Next: AACLS Syntax Up: AACLS schema and syntax Previous: AACLS schema and syntax Contents

AACLS Concept

The main idea of AACLS is relationship between entries. An AACL works with :

the author which is the DN passed through the auth method of the LDAP server,
the target which is the DN of the entry on which the operation is tried,
one or more attributes on which the operation is tried,
the operation,
and a relation.

The AACL checks if the author and the target are linked through the relation. Of course the operation needs to be allowed on the specified attribute(s). The operation is allowed through the "rights" attribute.

By default, nothing is possible. Each AACL is tried successively. If one of them authorized the operation, the result is immediately sent back. When the AACLS server has tried each AACL with no authorization, it fails.

Both of the author and the target are described with a base and a filter. Only the base of the target is mandatory.

root 2004-01-21