I think having ACI on bind operation is very useful. Especially when it has policy like mature features. For example think of ACI's(or other type of rules) which determine and restrict user authentication based on Client IP, UserDN, Time, comparing an arbitrary user attribute with a value, Role or Group Membership, or other possible constraints.
These ACL decisions should came before accepting connection, successful authentication or - after authentication and right before any read/write/search/compare/... like operations.
This proposal came after some enterprise project we were involved and the requirements that 389ds did not have which could improve usability, functionality and security.
I've posted some scenarios in https://fedorahosted.org/389/ticket/49036 which could help understand the nature of the problem.
Metadata Update from @msarmadi: - Issue set to the milestone: FUTURE
Metadata Update from @mreynolds: - Custom field reviewstatus adjusted to None - Issue close_status updated to: None - Issue tagged with: RFE
Metadata Update from @mreynolds: - Issue tagged with: Access Control
389-ds-base is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in 389-ds-base's github repository.
This issue has been cloned to Github and is available here: - https://github.com/389ds/389-ds-base/issues/2096
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
subscribe
Thank you for understanding. We apologize for all inconvenience.
Metadata Update from @spichugi: - Issue close_status updated to: wontfix - Issue status updated to: Closed (was: Open)
Login to comment on this ticket.