Problem Statement
While implementing the ACI-based authorization service we ran into a problem: how to correlate intercepted method calls with LDAP operations. The relationship is not one to one. The following LDAP operations can be directly correlated with intercepted methods:
| LDAP Operation | Intercepted Methods |
|---|---|
| Add | add(String,Name,Attributes) |
| Del | delete(Name) |
| Modify | modify(Name,int,Attributes), modify(Name,ModificationItem[]) |
| ModifyDn | modifyRn(Name,String,boolean), move(Name,Name), move(Name,Name,String,boolean) |
| Search | search(Name,Map,ExprNode,SearchControls) |
The following LDAP operations do not presently correlate to intercepted methods:
- Abandon
- Bind
- Compare
- Extended
- Unbind
The following permissions exist for X.501 grants and denials:
- Add
- DiscloseOnError
- Read
- Remove
- Browse
- Export
- Import
- Modify
- Rename
- ReturnDN
- Compare
- FilterMatch
- Invoke
Note that there is currently no way for the authorization interceptor to "intercept" a compare operation and apply its access controls: no intercepted method corresponds to Compare, so the X.501 Compare permission cannot be enforced there.
Quick Fix Solution
We decided to add a compare() operation to the Interceptor interface and to introduce a compare() method in the ServerLdapContext implementation that calls the nexus proxy's compare(). This way compare operations are processed by the server's core and pass through the interceptor services, including authorization.
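To illustrate the fix, here is an added example that is not ApacheDS code: a minimal, self-contained interceptor chain in which compare() travels through every interceptor to a nexus stand-in, so that an authorization interceptor can enforce the X.501 Compare permission. The names Chain, Nexus, CompareRequest, AuditInterceptor and the in-memory grant table are hypothetical; the denial path follows the X.501 DiscloseOnError rule, returning the same error as for a non-existent entry unless the caller holds DiscloseOnError.

```java
import java.util.*;
import javax.naming.NameNotFoundException;
import javax.naming.NamingException;
import javax.naming.NoPermissionException;

// Hypothetical example (not ApacheDS code): compare() added to an interceptor chain.

// Subset of the X.501 permissions listed above that this example uses.
enum Permission { READ, BROWSE, COMPARE, DISCLOSE_ON_ERROR }

// Hypothetical request: target DN, attribute type and asserted value.
record CompareRequest(String dn, String attributeId, String assertedValue) { }

// Hypothetical interceptor contract. The real interface also carries add, delete,
// modify, modifyRn, move and search; only the newly added compare() is modelled here.
interface Interceptor {
    boolean compare(Chain next, String principal, CompareRequest req) throws NamingException;
}

// Stand-in for the nexus proxy: the terminal step that evaluates compare against storage.
final class Nexus {
    private final Map<String, Map<String, Set<String>>> entries = new HashMap<>();

    void put(String dn, String attributeId, String... values) {
        entries.computeIfAbsent(dn, k -> new HashMap<>())
               .put(attributeId, new HashSet<>(Arrays.asList(values)));
    }

    boolean compare(CompareRequest req) throws NamingException {
        Map<String, Set<String>> entry = entries.get(req.dn());
        if (entry == null) throw new NameNotFoundException(req.dn());
        return entry.getOrDefault(req.attributeId(), Set.of()).contains(req.assertedValue());
    }
}

// Walks the remaining interceptors in order and ends at the nexus.
final class Chain {
    private final Iterator<Interceptor> remaining;
    private final Nexus nexus;

    Chain(List<Interceptor> interceptors, Nexus nexus) {
        this.remaining = interceptors.iterator();
        this.nexus = nexus;
    }

    boolean compare(String principal, CompareRequest req) throws NamingException {
        return remaining.hasNext()
            ? remaining.next().compare(this, principal, req)
            : nexus.compare(req);
    }
}

// Authorization interceptor: checks the permission that corresponds to the operation.
final class AuthorizationInterceptor implements Interceptor {
    private final Map<String, Set<Permission>> grants; // principal -> granted permissions

    AuthorizationInterceptor(Map<String, Set<Permission>> grants) { this.grants = grants; }

    @Override
    public boolean compare(Chain next, String principal, CompareRequest req) throws NamingException {
        Set<Permission> perms = grants.getOrDefault(principal, Set.of());
        if (!perms.contains(Permission.COMPARE)) {
            // DiscloseOnError rule: only a caller holding DiscloseOnError may learn that the
            // entry exists; everyone else receives the same error as for a missing entry.
            if (perms.contains(Permission.DISCLOSE_ON_ERROR)) {
                throw new NoPermissionException("Compare denied on " + req.dn());
            }
            throw new NameNotFoundException(req.dn());
        }
        return next.compare(principal, req);
    }
}

// A second service in the chain, showing that compare() now flows through every interceptor.
final class AuditInterceptor implements Interceptor {
    final List<String> log = new ArrayList<>();

    @Override
    public boolean compare(Chain next, String principal, CompareRequest req) throws NamingException {
        boolean result = next.compare(principal, req);
        log.add(principal + " compare " + req.attributeId() + " on " + req.dn() + " -> " + result);
        return result;
    }
}

public class CompareInterceptorDemo {
    public static void main(String[] args) {
        Nexus nexus = new Nexus();
        nexus.put("uid=alice,ou=users,dc=example,dc=com", "mail", "alice@example.com"); // constructed entry

        Map<String, Set<Permission>> grants = new HashMap<>();       // constructed grant table
        grants.put("uid=admin", EnumSet.of(Permission.READ, Permission.COMPARE));
        grants.put("uid=auditor", EnumSet.of(Permission.DISCLOSE_ON_ERROR));
        // "uid=guest" holds no grants at all.

        AuditInterceptor audit = new AuditInterceptor();
        List<Interceptor> chain = List.of(new AuthorizationInterceptor(grants), audit);
        CompareRequest req = new CompareRequest("uid=alice,ou=users,dc=example,dc=com", "mail", "alice@example.com");

        for (String principal : List.of("uid=admin", "uid=auditor", "uid=guest")) {
            try {
                // A fresh Chain per request, because the iterator is consumed by the walk.
                boolean r = new Chain(chain, nexus).compare(principal, req);
                System.out.println(principal + ": compare result = " + r);
            } catch (NamingException e) {
                System.out.println(principal + ": " + e.getClass().getSimpleName() + " - " + e.getMessage());
            }
        }
        System.out.println(audit.log);
    }
}
```

Run with `java CompareInterceptorDemo.java` (Java 16 or newer, for the record type). uid=admin gets the true result and an audit line, uid=auditor is told the compare was denied, and uid=guest sees the same NameNotFoundException it would see for an entry that does not exist, which is the property the authorization interceptor could not provide while compare bypassed the chain.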
