Re: Access Control development and cn=config



At 02:20 PM 3/24/2003, Lon Tierney wrote:
>> However, another approach would be to move our slapd.conf(5)-based
>> access control directives (and everything else) out of a file
>> and into the directory.  This seems like a fairly pragmatic
>> approach.
>
>The other approach mentioned was to use a Policy Server. This is the
>approach that we (my employer) are taking for our product. My guess is
>that it will support some standard, like oh, maybe XACML.
>It would be nice if OpenLDAP used an interface for an authorization
>plugin. The initial implementation could read the ACIs out of the conf
>file, but future implementers could decide to use an off-the-shelf Policy
>Server. Or, one could define the policy in the LDAP itself and the plugin
>would just read from the server database... Then the changes could be made
>via LDAP calls, but would become active when they are read...
>-lon

Roland actually is doing work in this area (using SPOCP).  He
didn't create an access control plugin interface, but it's a
logical next step.

Kurt