[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Subtree ACIs

To: Ralf Haferkamp <rhafer@suse.de>
Subject: Re: Subtree ACIs
From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>
Date: Tue, 15 Jul 2003 09:54:15 +0200
Cc: OpenLDAP Devel <openldap-devel@OpenLDAP.org>
In-reply-to: <20030714163148.GA10027@suse.de>
References: <5.2.0.9.0.20030714163722.01c68c80@127.0.0.1> <5.2.0.9.0.20030714062216.01bec320@127.0.0.1> <20030711102813.GB3919@suse.de> <5.2.0.9.0.20030714062216.01bec320@127.0.0.1> <5.2.0.9.0.20030714163722.01c68c80@127.0.0.1>

At 06:31 PM 7/14/2003, Ralf Haferkamp wrote:
>On Mon, Jul 14, 2003 at 04:50:22PM +0200, Kurt D. Zeilenga wrote:
>> At 04:29 PM 7/14/2003, Ralf Haferkamp wrote:
>[..]
>> >Thanks for the pointer. I've take a look at the drafts. If I understood
>> >it correctly it makes use of Subentries when defining ACIs that scope more
>> >than one entry, is this correct? If yes, is there any subentry support in
>> >the current HEAD code? 
>> 
>> The X.500 model supports both "entry" and "perspective" ACIs, the
>> former held in entries the later in subentries.  This separation
>> is key to supporting access control delegation.
>
>But "perspective" ACIs are the only ones which can apply to multiple
>Entries (the ones that are in the scope of the subentry), right? (Just
>asking for comfirmance if I understood this part correctly).

First, s/perspective/prescriptive/ above.  Sorry.

Yes.

>There is
>nothing like a "subtree"-ACI which is stored in the entry itself, is there?
>(Wouldn't make a lot of sense in my opinion) 

Well, perscriptiveACIs are like a "subtree"-ACI except it is held
in a subentry instead of the base of the subtree AND a subtree
refinement can be prescribed.


>[..]
>> >Is it intended to remove the current implementation in favour of a solution
>> >that implements the ACMs specs in the future?
>> 
>> The current implementation is experimental.  To that extent,
>> it has fulfilled its purpose (to experiment with in-directory
>> ACIs).
>> 
>> As far as the future goes, I personally favor* implementing the
>> X.500 ACM as its complexity is well understood and proven.  I
>> rather avoid re-inventing the unavoidable complexity of a robust
>> access control model.  My approach was to first implement
>> collective attributes (w/ subentries) [as it is a simple X.500
>> administrative model] and then implement X.500 basic access controls.
>Can you sumarize how much (if any) of this is already implemented in the
>current code?

Very little.

>Seems that the schema definitions for collective attributes
>are already there. There are as well already a few #ifdefs  related to
>subentries in back_bdb, but not much more. Is this correct, or did I
>overlook something.

No.  The next step is to implement basic subentry support
(with no or very limited subtree refinement).

>> As I am swamped with other things, I'm quite open to alternative
>> approaches offered by those with more time/energy to work in
>> the access control area.
>> 
>> One other approach which was discussed at ODD/SFO was
>> solving this problem via a "configuration" backend which
>> virtualized our current slapd.conf(5) access controls.  That
>> seems like a fairly pragmatic approach.
>This sounds appealing as well.
>
>-- 
>Ralf Haferkamp
>
>SuSE Linux AG                                    - The Linux Experts -
>Deutschherrnstrasse 15-19                         http://www.suse.com
>D-90429 Nuernberg, Germany                        Tel: +49-911-74053-0

References:
- Re: Subtree ACIs
  - From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>
- Re: Subtree ACIs
  - From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>
- Subtree ACIs
  - From: Ralf Haferkamp <rhafer@suse.de>
- Re: Subtree ACIs
  - From: Ralf Haferkamp <rhafer@suse.de>

Prev by Date: Re: Subtree ACIs
Next by Date: RE: using callback mechanism
Index(es):
- Chronological
- Thread