
Re: Checking write permission from a perl script



I agree,
   the access controls in many services such as the LDAP service are limited
and for performance reasons should be used in a minimalistic manner. Therefore
the user interface should control the accessibility of information and then act
as a proxy to perform the modifications for the requester.

Some will say that the access controls of OpenLDAP are extensive, particularly
if using group memberships as part of the access control rules; yes, but
performance is inhibited by the methods used to determine group memberships.
For this reason I have deployed master/slave services where the master is used
for all updates and has all the access controls under the sun, but the slaves,
being used for reading only by particular clients, have very minimalistic
ACLs.

I recently attempted to track down the code used to determine if an attribute
has an index, with a view to patching that process into the ACL determination.
After half an hour I finally tracked it down. I ran out of time to try a patch,
but I believe it could be done, though there would be negative performance
gains if the groups used are small. My gut reaction would be that it would be
worthwhile to try.

Cheers,
     Gerrit Thomson.

Dustin Sallings wrote:

> On Thu, 4 May 2000, Chris Garrigues wrote:
>
> # >     I'm having a hard time imagining where that would be useful.  What
> # > are you trying to do?
> #
> # I don't want to offer to my user the opportunity to change things that
> # can't be changed.
>
>         Ahh...that makes sense.  You need to be prepared for the thing to
> fail either way, but from a UI point of view, it is a good idea to just
> not show something.  The way I handle that in my own tools is to have the
> interface understand what groups are allowed to do which things, and have
> the list of groups the user is in stored in the application.  Then I just
> do something like (obviously pseudo-code):
>
>         if(user_is_in_group("blah")) {
>                 showOption("options_requiring_blah");
>         }
>
> --
> SA, beyond.com           My girlfriend asked me which one I like better.
> pub  1024/3CAE01D5 1994/11/03 Dustin Sallings <dustin@spy.net>
> |    Key fingerprint =  87 02 57 08 02 D0 DA D6  C8 0F 3E 65 51 98 D8 BE
> L_______________________ I hope the answer won't upset her. ____________
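The pattern both messages describe, the interface deciding from group memberships it already holds which options to show, then acting as a proxy that forwards the write to the master, as an added example that is not code from the thread (the script under discussion is Perl with Net::LDAP; this sketch is Python and keeps the directory contents in memory so it runs offline). The policy table, the group and user DNs, the slave contents and the master stub's refusal rule are all constructed for illustration; a real deployment would replace the in-memory lookups with searches against a slave and the stub with a modify against the master under the application's own bind.

```python
import re
from dataclasses import dataclass

# Hypothetical application policy: which group may write which attributes of
# a person entry. This mirrors the master's ACLs for display purposes only;
# it does not replace them.
POLICY = {
    "cn=helpdesk,ou=groups,dc=example,dc=com": {"telephoneNumber", "mail"},
    "cn=hr,ou=groups,dc=example,dc=com": {"title", "departmentNumber", "mail"},
}
# What any user may always edit on their own entry (constructed policy).
SELF_WRITABLE = {"userPassword", "telephoneNumber"}

# Constructed contents of a read-only slave. groupOfNames entries list their
# members by DN, which is what the application caches per session.
SLAVE = {
    "cn=helpdesk,ou=groups,dc=example,dc=com": {
        "objectClass": ["groupOfNames"],
        "member": ["uid=alice,ou=people,dc=example,dc=com"],
    },
    "cn=hr,ou=groups,dc=example,dc=com": {
        "objectClass": ["groupOfNames"],
        "member": ["uid=bob,ou=people,dc=example,dc=com"],
    },
    "uid=alice,ou=people,dc=example,dc=com": {"mail": ["alice@example.com"]},
    "uid=bob,ou=people,dc=example,dc=com": {"mail": ["bob@example.com"]},
    "uid=carol,ou=people,dc=example,dc=com": {"mail": ["carol@example.com"]},
}


def norm_dn(dn):
    """Crude DN normalisation (lower-case, drop blanks after commas) so that
    'uid=Alice, ou=People,...' and 'uid=alice,ou=people,...' compare equal."""
    return re.sub(r",\s*", ",", dn.strip()).lower()


def groups_of(directory, user_dn):
    """DNs of the groups that list user_dn as a member. Evaluated once per
    session and cached by the application, rather than letting slapd walk
    group memberships on every request."""
    user = norm_dn(user_dn)
    return {
        norm_dn(dn)
        for dn, attrs in directory.items()
        if "groupOfNames" in attrs.get("objectClass", [])
        and any(norm_dn(m) == user for m in attrs.get("member", []))
    }


def writable_attrs(groups, user_dn, target_dn):
    """Attributes of target_dn this user may edit according to POLICY. The UI
    shows an edit control only for these (the showOption() idea above)."""
    allowed = set()
    for g in groups:
        allowed |= POLICY.get(g, set())
    if norm_dn(user_dn) == norm_dn(target_dn):
        allowed |= SELF_WRITABLE
    return allowed


@dataclass
class Result:
    accepted: bool   # True only if the master applied the change
    stage: str       # "ui" (refused locally) or "master" (master's answer)
    detail: str


def proxy_modify(groups, user_dn, target_dn, changes, master_modify):
    """UI-side gate: refuse what POLICY does not allow, otherwise forward the
    change to the master. changes maps attribute name -> new value list."""
    denied = sorted(set(changes) - writable_attrs(groups, user_dn, target_dn))
    if denied:
        return Result(False, "ui", "not permitted: " + ", ".join(denied))
    # The master's ACLs are authoritative; be prepared for it to fail anyway.
    try:
        master_modify(target_dn, changes)
    except PermissionError as exc:
        return Result(False, "master", str(exc))
    return Result(True, "master", "modified " + norm_dn(target_dn))


def master_stub(target_dn, changes):
    """Stand-in for the modify against the master (Net::LDAP->modify or
    similar). Constructed rule: the application bind may not touch
    userPassword, so a change the UI allowed is still refused here."""
    if "userPassword" in changes:
        raise PermissionError("insufficient access to userPassword (master ACL)")
    return True


if __name__ == "__main__":
    alice = "uid=alice,ou=people,dc=example,dc=com"
    bob = "uid=bob,ou=people,dc=example,dc=com"
    g = groups_of(SLAVE, alice)
    print(sorted(writable_attrs(g, alice, bob)))
    print(proxy_modify(g, alice, bob, {"mail": ["bob@corp.example"]}, master_stub))
    print(proxy_modify(g, alice, bob, {"title": ["CEO"]}, master_stub))
    print(proxy_modify(g, alice, alice, {"userPassword": ["x"]}, master_stub))
```

The two failure paths are deliberately distinct: a refusal at the `ui` stage never reaches the directory, which is the performance point of the thread, while a refusal at the `master` stage shows that the application's policy table is a convenience for the interface and the master's ACLs remain the real enforcement point.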