Re: Questions on ACL



This is the second question in a week with basically the same content: How can you handle directory writing on a basis other than 'self' or matching a single user like manager? The openldap manual _even skips_ the 'regex' method of defining ACLs, but there must be a way to do it. I too would like users to be able to store address books in LDAP for roaming and sharing purposes ... this is huge information when being a proponent of the use of openldap over things like Lotus Domino or Msft. Exchange.

Thanks,
Jeremy


Etienne Goyer wrote:

Hi,

I am currently in the planning phase of a large-scale installation of OpenLDAP for a client. The installation will be used as an address book and authentication repository for various systems, with 12 000 users at first (expected to grow to near 100 000 in the future).


I have most of the issues sorted out (backup, replication, schema, etc.) but I still have a few questions concerning ACLs.

First, can the ACL directives be stored outside of slapd.conf?  For
obvious reasons, access to this file has to be pretty much restricted.
If not, that would forbid delegation of ACL management.

Second, is there a way to have changes in ACL directives applied without
restarting the service?

Third, is there a performance penalty for having a lot of ACL
directives?  As a side question, how are ACLs processed?  Are they
applied before the search or on the result set?

Thanks for your insight. Pointers to docs explaining these issues are
welcome. So far, my search for answers to these questions has been
fruitless.
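A regex-based ACL of the kind Jeremy asks about (per-user write access to a subtree that is not the user's own entry), written as an added example for this thread; it is not from either poster or from the OpenLDAP manual. The suffix dc=example,dc=com, the uid=<name>,ou=people naming and the ou=addressbook container under each user are assumptions.

```conf
# Added example slapd.conf ACL fragment (not from the thread or the OpenLDAP manual).
# Assumed layout: users live at uid=<name>,ou=people,dc=example,dc=com and each
# user's private address book is stored below ou=addressbook,uid=<name>,ou=people,...
#
# slapd evaluates "access to" clauses in order: the first clause whose <what>
# matches the entry is used, and within it the first matching "by" clause
# decides. Specific rules must therefore come before general ones.

# Each user, and only that user, may write their whole address-book subtree.
# "(.+,)?" matches the container itself and anything beneath it; group 2 is
# the owner's uid, and ",expand" substitutes it into the "by" DN, so one rule
# covers every user without listing them.
access to dn.regex="^(.+,)?ou=addressbook,uid=([^,]+),ou=people,dc=example,dc=com$"
    by dn.exact,expand="uid=$2,ou=people,dc=example,dc=com" write
    by group.exact="cn=addressbook-admins,ou=groups,dc=example,dc=com" write
    by * none

# Password attribute on user entries: owner may change it, anonymous may only
# use it to bind ("auth"), nobody may read it.
access to dn.regex="^uid=[^,]+,ou=people,dc=example,dc=com$" attrs=userPassword
    by self write
    by anonymous auth
    by * none

# The rest of the user entry: "self" suffices because the bound DN is the entry.
access to dn.regex="^uid=[^,]+,ou=people,dc=example,dc=com$"
    by self write
    by users read
    by * none

# Catch-all: authenticated users may read, anonymous gets nothing.
access to *
    by users read
    by * none
```

These directives live in slapd.conf (or in a file pulled in with its `include` directive) and are read at startup, so edits take effect at the next restart of slapd.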