
Re: Questions on ACL



Jeremy Kuhnash wrote:
This is the second question in a week with basically the same content: How can you handle directory writing on a basis other than 'self' or matching a single user like manager? The openldap manual _even skips_ the 'regex' method of defining ACLs, but there must be a way to do it. I too would like users to be able to store address books in LDAP for roaming and sharing purposes ... this is huge information when being a proponent of the use of openldap over things like Lotus Domino or Msft. Exchange.

Hi,
Check the OpenLDAP Admin Guide for group-based ACLs. The idea behind this is the following:
You grant some access to all members of a group (you can have several of these groups; let's say you have one group "secretaries" that may change phone numbers and one group "administrators" that may change uids and set passwords). These groups are objects in the directory and you can store an arbitrary number of users (more or less, you shouldn't have thousands of those) in the member attribute of the group, and each of these members will get the access defined by the access control statement.



Thanks,
Jeremy

Etienne Goyer wrote:

Hi,

I am currently in the planning phase of a large-scale installation of OpenLDAP for a client. The installation will be used as address book and authentication repository for various systems with 12 000 users at first (expected to grow near 100 000 in the future).


I have most of the issues sorted out (backup, replication, schema, etc) but I still have a few interrogations concerning ACLs.

First, can the ACL directives be stored outside of slapd.conf? For obvious reasons, access to this file has to be pretty much restricted. If not, that would forbid delegation of ACL management.

Yes and no. slapd.conf permits including other files (the same as the schema); however, these includes are in fact part of the slapd.conf (and you can enter here any valid slapd.conf statement).


Second, is there a way to have changes in ACL directives applied without restarting the service?

No; however, if you really need to change the access control without restarting the service, you could use ACIs. The documentation on this issue is extremely sparse and the ACIs operate on a per-object basis (so administration of ACIs is a nightmare unless you have a program that does that for you).


In my experience group ACLs are flexible enough for most purposes (you can easily change the group members at runtime), but your mileage may vary.

Third, are there performance penalties for having a lot of ACL directives? As a side question, how are ACLs processed? Are they applied before the search or on the result set?

They are applied on the result set. Having a lot of ACLs may reduce the performance (but a faster CPU might help here).


Thanks for your insight. Pointers to docs explaining these issues are welcome. So far, my search for answers to these questions has been fruitless.

The OpenLDAP Administrator's Guide is really a good source of information about ACLs. Additionally, man slapd.access might help.


Yours
Stephan Siano
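The group-based scheme described above ("secretaries" may change phone numbers, "administrators" may change uids and set passwords), written out as slapd.conf access directives. This is an added example, not part of the original thread; the suffix dc=example,dc=com and the group DNs under ou=groups are assumptions.

```conf
# Constructed example: group-based ACLs in slapd.conf.
# Assumed suffix: dc=example,dc=com; groups are groupOfNames entries
# under ou=groups,dc=example,dc=com with users listed in "member".
# slapd evaluates "access to" directives in order and stops at the
# first one whose target matches, then applies the first matching
# "by" clause, so the most specific attribute rules come first.

# Passwords: only the owner and the administrators group may write.
# "by anonymous auth" lets unauthenticated clients bind (compare the
# hash) without reading it; the final "by * none" denies everyone else.
access to attrs=userPassword
    by self write
    by group/groupOfNames/member="cn=administrators,ou=groups,dc=example,dc=com" write
    by anonymous auth
    by * none

# uid: only administrators may change it; everyone else may read it.
# "group=" alone defaults to groupOfNames/member, same as the long form.
access to attrs=uid
    by group="cn=administrators,ou=groups,dc=example,dc=com" write
    by * read

# Phone numbers: the secretaries group (and the entry owner) may write.
access to attrs=telephoneNumber,homePhone,mobile
    by group="cn=secretaries,ou=groups,dc=example,dc=com" write
    by self write
    by * read

# Catch-all for everything not matched above: owners may edit their
# own entry, everyone else gets read access. Without a catch-all the
# implicit default is "by * none", which would hide the address book.
access to *
    by self write
    by * read
```

Adding or removing a DN from the member attribute of cn=secretaries or cn=administrators changes who matches these rules immediately, without editing slapd.conf or restarting slapd.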