Re: apping ACLs to groupmembers



Andreas Schuldei wrote:

On Sat, Mar 05, 2005 at 02:12:37PM -0800, Howard Chu wrote:


Andreas Schuldei wrote:



i use the debian packages, which don't have ACIs compiled in
(since they are experimental and about to change soon, i hear).



There are no user-visible changes to ACI support planned. The change I was referring to is to allow dynamic (runtime) changes to regular ACLs. (At that point, I imagine the need for ACIs will vanish, but that's a different matter.)



so does that mean that they will no longer be marked experimental?

"experimental" means they were written freely picking from an internet draft which later expired without resulting in an RFC, so they're not based on any standard track.

that would certainly convince the debian package
maintainers to activate this feature.


I see no reason not to build them, because they cannot be used unless explicitly allowed in slapd.conf, so there shouldn't be any security threat. I know of people that are using them routinely and are (almost) happy with them. I've played with them a bit (but not in production). In 2.3 they changed quite a bit in a manner that should be totally transparent to users: there are selected new features, but the nice part is that they moved into a run-time loadable framework that allows user-defined access rules to be plugged into slapd.

or did you imply that ACIs will be removed because they will be
obsolete?


Unless they become incompatible with something else, they will not likely be removed.

how could ACLs solve my access problems i described? If i could
do with ACLs that would be preferable.


You'll need to wait for back-config to stabilize and get into a release. Could make it into 2.3, but not quite soon, as far as I can tell. It will, at some point.

Writable access rules via protocol will never be a complete replacement of ACIs; they're somehow orthogonal. Writable access rules will likely simply allow run-time changes to configuration.

p.


SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497