[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: ACI developmental status

To: Hallvard B Furuseth <h.b.furuseth@usit.uio.no>
Subject: Re: ACI developmental status
From: Quanah Gibson-Mount <quanah@stanford.edu>
Date: Mon, 09 May 2005 14:19:57 -0700
Cc: openldap-software@OpenLDAP.org
Content-disposition: inline
In-reply-to: <hbf.20050509tbra@bombur.uio.no>
References: <1115649906.19476.4.camel@inyoureyes.linsolutions.com> <3DAF51312C38F4FEBAF9068B@cadabra-dsl.stanford.edu> <hbf.20050509tbra@bombur.uio.no>

--On Monday, May 09, 2005 10:37 PM +0200 Hallvard B Furuseth <h.b.furuseth@usit.uio.no> wrote:

Quanah Gibson-Mount writes:

With OpenLDAP 2.3, it will be possible to replace all your *.conf
files with the new back-config DB.  This will allow ACL's to be
modified on the fly, and remove the need for ACI's at all.  ACL's are
somewhat more powerful than ACI's, so I myself see little reason for
them to even remain once OL 2.3 is released.


Our site needed ACIs when employees could choose to make their
entries or selected attributes in them visible to only some people.

Well, it would be possible to introduce a 'hide' attribute instead
and insert a bunch of statements like this in slapd.conf:
     access to filter=(hide=mail:foo) attrs=mail
            by <foo> none
            by * none break
but this is not exactly elegant, it scales poorly and it's also
easy to make a typo in the ACLs.

We do this quite extensively because of US Federal Law, and Stanford internal practices. If it is designed correctly, there is no need to go back and revisit the ACL's. I also find the general belief that having lots of ACL's impacts performance holds little water in modern versions of OpenLDAP. My ACL file is 614 lines long, and contains very ugly regex's and set statements, and the systems continue to be blazingly fast. Having the rules in place have actually been extremely helpful when having to limit data exposed to applications based on private, stanford-only, and public visibilities (we have 3. ;) ).

Using your example of the mail attribute, ours looks like:

access to dn.children="cn=people,dc=stanford,dc=edu" filter=(suvisibemail=stanford) attrs=mail by dn.children="cn=accounts,dc=stanford,dc=edu" sasl_ssf=56 read by group.base="cn=stanfordauth,cn=Applications,dc=stanford,dc=edu" sasl_ssf=56 read by * break

access to dn.children="cn=people,dc=stanford,dc=edu" filter=(suvisibemail=world) attrs=mail by dn.children="cn=accounts,dc=stanford,dc=edu" sasl_ssf=56 read by group.base="cn=stanfordauth,cn=Applications,dc=stanford,dc=edu" sasl_ssf=56 read by anonymous read by * break

<http://www.stanford.edu/services/directory/trees/people.html> contains a list of the myriad visibility attributes we have, and what they control.

All user data is of course, filtered through an application, and no user ever is allowed to modify the directory servers directly (with the exception of myself and a few other admins. :P ).

Do you have a better suggestion for such ACLs?


No, I think it is an excellent scheme, actually.

For that matter, what if you want to allow users write access to the
access controls for their own entries?

Its true it doesn't address this, but that's one heck of a vulnerability that I wouldn't want on my systems. ;)

--Quanah


--
Quanah Gibson-Mount
Principal Software Developer
ITSS/Shared Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html

References:
- ACI developmental status
  - From: Ted Kaczmarek <tedkaz@optonline.net>
- Re: ACI developmental status
  - From: Quanah Gibson-Mount <quanah@stanford.edu>
- Re: ACI developmental status
  - From: Hallvard B Furuseth <h.b.furuseth@usit.uio.no>

Prev by Date: Re: ACI developmental status
Next by Date: Re: ACI developmental status
Index(es):
- Chronological
- Thread