Re: ACIs and OL 2.3, rfc ?
Piotr Wadas wrote:
> Regarding "broken ACI concept" - does any rfc
> speak about the concept of dynamically assigned privileges
> to ldap directory entries? Or does it recommend avoiding
> such policies?
AFAIK, nothing made it into an RFC; what OpenLDAP's ACIs are (loosely)
based on is <draft-ietf-ldapext-aci-model-0.3.txt>. Other implementors
do have ACIs and, in some cases, they're the preferred means to control
access. This doesn't mean ACIs have to be the preferred implementation
of access control.
IMHO, the most appealing feature of ACIs is the fact that in principle
access rules get replicated along with data. However, the lack of a
standard defeats this purpose when getting to cross-implementation
replication, migration and so on. Moreover, one might want to have
different access rules for different shadows of the same database.
Finally, right now access control on OpenLDAP's slapd can be modified
without the need to stop and restart it, by means of cn=config; there is
work in progress to allow configuration replication. As such, OpenLDAP
offers better means to achieve the same purpose without ACIs, with the
access determinism guaranteed by avoiding the use of ACIs.
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team
SysNet s.n.c.
Via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
------------------------------------------
Office: +39.02.23998309
Mobile: +39.333.4963172
Email: pierangelo.masarati@sys-net.it
------------------------------------------