[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: ACI module

To: Brian Empson <brian_empson@yahoo.com>
Subject: Re: ACI module
From: Howard Chu <hyc@symas.com>
Date: Sun, 14 Oct 2012 05:40:52 -0700
Cc: "openldap-technical@openldap.org" <openldap-technical@openldap.org>
In-reply-to: <1350176830.76509.YahooMailNeo@web120204.mail.ne1.yahoo.com>
References: <1350176830.76509.YahooMailNeo@web120204.mail.ne1.yahoo.com>
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:18.0) Gecko/18.0 Firefox/18.0 SeaMonkey/2.15a1

Brian Empson wrote:

Is it possible to load ACI support as a module? It would really help when
installing from a precompiled package, all of which seem to turn off this very
powerful feature. (I really like it anyway)

The source code is there, build it however you like. One of the reasons opensource software exists is to free you from whatever limitations are imposed bya binary provider. If you tie yourself to precompiled packages that don't doexactly what you want, you're somewhat missing the point.

ACIs are a security liability from a centralized administration perspective.They are intrinsically difficult to audit and difficult to track. Use of ACIscan make it impossible to prove that a given deployment correctly implements aformally defined security policy. IME, people who are fond of ACIs eitherdon't understand the security risks, or don't care.

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/

References:
- ACI module
  - From: Brian Empson <brian_empson@yahoo.com>

Prev by Date: ACI module
Next by Date: Open LDAP sometimes "Can't contact LDAP server"
Index(es):
- Chronological
- Thread