Tomasz Lesniewski wrote:
I would like to use sets in my OpenLDAP ACLs, but I'm worried about "Sets are considered experimental" as is written in the docs (http://www.openldap.org/doc/admin24/access-control.html#Sets%20-%20Granting%20rights%20based%20on%20relationships). Is anybody using sets in a production environment without problems? Are there any known issues with sets? Or is it known when sets will be ready to use?
I put one setup with many set ACLs in production. Sets work as intended but are not documented very well. It costs some time to get it right. It's a good idea to implement ACL regression testing.
The main problem with sets: They are slow - I mean really slow. But if high performance is not your main goal you can set up very paranoid access control with sets.
I will show a demo of a similar setup this weekend at the OpenLDAP booth at Chemnitzer Linuxtage:
https://chemnitzer.linux-tage.de/2015/en/programm/beitrag/134

See also my presentation of this stuff this Sunday:
https://chemnitzer.linux-tage.de/2015/en/programm/beitrag/135

Ciao, Michael.

--
Michael Ströder
E-Mail: michael@stroeder.com
http://www.stroeder.com