directory-dev mailing list archives

From Marc Boorshtein <mboorsht...@yahoo.com>
Subject Re: [apacheds] ACL implementation options (was ACLs questions)
Date Wed, 18 May 2005 10:43:56 GMT

> I think ACLs with OpenLDAP are too much complicated
> and the declaration 
> order notion of ACLs in OpenLDAP seems to me
> dangerous in some ways...
> And the OpenLDAP file format is not really java nor
> modern...
>

I don't know much about the openldap acl model, but
here's the draft I was looking for.  I don't think it
should be followed to a "T", but it should be a good
starting point.  

http://www.ietf.org/proceedings/01aug/I-D/draft-ietf-ldapext-acl-model-08.txt

One nice thing about this is it defines a way (albeit
pretty hard to read) to define an ACI on a single
line.

 
> >
> 
> I have a question about this. It may be naive, but
> what about computing
> ACLs from  ACLs storage (subentries or other) at
> authentication time. 
> Once authenticated, ACLs are computed from the point
> of view of the 
> authenticated user and then attached to the
> principal ?

1. This would probably be very "slow", as binds are one
of the most often used operations.
2. What if the ACL changes while the user is bound?
Caching ACL information can be very dangerous.

I also don't think keeping the ACLs in memory would
hurt replication.  If the interceptor added the ACL
information in the appropriate circumstances, then it
wouldn't really matter where they are stored.

I think it boils down to the question of "Are ACLs
configuration or data?"  If they are configuration,
then they should be treated as such (and in a multi
server environment there will always be an issue of
configuration management).  If they are data, then they
should be included in replication.  Outside of
debugging a directory deployment, how often do ACLs
change?  In most deployments I've seen, they really don't
change all that often.

marc
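The second objection above (an ACL that changes while the user is still bound) is easy to see in code. The following is an added example, not code from this thread or from ApacheDS, and it does not use the ACI syntax of the IETF draft; it uses a deliberately simplified `Aci` record (subject, target, rights, grant/deny, with deny winning) as a stand-in. It contrasts an interceptor that evaluates the stored ACLs on every operation with a session that computes the principal's ACLs once at bind time and attaches them to the principal, as proposed in the quoted message. After an administrator revokes `write`, the per-operation check denies it immediately, while the bind-time snapshot keeps granting it for the life of the session. All DNs and rule values are constructed sample data.

```python
"""Added example: per-operation ACL evaluation versus ACLs computed at bind time.

Simplified model (an assumption, not the IETF draft's ACI syntax):
an Aci names a subject DN, a target DN, a set of rights, and whether it
grants or denies them. A deny rule always wins over a grant rule.
"""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Tuple


@dataclass(frozen=True)
class Aci:
    subject: str            # bind DN the rule applies to (exact match here)
    target: str             # entry DN the rule protects (exact match here)
    rights: FrozenSet[str]  # e.g. {"read", "write"}
    grant: bool = True      # True = grant, False = deny


def evaluate(acis: Iterable[Aci], principal: str, target: str, right: str) -> bool:
    """Return True only if some rule grants `right` and no rule denies it."""
    applicable = [a for a in acis
                  if a.subject == principal and a.target == target and right in a.rights]
    if any(not a.grant for a in applicable):
        return False            # an explicit deny overrides every grant
    return any(a.grant for a in applicable)


class Directory:
    """The authoritative ACL store (subentries, a config file, ... it does not matter here)."""

    def __init__(self) -> None:
        self.acis: List[Aci] = []

    def permits(self, principal: str, target: str, right: str) -> bool:
        """Interceptor-style check: consult the live store on every operation."""
        return evaluate(self.acis, principal, target, right)


class BoundSession:
    """Bind-time approach: compute the principal's ACLs once and attach them."""

    def __init__(self, directory: Directory, principal: str) -> None:
        self.principal = principal
        # Snapshot taken at bind; later edits to directory.acis are not seen.
        self.snapshot: List[Aci] = [a for a in directory.acis if a.subject == principal]

    def permits(self, target: str, right: str) -> bool:
        return evaluate(self.snapshot, self.principal, target, right)


def stale_cache_scenario() -> Tuple[Tuple[bool, bool], Tuple[bool, bool]]:
    """Constructed scenario. Returns ((cached, live) before revocation,
    (cached, live) after revocation) for a 'write' on the same entry."""
    d = Directory()
    d.acis.append(Aci("cn=alice,ou=people", "ou=people", frozenset({"read", "write"})))

    session = BoundSession(d, "cn=alice,ou=people")  # alice binds
    before = (session.permits("ou=people", "write"),
              d.permits("cn=alice,ou=people", "ou=people", "write"))

    # While alice is still bound, an administrator revokes write access.
    d.acis.append(Aci("cn=alice,ou=people", "ou=people", frozenset({"write"}), grant=False))
    after = (session.permits("ou=people", "write"),
             d.permits("cn=alice,ou=people", "ou=people", "write"))
    return before, after


if __name__ == "__main__":
    before, after = stale_cache_scenario()
    print(f"before revocation: cached={before[0]} live={before[1]}")
    print(f"after revocation:  cached={after[0]} live={after[1]}")
```

The snapshot in `BoundSession` is exactly the "attach the computed ACLs to the principal" idea; it only stays correct if every ACL modification also invalidates or refreshes every open session's snapshot, which is the cache-coherence problem Marc is pointing at. The `Directory.permits` path pays the lookup on every operation instead, which is where the "binds are frequent" performance argument and the "stale cache" safety argument trade off.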
