directory-dev mailing list archives

From Tony Blanchard <>
Subject Re: ACLs questions
Date Tue, 17 May 2005 13:58:30 GMT
Sorry first, but there are some shortcuts I don't understand. IMO?

Alex asked me to look for some performance implications and for some 
weaknesses or strengths in ACLs.
I have just found some forum threads which talked about ACLs.
A short summary could be:

- ACLs may not be too coarse-grained.
- ACLs must not be viewable except by the admin.
- A user should not be able to change their uid to obtain more access rights.

As I am not a specialist, I looked for some good document about security 
and ACLs or LDAP, and I think I found it.
Please take a look at :

It does not talk exclusively about ACLs, but there is a good point to 
remember about it, and there are some good links to other documents:

"Many of the currently available LDAP products allow the implementation 
of replication over SSL. However most do not duplicate ACL information 
during the replication. This could result in an insecure instance of a 
directory. If access control is important in the specific implementation 
of the directory, make sure the ACL information is duplicated."
I think this should be a requirement for the future ACLs.

Hope this helps,
I will look again for some other information.
Tony Blanchard

Alex Karasulu wrote:

> Marc Boorshtein wrote:
>>>> 2 - What about having an "openLDAP like"
>>> simplified ACL mechanism ?
>>> I don't know I have not put enough thought to this
>>> because there are so many things standing in my way right now like
>>> implementing subentries so we can store ACLs ;).  However going with 
>>> their
>>> scheme might be a good idea.  Can you take the time to research the
>>> strengths and weaknesses with this approach?
>> Just a note.  I don't think you'd want to store an ACL
>> entry as a subtree on an entry.  ACL's can have scope,
>> so if you store it at the entry level then you'll need
>> to find the correct entries to determine the correct
>> access controls.
> X.500 subentries are recommended to store various information for an 
> autonomous administrative area.  The area can be for schema, ACLs, or 
> collective attributes.  The area of coverage for the contained 
> information in the subentry is defined by the subtree specification 
> which includes parameters for chop before, chop after, and subtree 
> refinements.  This is all X.500 stuff that the LDAP community is 
> reintroducing today.  One can almost say there is a subtle convergence 
> going on.
> If you want to commit to something we can explore implementing 
> subentries together first.  Next we need to include support for schema 
> structures for subtree specifications and algorithms for subtree entry 
> set inclusion evaluation.  Finally we can begin talking about 
> implementing the actual ACL mechanism - IMO the ACL mechanism can be 
> developed in parallel and stored somewhere else until we complete 
> these components in parallel.  This way Tony can begin working with us 
> as well.
> Cheers,
> -Alex
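The thread above turns on two points: Marc's remark that an ACL has scope, so the server must find the subentries that actually govern a given entry, and Alex's description of how X.500 subtree specifications (base, chop before, chop after, refinements) define that scope. The following is an added example, not code from ApacheDS or from anyone in this thread, showing how a subtree specification is evaluated and how the prescriptive ACI subentries applicable to an entry are collected. It assumes DNs are handled as root-first tuples of already-normalised RDN strings, that the specificationFilter is reduced to a plain "and" of objectClass items, and that all subentry and entry names are constructed sample data.

```python
"""Subtree specification evaluation (X.501 / RFC 3672) for scoping subentries.

Added example, not code from ApacheDS or from the thread's authors.
Assumptions: DNs are tuples of RDN strings ordered root-first, RDN values are
already normalised (lower-case, no escaping), and the specificationFilter is
reduced to a plain 'and' of objectClass items.
"""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Optional, Tuple

DN = Tuple[str, ...]


def parse_dn(text: str) -> DN:
    """'uid=tony,ou=people,dc=example' -> ('dc=example', 'ou=people', 'uid=tony').
    Constructed helper: no support for escaped commas or multi-valued RDNs."""
    return tuple(rdn.strip().lower() for rdn in reversed(text.split(",")) if rdn.strip())


@dataclass(frozen=True)
class SubtreeSpecification:
    base: DN = ()                                   # relative to the administrative point
    minimum: int = 0                                # entries shallower than this are excluded
    maximum: Optional[int] = None                   # entries deeper than this are excluded
    chop_before: FrozenSet[DN] = frozenset()        # exclude the named entry and its subtree
    chop_after: FrozenSet[DN] = frozenset()         # keep the named entry, exclude its subtree
    required_classes: FrozenSet[str] = frozenset()  # objectClass values an entry must all carry


@dataclass(frozen=True)
class Subentry:
    name: str                       # e.g. 'cn=peopleACI' (constructed sample names)
    spec: SubtreeSpecification      # scope of the prescriptive ACI it holds


def _is_prefix(prefix: DN, dn: DN) -> bool:
    return len(prefix) <= len(dn) and dn[: len(prefix)] == prefix


def in_subtree(spec: SubtreeSpecification, admin_point: DN, entry_dn: DN,
               object_classes: Iterable[str]) -> bool:
    """Return True if entry_dn is a member of the subtree the spec describes."""
    root = admin_point + spec.base
    if not _is_prefix(root, entry_dn):
        return False                         # outside the base subtree entirely
    rel = entry_dn[len(root):]               # RDNs of the entry below the base
    depth = len(rel)
    if depth < spec.minimum or (spec.maximum is not None and depth > spec.maximum):
        return False
    if any(_is_prefix(chop, rel) for chop in spec.chop_before):
        return False                         # chopBefore removes the entry itself too
    if any(_is_prefix(chop, rel) and depth > len(chop) for chop in spec.chop_after):
        return False                         # chopAfter removes only the descendants
    classes = {oc.lower() for oc in object_classes}
    return spec.required_classes <= classes  # specificationFilter refinement


def applicable_subentries(subentries: List[Subentry], admin_point: DN,
                          entry_dn: DN, object_classes: Iterable[str]) -> List[str]:
    """Names of the subentries whose scope covers the entry, in declaration order."""
    classes = list(object_classes)
    return [s.name for s in subentries
            if in_subtree(s.spec, admin_point, entry_dn, classes)]


# --- constructed sample administrative area (not a real directory) ----------
ADMIN_POINT = parse_dn("dc=example")
SUBENTRIES = [
    Subentry("cn=peopleACI", SubtreeSpecification(
        base=parse_dn("ou=people"), chop_before=frozenset({parse_dn("ou=contractors")}))),
    Subentry("cn=ouACI", SubtreeSpecification(
        required_classes=frozenset({"organizationalunit"}))),
    Subentry("cn=rootOnlyACI", SubtreeSpecification(maximum=0)),
    Subentry("cn=groupsACI", SubtreeSpecification(
        base=parse_dn("ou=groups"), chop_after=frozenset({parse_dn("cn=special")}))),
]


def lookup(entry: str, *object_classes: str) -> List[str]:
    """Which sample subentries govern the given entry (LDAP string DN form)."""
    return applicable_subentries(SUBENTRIES, ADMIN_POINT, parse_dn(entry), object_classes)


if __name__ == "__main__":
    for entry, classes in [
        ("uid=tony,ou=people,dc=example", ("inetOrgPerson",)),
        ("uid=bob,ou=contractors,ou=people,dc=example", ("inetOrgPerson",)),
        ("ou=contractors,ou=people,dc=example", ("organizationalUnit",)),
        ("cn=member1,cn=special,ou=groups,dc=example", ("groupOfNames",)),
    ]:
        print(f"{entry:45} -> {lookup(entry, *classes)}")
```

With scope expressed this way, Marc's concern becomes a bounded scan over the subentries of the administrative point rather than a search for ACL attributes on arbitrary entries, and the chop names are interpreted relative to the specification's base, which is why an exclusion declared as `ou=contractors` under `ou=people` does not affect an `ou=contractors` elsewhere in the tree.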
