directory-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Tony Blanchard <>
Subject Re: ACLs questions
Date Tue, 17 May 2005 17:47:19 GMT
I have no idea on  how to do those things now but a thing that I can do 
is to point out the security requirement  that I told about in a mail on 
this thread.
A duplication of the tree should duplicate ACLs.
So subentries look better for this.
Meanwhile, a duplication could also transfer a configuration file 
instead... But how ?

Best regards
Tony Blanchard

Marc Boorshtein a écrit :

>>X.500 subentries are recommended to store various
>>information for an 
>>autonomous administrative area.  The area can be for
>>schema, ACLs, or 
>>collective attributes.  The area of coverage for the
>>information in the subentry is defined by the
>>subtree specification 
>>which includes parameters for chop before, chop
>>after, and subtree 
>>refinements.  This is all X.500 stuff that the LDAP
>>community is 
>>reintroducing today.  One can almost say there is a
>>subtle convergence 
>>going on. 
>Well, there's allways a difference between
>"theoretical" truths and "practical" truths.  While it
>might seem that it makes the most sence to store ACL
>entries in a subtree, the implementation and
>performace is not practical.  
>For instance, what if you have an ACL that defines a
>restriction on reads of the "sn" attribute for
>anything subtree of "dc=domain,dc=com".  When
>processing the entry
>"uid=test,ou=Users,dc=test,dc=domain,dc=com".  You
>could allways travers the DN backworkds to get all the
>ACLs and cache those acls so you don't need to find
>them again in the request, but that seems like a lot
>of overhead (on top of the ACL processing overhead).
>A second practical issue is managment.  Instead of
>managing all your ACLs in one place, now you have to
>manage it on each node.  Seaches could show you all of
>the acls in a single report, but now it makes
>management a bit harder.
>Finally, what about custom partitions and remote
>services? (LDAP Proxy, DB Partition).  Now you need
>each partition to be responsible for it's own ACL
>So while in a stand alone directory environment with
>simple ACLs using a sub entry may be the easiest way
>to go, but when you have a large envuronment with
>other types of partitions this could become combersome
>>If you want to commit to something we can explore
>>subentries together first.  Next we need to include
>>support for schema 
>>structures for subtree specifications and algorithms
>>for subtree entry 
>>set inclusion evaluation.  Finally we can begin
>>talking about 
>>implementing the actual ACL mechanism - IMO the ACL
>>mechanism can be 
>>developed in parallel and stored somewhere else
>>until we complete these 
>>components in parallel.  This way Tony can begin
>>working with us as well.
>As much as I would like to contribute, I simply don't
>have time to share anything but my experience.

View raw message