directory-dev mailing list archives

From Alex Karasulu <aok...@bellsouth.net>
Subject Re: ACLs questions
Date Wed, 18 May 2005 00:28:40 GMT
Tony Blanchard wrote:

> Please take a look at : 
> http://www.blacksheepnetworks.com/security/resources/securely-implementing-ldap.html

Nice link ... has a few links to other articles that are great reading 
... I recommend it for everyone.  I must have read these 5 times 
already.  With my short memory it helps to pound it into my head :).

> It does not talk exclusively on ACLs but there is a good point to 
> remember about it and there are some good links to other documents :
>
> "Many of the currently available LDAP products allow the 
> implementation of replication over SSL. However most do not duplicate 
> ACL information during the replication. This could result in an 
> insecure instance of a directory. If access control is important in 
> the specific implementation of the directory, make sure the ACL 
> information is duplicated."

Yah I agree with this completely.  Actually there is an RFC out there 
that makes several recommendations regarding ACLs.  It does not tell you 
exactly how to implement access controls or where to stick them but it 
might be worth looking at.  Let me see ....


http://www.faqs.org/rfcs/rfc2820.html


I could not find anything in it specifically about replication and ACLs 
but it does talk specifically about ACLs and subtrees. It's clearly 
meant to be a very loose RFC.


I think better clues about how to best manage and store ACLs can be 
found in the LDUP/LCUP specifications for replication.  This RFC does 
not really talk about AC mechanisms that best support replication.  As 
an algorithm/process for replication it gives us clues about why we 
should include the ACI/ACL with the replicated subtree.  Just for the 
record here's that RFC ...


http://www.faqs.org/rfcs/rfc3928.html


After reading this the first time (still having trouble understanding it 
:)) I quickly realized that ACI/ACL information should replicate with 
what it controls access to.


Regards,
Alex
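The quoted advice ("make sure the ACL information is duplicated") and the closing point that ACI/ACL data should replicate together with the subtree it protects both come down to one operational check: after replication, does every entry under the replicated base still carry the same access-control values as the master? The following is an added illustration, not code from the thread or from the Apache Directory project; it compares two constructed LDIF exports and assumes the access-control attribute is named `aci` (products differ) and that the LDIF has no line folding or base64 values.

```python
# Added illustration (not from the thread): confirm that the access-control
# attribute on every entry of a replicated subtree reached the replica unchanged.
# The LDIF below is constructed; attribute name "aci" and the DNs are assumptions.
MASTER_LDIF = """\
dn: ou=people,dc=example,dc=com
aci: (version 3.0; acl "self write"; allow (write) userdn="ldap:///self";)

dn: uid=alice,ou=people,dc=example,dc=com
aci: (version 3.0; acl "read"; allow (read) userdn="ldap:///anyone";)
"""

REPLICA_LDIF = """\
dn: ou=people,dc=example,dc=com
description: subtree root replicated without its aci

dn: uid=alice,ou=people,dc=example,dc=com
aci: (version 3.0; acl "read"; allow (all) userdn="ldap:///anyone";)
"""


def parse_ldif(text):
    """Parse a minimal LDIF dump (no line folding, no base64) into
    {dn: {attr: set(values)}} with DNs and attribute names lowercased."""
    entries = {}
    for block in text.strip().split("\n\n"):
        dn, attrs = None, {}
        for line in block.splitlines():
            name, _, value = line.partition(": ")
            if name.lower() == "dn":
                dn = value.strip().lower()
            elif name:
                attrs.setdefault(name.lower(), set()).add(value.strip())
        if dn:
            entries[dn] = attrs
    return entries


def acl_replication_gaps(master_ldif, replica_ldif, base, acl_attr="aci"):
    """Return {dn: reason} for every entry at or below base whose ACL attribute
    is absent from the replica, differs there, or whose entry never arrived."""
    master, replica = parse_ldif(master_ldif), parse_ldif(replica_ldif)
    base = base.lower()
    gaps = {}
    for dn, attrs in master.items():
        if not (dn == base or dn.endswith("," + base)):
            continue  # outside the replicated subtree
        if dn not in replica:
            gaps[dn] = "entry missing on replica"
        elif replica[dn].get(acl_attr, set()) != attrs.get(acl_attr, set()):
            gaps[dn] = f"{acl_attr} missing or different on replica"
    return gaps
```

Run against the two constructed dumps, the check flags both the subtree root (its `aci` never arrived) and `uid=alice` (its `aci` arrived altered), which is exactly the silent divergence the quoted article warns about.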

