
Access Control development and cn=config

At ODD/SFO, we had an interesting discussion about how to
allow dynamic update of access controls.  The traditional
approach, of course, is to implement some form of 'aci'
attributes, such as discussed (in now dead) LDAPEXT WG
or described in the draft-legg-ldap-acm drafts (X.500
basic access controls).  The basic access control model
is, of course, quite complex.

However, another approach would be move our slapd.conf(5)-based
access control directives (and everything else) out of a file
and into the directory.  This seems like a fairly pragmatic
approach.

Anyways, it would be interesting to pursue a slapd.conf(5)-less
slapd(8).   Initially the server would start up without any
configuration, listening only on ldapi:// and running with
access controls allowing only the owner of slapd(8) process
to read/write to the directory (use ldapi:// SASL/EXTERNAL for
authentication).   Then, by a series of LDAP add, modify, and
extended operations, the owner could configure the directory
as desired.  In general, changes to configuration items would
take effect immediately.  So, adding an ACL would change the
policy being enforced.

And to persist the configuration between slapd(8) instances,
the configuration would be written to disk (LDIF) or database
files.  While an admin could, in theory, muck with these
files, that practice would be undocumented and unsupported.

I'm thinking that LDAP administration would, besides allowing
for dynamic update of configuration information (including ACLs),
ease development of slicker administrative tools, including GUI
and/or remote tools.

Anyways, this is mainly food for thought, as I don't have time to
commit to development in this area.  If there are others interested
in developing in this area, please jump on in.

Kurt