
Re: Access Control development and cn=config



> However, another approach would be to move our slapd.conf(5)-based
> access control directives (and everything else) out of a file
> and into the directory.  This seems like a fairly pragmatic
> approach.

The other approach mentioned was to use a Policy Server. This is the
approach that we (my employer) are taking for our product. My guess is
that it will support some standard, like oh, maybe XACML.
It would be nice if OpenLDAP used an interface for an authorization
plugin. The initial implementation could read the ACIs out of the conf
file, but future implementers could decide to use an off-the-shelf Policy
Server. Or, one could define the policy in the LDAP itself and the plugin
would just read from the server database... Then the changes could be made
via LDAP calls, but would become active when they are read...
-lon
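
A sketch of the plugin idea in the message above, as an added example that is not part of the original post or of OpenLDAP: every type and function name here (`authz_plugin`, `authz_allows`, the table backend) is hypothetical, and the rules and DNs are constructed. It shows a decision point that knows only the interface, a first-match backend that denies by default, and policy edits that take effect only when the plugin re-reads its source.

```c
#include <stdio.h>
#include <string.h>
/* Hypothetical interface, for illustration only: not an OpenLDAP API. */
typedef enum { ACC_NONE, ACC_READ, ACC_WRITE } access_t;
typedef struct { const char *who, *attr; access_t level; } rule_t; /* "*" = any */

typedef struct authz_plugin {
    int (*load)(struct authz_plugin *self);      /* (re)read the policy source */
    access_t (*granted)(const struct authz_plugin *self,
                        const char *who, const char *attr);
    const rule_t *pending; size_t n_pending;     /* policy as currently stored */
    const rule_t *active;  size_t n_active;      /* snapshot being enforced */
} authz_plugin;

/* Backend: an in-memory table stands in for rules parsed from a conf file
 * or read from directory entries. Edits take effect only when load() runs. */
static int table_load(authz_plugin *p) {
    p->active = p->pending; p->n_active = p->n_pending; return 0;
}
/* First matching rule wins; no match (or nothing loaded) means no access. */
static access_t table_granted(const authz_plugin *p, const char *who, const char *attr) {
    for (size_t i = 0; i < p->n_active; i++) {
        const rule_t *r = &p->active[i];
        if ((!strcmp(r->who, "*") || !strcmp(r->who, who)) &&
            (!strcmp(r->attr, "*") || !strcmp(r->attr, attr)))
            return r->level;
    }
    return ACC_NONE;
}
/* The server's decision point sees only the interface, never the backend. */
int authz_allows(const authz_plugin *p, const char *who, const char *attr, access_t want) {
    return p->granted(p, who, attr) >= want;
}

/* Constructed sample identities and policy versions. */
#define ADMIN    "cn=admin,dc=example,dc=com"
#define HELPDESK "cn=helpdesk,dc=example,dc=com"
static const rule_t RULES_V1[] = {
    { ADMIN, "*", ACC_WRITE }, { "*", "userPassword", ACC_NONE }, { "*", "*", ACC_READ } };
static const rule_t RULES_V2[] = {   /* V1 plus a helpdesk password-reset rule */
    { HELPDESK, "userPassword", ACC_WRITE },
    { ADMIN, "*", ACC_WRITE }, { "*", "userPassword", ACC_NONE }, { "*", "*", ACC_READ } };
authz_plugin demo = { table_load, table_granted, RULES_V1, 3, NULL, 0 };

int main(void) {
    demo.load(&demo);
    demo.pending = RULES_V2; demo.n_pending = 4;   /* policy edited, not yet re-read */
    printf("before reload: %d\n", authz_allows(&demo, HELPDESK, "userPassword", ACC_WRITE));
    demo.load(&demo);
    printf("after reload:  %d\n", authz_allows(&demo, HELPDESK, "userPassword", ACC_WRITE));
}
```

Swapping in a different backend means supplying other `load` and `granted` functions; `authz_allows` and its callers stay unchanged.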