[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: dynamic ACLs

To: Howard Chu <hyc@highlandsun.com>
Subject: Re: dynamic ACLs
From: Stig Venaas <Stig@OpenLDAP.org>
Date: Sun, 9 Sep 2001 11:12:16 +0200
Cc: Dane Foster <dfoster@equitytg.com>, openldap-software@OpenLDAP.org
In-reply-to: <001701c138e8$5a525d80$0c01a8c0@fiddle.symas.com>; from hyc@highlandsun.com on Sat, Sep 08, 2001 at 09:31:54PM -0700
References: <004801c138c2$3dd33fb0$1000a8c0@STATION1> <001701c138e8$5a525d80$0c01a8c0@fiddle.symas.com>

On Sat, Sep 08, 2001 at 09:31:54PM -0700, Howard Chu wrote:
> I personally grew up on systems that supported ACLs and I'm very comfortable
> using them, but I don't see any actual *need* for them. You can achieve
> pretty
> good dynamic access control by defining a good set of static rules and
> assigning
> privileges to groups - your dynamic control arises from dynamically
> controlling
> the group memberships. Algebraically the two approaches are equivalent.

Yes, this works pretty well. What I miss the most perhaps is a way to
change the rules in slapd.conf without restarting the server. It would
be neat if slapd could use a signal to tell it to reread slapd.conf, at
least the ACLs. I suppose I can implement it if I really want it... I
suspect there might be some issues regarding how updated rules should
affect existing connections. 

Another idea that popped into my head was to store the ACLs we use today
in the directory and have dynamic update of those. This is not that much
more complex than the first idea.

I'm not sure if it's worth to pursue this, or if should rather go
straight for the full blown ACI solution.

Stig

Follow-Ups:
- Re: dynamic ACLs
  - From: David Olivier <David.Olivier@univ-lyon2.fr>
- RE: dynamic ACLs
  - From: "Howard Chu" <hyc@highlandsun.com>

References:
- dynamic ACLs
  - From: "Dane Foster" <dfoster@equitytg.com>
- RE: dynamic ACLs
  - From: "Howard Chu" <hyc@highlandsun.com>

Prev by Date: RE: dynamic ACLs
Next by Date: Re: dynamic ACLs
Index(es):
- Chronological
- Thread