
Re: ACL optimization

--On Wednesday, August 03, 2005 4:41 PM +0200 Pierangelo Masarati <ando@sys-net.it> wrote:

If you could simplify your rules by using the value of "host" as the "cn"
of the identity that's allowed write access to that host, e.g.

<snip>
access to dn.children="ou=people,ou=accounts,dc=domain"
        filter=(&(host=server1)(fpstatus=active))
        attrs=uidNumber,objectclass,uid,gidNumber,homeDirectory,host,@fadesaPerson,@inetlocalmailrecipient,@krb5principal,krb5KDCFlags
        by dn.exact="cn=server1,ou=acl,dc=domain" ssf=128 read
        by * none break

access to dn.children="ou=people,ou=accounts,dc=domain"
        filter=(&(host=server1)(fpstatus=active))
        by dn.exact="cn=server1,ou=acl,dc=domain" ssf=128 write
        by * none break
</snip>

and if you use OpenLDAP 2.3, you could use these two rules instead of
yours:

access to dn.children="ou=people,ou=accounts,dc=domain"
        filter="(fpstatus=active)"
        attrs=uidNumber,objectclass,uid,gidNumber,homeDirectory,host,@fadesaPerson,@inetlocalmailrecipient,@krb5principal,krb5KDCFlags
        by set="user & ([cn=]+this/host+[,ou=acl,dc=domain])" ssf=128 read
        by * none break

access to dn.children="ou=people,ou=accounts,dc=domain"
        filter="(fpstatus=active)"
        by set="user & ([cn=]+this/host+[,ou=acl,dc=domain])" ssf=128 write
        by * none break

You need OpenLDAP 2.3 because in earlier versions no "+" operator was
available in sets.  Please note that the literal portions of the DN that
go into square brackets must be normalized, because DN comparison is done
with the normalized DN of the user, but no normalization occurs in sets.

Aside from ACLs, another thing to look at is your idlcache. Since you didn't post what your idlcache/cachesize settings were for the OpenLDAP server, it is hard to give any advice on that, though.


--Quanah


--
Quanah Gibson-Mount
Principal Software Developer
ITSS/Shared Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html

"These censorship operations against schools and libraries are stronger
than ever in the present religio-political climate. They often focus on
fantasy and sf books, which foster that deadly enemy to bigotry and blind
faith, the imagination." -- Ursula K. Le Guin
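The quoted 2.3-style rule `set="user & ([cn=]+this/host+[,ou=acl,dc=domain])"` and the normalization caveat that follows it are easy to get wrong on first reading. The Python below is an added illustration, not code from this thread or from OpenLDAP: it models the set expression as slapd's set syntax describes it (a set of strings per operand, `+` as concatenation of every combination, `&` as intersection) so you can see why the bound DN matches regardless of how the client spelled it, while an unnormalized literal inside `[...]` silently stops matching. `normalize_dn` is a deliberate simplification of slapd's DN normalization (case-fold and strip whitespace around separators), adequate for the caseIgnore attribute types in these DNs; `set_grants`, its `prefix`/`suffix` parameters and the sample DNs are constructed for the example.

```python
from itertools import product

def normalize_dn(dn: str) -> str:
    """Simplified model of slapd DN normalization (assumption for this example):
    lower-case attribute types and values, drop whitespace around RDN separators.
    Good enough for cn/ou/dc, which all use caseIgnore matching."""
    out = []
    for rdn in dn.split(","):
        attr, _, val = rdn.strip().partition("=")
        out.append(f"{attr.strip().lower()}={val.strip().lower()}")
    return ",".join(out)

def concat_sets(*operands):
    """The set '+' operator: every combination of one string from each operand,
    joined in order.  With one host value this is just string concatenation."""
    return {"".join(combo) for combo in product(*operands)}

def set_grants(bound_dn, entry_host_values,
               prefix="cn=", suffix=",ou=acl,dc=domain"):
    """Evaluate   user & (prefix + this/host + suffix)   for one access check.

    bound_dn          - the DN the client bound as; slapd compares using its
                        normalized form, so we normalize it here.
    entry_host_values - the 'host' attribute values of the target entry ('this').
    prefix / suffix   - the literal [..] pieces of the set.  They are used
                        exactly as written, never normalized; that is the
                        pitfall the mail warns about."""
    user = {normalize_dn(bound_dn)}
    candidates = concat_sets({prefix}, set(entry_host_values), {suffix})
    return bool(user & candidates)

if __name__ == "__main__":
    # Constructed sample checks for the rule quoted in the mail.
    print(set_grants("cn=server1,ou=acl,dc=domain", ["server1"]))          # True
    print(set_grants("CN=Server1, OU=ACL, DC=Domain", ["server1"]))        # True: bound DN is normalized
    print(set_grants("cn=server2,ou=acl,dc=domain", ["server1"]))          # False: wrong host identity
    print(set_grants("cn=server2,ou=acl,dc=domain", ["server1", "server2"]))  # True: multi-valued host
    # Same rule, but with the literal written in a non-normalized form:
    print(set_grants("cn=server1,ou=acl,dc=domain", ["server1"],
                     prefix="CN=", suffix=", OU=ACL, DC=Domain"))           # False: literal never normalized
```

The last call is the case to watch for in a real slapd.conf: the ACL looks correct to a human, every bind "works", but the set is always empty and the rule falls through to `by * none break`, so the host identity quietly loses the access the rule was supposed to grant. When writing such rules, copy the literal DN components exactly as slapd would normalize them (lower-case, no spaces after the commas), and confirm with a read or write as the host identity rather than trusting the rule by inspection.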