
Re: (ITS#6198) Authorization for extensions

Michael Ströder wrote:
> Howard Chu wrote:
>> Ugh, no. There's no way any sysadmin is going to remember what each OID
>> means.
> There are tools to display them:
> http://demo.web2ldap.de:1760/web2ldap?ldap://ldap.uninett.no/??base
> There also could be GUI tools to display ACLs to humans.

None of which may be accessible when trying to diagnose a crashed system. It 
must always be practical to manually edit a slapd configuration.

>> Each exop will be given a "friendly name" like WhoAmI, ModifyPwd,
>> etc.

> Who maintains the list of friendly names? Yes, the OpenLDAP project can
> maintain a proprietary list like all other LDAP vendors do. :-(
> Probably that's another topic for cross-vendor coordination...

Interoperability is not a requirement for slapd configuration elements. 
However, any shortname already present in RFCs would be obvious first choices. 
E.g., "passwdModify" (RFC 3062, section 2) and "whoami" (RFC 4532, section 2) 
(derived by dropping the letters "OID" from the name of the OID definition). 
Or just accept any oidmacros, as some of the other config items already do.

On that score I believe we should promote more pervasive use of OID macros 
instead of numeric OIDs, because that greatly enhances comprehension by human 
administrators. I believe we should define macros for all of the syntaxes etc. 
already in common use in slapd and document them, guaranteeing that they will 
be available for everyone else who uses OpenLDAP to also take advantage of 
them. (Note that back-config already has several hardcoded, but they're 
decorated with "OM" prefix and not documented for public consumption. For real 
use they should be unadorned, using plain names such as "integer" or 
"directoryString" ...)

   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/