Re: (ITS#6487) Nssov pam_authz authorizedUserService
> This patch was rejected. The functionality it offered was already
> provided by the slapd ACL engine.
Could I ask you to reconsider your position on using ACLs? Using ACLs for
this kind of thing is a little bit like asking the security guard that
makes your entry badge also be in charge of all of your HR data and
documents. I understand the ACL engine may be quick but it completely
defeats the purpose of having a centralised directory. What if I want
directory administrators to be able to edit host permissions but I don't
want them to have root so they can edit slapd.conf or change the SLAPD
configuration? What if I can't even use the modern configuration because
overlays I want to use don't support it and I am forced to use slapd.conf?
It also moves away from the model of having data about the host in one dn:
cn=host,dc=example,dc=com entry to now having pretty vital information
about the host moved completely out of the directory itself and into the
directory server's configuration. That surely can't be a good thing. What
if I want to move from OpenLDAP to some other server?