
Re: (ITS#6487) Nssov pam_authz authorizedUserService



> This patch was rejected. The functionality it offered was already 
> provided by the slapd ACL engine.
Could I ask you to reconsider your position on using ACLs? Using ACLs for 
this kind of thing is a little bit like asking the security guard who 
makes your entry badge to also be in charge of all of your HR data and 
documents. I understand the ACL engine may be quick, but it completely 
defeats the purpose of having a centralised directory. What if I want 
directory administrators to be able to edit host permissions, but I don't 
want them to have root so they can edit slapd.conf or change the slapd 
configuration? What if I can't even use the modern configuration because 
overlays I want to use don't support it and I am forced to use slapd.conf?

It also moves away from the model of having data about the host in one DN, 
the cn=host,dc=example,dc=com entry, to now having pretty vital information 
about the host moved completely out of the directory itself and into the 
directory server's configuration. That surely can't be a good thing. What 
if I want to move from OpenLDAP to some other server?

Kean