[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#6487) Nssov pam_authz authorizedUserService

Kean Johnston wrote:
>> This patch was rejected. The functionality it offered was already
>> provided by the slapd ACL engine.
> Could I ask you to reconsider your position on using ACL's? Using ACL's for
> this kind of thing is a little bit like asking the security guard that
> makes your entry badge also be in charge of all of your HR data and
> documents. I understand the ACL engine may be quick but it completely
> defeats the purpose of having a centralised directory.

No, doing anything else defeats that purpose.

> What if I want
> directory administrators to be able to edit host permissions but I don't
> want them to have root so they can edit slapd.conf or change the SLAPD
> configuration?

So let them edit the host permissions. Delegate the privileges to groups, and 
give them write access to their respective groups.

> what if I cant even use the modern configuration because
> overlays I want to use don't support it and I am forced to use slapd.conf?

Irrelevant. Using slapd.conf doesn't preclude delegation of privileges or 
dynamic updates to privilege memberships.

> It also moves away from the model of having data about the host in one dn:
> cn=host,dc=example,dc=com entry to now having pretty vital information
> about the host moved completely out of the directory itself and into the
> directory server's configuration. That surely can't be a good thing.

On the contrary - for security management, it's the BEST thing. Keeping your 
authorization rules scattered across the data space not only makes it harder 
to administer, it also makes it easier to subvert. Keeping it all isolated in 
a single administrative space negates both of those problems.

The key to scalable security is centralized control with distributed access, 
not distributed control. The more widely you distribute the actual points of 
control, the more likely you are to make a mistake and open a hole between the 

> What if I want to move from OpenLDAP to some other server?

Then you probably should be using nss-pam-ldapd, and not nssov.

   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/