
Re: (ITS#6495) nssov patch to better emulate pam_ldap behaviour



--On Monday, March 22, 2010 12:41 PM +0000 kean.johnston@gmail.com wrote:

>> Authorization is the job of the ACL engine. Putting ad-hoc rules into
>> user entries is, in a word, stupid. It's also unscalable and will
>> become an administration nightmare.
> Well OK then. Using a configuration mechanism like ACLs that cannot be
> distributed to multiple users (like editing a directory can) is, in a
> word, stupid. It is also unscalable and will become an administration
> nightmare. And authorisation is not (or SHOULD not be) the job of ACLs;
> it's the job of authorisation modules, which nssov is.
>
> Being forced to give admins who simply want to be able to change access
> to a random host in a centralised server root access to what may be a
> critical server with other sensitive data on it is simply wrong.

As already noted, there is no need to give root access to admins.  My guess 
is you really do not understand how ACLs work.  I would advise carefully 
reading the slapd-access(5) man page.

Regards,
Quanah

--

Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra ::  the leader in open source messaging and collaboration
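As an added illustration of the delegation point argued above (not taken from the thread or from the nssov code), the following slapd.conf access directives let a group of host administrators edit only the attribute that an authorization module consults, with no rootdn or root-shell access; the suffix, the ou=people and cn=hostadmins names, and the use of the host attribute are assumptions.

```conf
# Added example, not from the thread. Assumed names: dc=example,dc=com,
# ou=people for user entries, cn=hostadmins as the delegated group, and
# the 'host' attribute as the value a pam_ldap-style check reads.
# slapd evaluates "access to" clauses in order; the first clause whose
# target matches decides, so the attribute-specific rules come first.

# Host administrators may write the host attribute of user entries.
# Everyone else may read it, so the authorization module can still
# evaluate it at login time. Nobody needs rootdn for this change.
access to dn.children="ou=people,dc=example,dc=com" attrs=host
        by group.exact="cn=hostadmins,ou=groups,dc=example,dc=com" write
        by * read

# Password hashes are never readable; users may change their own,
# and anonymous binds may only use the value for authentication.
access to dn.children="ou=people,dc=example,dc=com" attrs=userPassword
        by self write
        by anonymous auth
        by * none

# Everything else on a user entry stays read-only for all clients,
# including the host administrators.
access to dn.children="ou=people,dc=example,dc=com"
        by * read
```

The slapacl(8) tool can confirm the effect offline before the rules go live, e.g. by asking whether a given hostadmins member (-D) gets host/write on a given user entry (-b) while a non-member does not.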