Re: (ITS#6495) nssov patch to better emulate pam_ldap behaviour
--On Monday, March 22, 2010 12:41 PM +0000 firstname.lastname@example.org wrote:
>> Authorization is the job of the ACL engine. Putting ad-hoc rules into
>> user entries is, in a word, stupid. It's also unscalable and will
>> become an administration nightmare.
> Well OK then. Using a configuration mechanism like ACLs that cannot be
> distributed to multiple users (like editing a directory can) is, in a
> word, stupid. It is also unscalable and will become an administration
> nightmare. And authorisation is not (or SHOULD not be) the job of ACLs;
> it's the job of authorisation modules, which nssov is.
> Being forced to give admins, who simply want to be able to change access
> to a random host in a centralised server, root access to what may be a
> critical server with other sensitive data on it is simply wrong.
As already noted, there is no need to give root access to admins. My guess
is you really do not understand how ACLs work. I would advise carefully
reading the slapd-access(5) man page.
Principal Software Engineer
Zimbra :: the leader in open source messaging and collaboration