[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Access Control development and cn=config

> However, another approach would be move our slapd.conf(5)-based
> access control directives (and everything else) out of a file
> and into the directory.  This seems like a fairly pragmatic
> approach.

The other approach mentioned was to use a Policy Server. This is the
approach that we (my employer) are taking for our product. My guess is
that it will support some standard, like oh, maybe XACML.
It would be nice if OpenLDAP used an interface for an authorization
plugin. The initial implementation could read the ACIs out of the conf
file, but future implementers could decide to use an off-the-shelf Policy
Server. Or, one could define the policy in the LDAP itself and the plugin
would just read from the server database... Then the changes could be made
via LDAP calls, but would become active when they are read...