Re: Access Control development and cn=config

At 02:20 PM 3/24/2003, Lon Tierney wrote:
>> However, another approach would be to move our slapd.conf(5)-based
>> access control directives (and everything else) out of a file
>> and into the directory.  This seems like a fairly pragmatic
>> approach.
>The other approach mentioned was to use a Policy Server. This is the
>approach that we (my employer) are taking for our product. My guess is
>that it will support some standard, like oh, maybe XACML.
>It would be nice if OpenLDAP used an interface for an authorization
>plugin. The initial implementation could read the ACIs out of the conf
>file, but future implementers could decide to use an off-the-shelf Policy
>Server. Or, one could define the policy in the LDAP itself and the plugin
>would just read from the server database... Then the changes could be made
>via LDAP calls, but would become active when they are read...

Roland actually is doing work in this area (using SPOCP).  He
didn't create an access control plugin interface, but it's a
logical next step.