[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Access Control development and cn=config

To: "Lon Tierney" <ltierney@mykungfuisthebest.net>
Subject: Re: Access Control development and cn=config
From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>
Date: Mon, 24 Mar 2003 19:15:42 -0800
Cc: <openldap-devel@OpenLDAP.org>
In-reply-to: <33206.64.94.142.144.1048544452.squirrel@webmail.mykungfuis thebest.net>
References: <5.2.0.9.0.20030323104418.01a39008@127.0.0.1> <5.2.0.9.0.20030323104418.01a39008@127.0.0.1>

At 02:20 PM 3/24/2003, Lon Tierney wrote:
>> However, another approach would be move our slapd.conf(5)-based
>> access control directives (and everything else) out of a file
>> and into the directory.  This seems like a fairly pragmatic
>> approach.
>
>The other approach mentioned was to use a Policy Server. This is the
>approach that we (my employer) are taking for our product. My guess is
>that it will support some standard, like oh, maybe XACML.
>It would be nice if OpenLDAP used an interface for an authorization
>plugin. The initial implementation could read the ACIs out of the conf
>file, but future implementers could decide to use an off-the-shelf Policy
>Server. Or, one could define the policy in the LDAP itself and the plugin
>would just read from the server database... Then the changes could be made
>via LDAP calls, but would become active when they are read...
>-lon

Roland actually is doing work in this area (using SPOCP).  He
didn't create an access control plugin interface but its a
logical next step.

Kurt

References:
- Access Control development and cn=config
  - From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>

Prev by Date: Re: Access Control development and cn=config
Next by Date: Re: Access Control development and cn=config
Index(es):
- Chronological
- Thread