[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Access Control development and cn=config



Lon Tierney wrote:

However, another approach would be move our slapd.conf(5)-based
access control directives (and everything else) out of a file
and into the directory. This seems like a fairly pragmatic
approach.



The other approach mentioned was to use a Policy Server. This is the
approach that we (my employer) are taking for our product. My guess is
that it will support some standard, like oh, maybe XACML.
It would be nice if OpenLDAP used an interface for an authorization
plugin. The initial implementation could read the ACIs out of the conf
file, but future implementers could decide to use an off-the-shelf Policy
Server. Or, one could define the policy in the LDAP itself and the plugin
would just read from the server database... Then the changes could be made
via LDAP calls, but would become active when they are read...
-lon


We had plans to make such a presentation during the sfo meeting but it got
cancelled. Check out http://www.umu.se/it/projupp/spocp. There is an unofficial
patch to have openldap make authorization requests to this policy server. Spocp
has a native protocol but also supports SAML. Roland Hedberg (roland@catalogix.se)
is the developper. You should talk to him.


      Cheers Leif