
RE: back-config again

--On Sunday, March 28, 2004 9:09 PM -0800 Howard Chu <hyc@highlandsun.com> wrote:

While we're thinking about ACLs, it would make sense to structure them
hierarchically instead of in a flat list. The current structure is a bit
silly if you have 40 different non-intersecting dn.subtree rules, because
they all still have to be checked even though maybe only one of them
applies. If ACLs were structured in a way that paralleled the actual
hierarchy of the DIT, a lot of extraneous checks could be eliminated.

Of course, if you're going to duplicate the DIT's hierarchical layout
anyway, you might as well just merge the ACLs into the DIT itself. Oh
wait, that's an ACI. Hm, what does *that* mean, I wonder....

Following any of these suggested changes to their logical *conclusion*
means making a lot of far-reaching, fundamental changes to the structure
of the server. For the moment, I'm content with only going one or two
steps down each path, and not pursuing them to their ultimate conclusion.

Hm, excellent points. The main problem I have with ACIs is that we don't really have per-entry ACLs, but per-subtree ACLs (which I know are now supported). That currently is about 8 pages of ACLs, almost all in a single subtree (our person tree). One of the things I would like to test is putting the ACLs in as ACIs and seeing how the server does (once syncrepl works, this'll be my next test. ;) ). My concern, of course, is that what we are doing is not really represented well in ACI format.


Quanah Gibson-Mount
Principal Software Developer
ITSS/TSS/Computing Systems
ITSS/TSS/Infrastructure Operations
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
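The point above about 40 non-intersecting dn.subtree rules all being checked on every access, modelled as an added example (this is constructed illustration code, not OpenLDAP's slapd ACL implementation). It compares a flat, first-match rule list against a tree of rules stored at the DIT position they cover. Assumptions: DNs contain no escaped commas, RDNs are matched as case-folded strings, each rule carries a single access level for everyone, and the names `Rule`, `flat_lookup`, `AclTree`, `build_rules` and the dc=example,dc=edu rule set are invented for the example.

```python
"""Flat vs. hierarchical evaluation of dn.subtree ACL rules.

Constructed model of the mailing-list point about 40 non-intersecting
dn.subtree rules; not slapd's ACL code. Assumptions: DNs have no escaped
commas, RDNs match as case-folded strings, one access level per rule.
"""
from dataclasses import dataclass


def dn_to_path(dn):
    """Split a DN into RDNs ordered root-first, e.g.
    'uid=jdoe,ou=people,dc=example,dc=edu'
      -> ['dc=edu', 'dc=example', 'ou=people', 'uid=jdoe']."""
    return [rdn.strip().lower() for rdn in dn.split(",")][::-1]


@dataclass(frozen=True)
class Rule:
    subtree: str   # the dn.subtree this rule covers
    access: str    # e.g. "read" or "write" (simplified)


def flat_lookup(rules, target_dn):
    """Flat list, as in slapd.conf: rules are tested in file order and the
    first whose subtree contains target_dn wins. Returns (rule, rules_examined)."""
    path = dn_to_path(target_dn)
    examined = 0
    for rule in rules:
        examined += 1
        prefix = dn_to_path(rule.subtree)
        if path[:len(prefix)] == prefix:
            return rule, examined
    return None, examined


class AclTree:
    """Rules stored at the DIT position they cover, so a lookup only visits
    nodes on the target's own path and never examines unrelated subtrees."""

    def __init__(self):
        self.children = {}
        self.rule = None

    def add(self, rule):
        node = self
        for rdn in dn_to_path(rule.subtree):
            node = node.children.setdefault(rdn, AclTree())
        node.rule = rule

    def lookup(self, target_dn):
        """Walk root-to-leaf along target_dn; the deepest (most specific)
        rule on the path wins. Returns (rule, nodes_examined)."""
        node, best, examined = self, None, 0
        for rdn in dn_to_path(target_dn):
            node = node.children.get(rdn)
            if node is None:
                break
            examined += 1
            if node.rule is not None:
                best = node.rule
        return best, examined


def build_rules():
    """Constructed rule set: 40 non-overlapping department subtrees, one
    groups subtree, and one per-entry rule appended last."""
    rules = [Rule(f"ou=dept{i:02d},ou=people,dc=example,dc=edu", "read")
             for i in range(1, 41)]
    rules.append(Rule("ou=groups,dc=example,dc=edu", "read"))
    rules.append(Rule("uid=jdoe,ou=dept37,ou=people,dc=example,dc=edu", "write"))
    return rules


def build_tree(rules):
    tree = AclTree()
    for rule in rules:
        tree.add(rule)
    return tree


if __name__ == "__main__":
    rules = build_rules()
    tree = build_tree(rules)
    for dn in ("uid=asmith,ou=dept37,ou=people,dc=example,dc=edu",
               "uid=jdoe,ou=dept37,ou=people,dc=example,dc=edu",
               "uid=host1,ou=machines,dc=example,dc=edu"):
        flat_rule, n_flat = flat_lookup(rules, dn)
        tree_rule, n_tree = tree.lookup(dn)
        print(f"{dn}\n  flat: {n_flat:2d} rules -> {flat_rule}"
              f"\n  tree: {n_tree:2d} nodes -> {tree_rule}")
```

For an entry in dept37 the flat list examines 37 rules and an entry under a subtree with no rule at all examines all 42, while the tree visits only the handful of nodes on the entry's own path. The jdoe case shows the semantic question such a restructuring has to settle: slapd's flat list is first-match in configuration order, so the dept37 rule wins and the per-entry rule written after it is dead, whereas the tree picks the most specific rule. Rules that are not plain dn.subtree matches (regex, filter or attribute clauses) would still need a linear pass within the node they attach to.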