
RE: dynamic ACLs



Some offhand comments...

There is of course interest in implementing dynamic ACLs. Search through the
archives for "ACI" and you should find plenty of discussion on the topic, as
well as the current state of that code.

I personally grew up on systems that supported ACLs and I'm very comfortable
using them, but I don't see any actual *need* for them. You can achieve pretty
good dynamic access control by defining a good set of static rules and assigning
privileges to groups - your dynamic control arises from dynamically controlling
the group memberships. Algebraically the two approaches are equivalent.

From a convenience perspective I see the current static ACL situation as a flaw,
but from a security perspective I don't think it's so bad. In fact I think it's
a security advantage - if you have an environment where access control is changed
so frequently that dynamic definition is an absolute requirement, then in my
opinion you're wasting your time because your system is no longer secure to
begin with. One distinct advantage of defining all ACLs in a static file is that
it is feasible, pretty much trivial, to audit the security of your directory, and
analyze who has access to what. It becomes more and more difficult to perform
this kind of audit and analysis as you distribute the access control information
and delegate the access control administration.

From another perspective - an LDAP directory is not a filesystem - it is not
intended for general storage of both private and shared material. By and large,
the reason you store things in an LDAP directory is to share them. As such, if
you find yourself needing all of the security flexibility that you're accustomed
to in a filesystem context, I believe you're misusing the technology.

Obviously this is all my personal opinion. From a perspective of design elegance,
it makes sense to me that the access control information should be distributed
and as easily accessible and manageable as the actual data objects. This is a
feature of the original X.500 spec as well, and it's logical to support it. But
when you leave the abstract world of design and get into the harsh reality of
implementation, perspectives change, and what seemed like a good idea at first
turns out to have many unforeseen complexities and drawbacks. There are
performance issues, security issues, etc. etc. etc...

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc

> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Dane Foster
> Sent: Saturday, September 08, 2001 4:59 PM
> To: openldap-software@OpenLDAP.org
> Subject: dynamic ACLs
>
>
> Hello all.  I'm new to the OpenLDAP list (subscribed today) and new to LDAP
> in general.  I'm currently involved in projects that require the
> implementation of a directory service.  After doing massive amounts of
> reading I believe I have a half-way decent idea of what LDAP is and more
> importantly how it can and will fit into the projects that we (my employer)
> are involved in.  After much web-surfing/research I have concluded that
> OpenLDAP is my best option for satisfying our directory requirements.  The
> primary reason for OpenLDAP's selection is it has the best price/performance
> (it's free and stable) ratio of any LDAP implementation that I researched.
> That being said, there is one major shortcoming that I found in OpenLDAP
> that directly affects our directory service; you cannot do on the fly ACL
> additions or modifications.  As part of my research I dug into LDAP.org's
> mailing list archives.  What I couldn't find in the archives was any
> concrete direction regarding implementing a more dynamic ACL architecture.
> Unfortunately, I'm not a C programmer (I do Java) so I'm unable to
> contribute via C code.  It seems that if I, or anyone for that matter, want
> dynamic ACL in OpenLDAP, it will have to happen at the application level
> instead of in OpenLDAP.
> Due to the needs of an extranet application I'm involved in, dynamic ACL is
> a must.  I'm currently thinking about creating a lightweight Java library
> that I will be able to drop into any -Java- application that needs dynamic
> ACL capability.  This brings me to the core reason for posting this message:
> I would like to know if there are other Java developers on this list who
> need the same or similar functionality and would like to _informally_
> participate in developing such a library?  Please note the emphasis on
> informal.  I have no interest in incurring the overhead of a full-blown
> project for two reasons: (1) I don't have the time because my hands are full
> and (2) I don't think the solution requires it.  If no one is interested
> that is fine with me but at a minimum I hope to inspire discussion on how to
> satisfy the need for dynamic ACL capability in OpenLDAP.
>
> Thanx for reading :-)
>
> Dane Foster
> Equity Technology Group, Inc
> http://www.equitytg.com.
> 954.360.9800
>
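The group-based scheme in Howard's reply, and the whole-directory audit he says a static file makes feasible, as an added example that is not from this thread or from OpenLDAP itself: a small Python audit that parses constructed slapd.conf-style access directives plus constructed group memberships, resolves each user's effective level the way slapd does (first matching `by` clause wins), and shows that moving a user into a group changes the answer without touching the static rules. All DNs, groups and users are constructed, and the parser only handles the `*`, `users` and `group.exact=` forms of `by` clause.

```python
import re

# OpenLDAP access levels, weakest to strongest; each level implies all the earlier ones.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

# Constructed slapd.conf-style directives for this example (not from the thread).
SLAPD_ACLS = '''
access to dn.subtree="ou=finance,dc=example,dc=com"
    by group.exact="cn=finance-admins,ou=groups,dc=example,dc=com" write
    by group.exact="cn=finance-readers,ou=groups,dc=example,dc=com" read
    by * none
access to dn.subtree="ou=people,dc=example,dc=com"
    by users read
    by * none
'''
FINANCE = 'dn.subtree="ou=finance,dc=example,dc=com"'
PEOPLE = 'dn.subtree="ou=people,dc=example,dc=com"'
ALICE, BOB, DAVE = (f"uid={n},ou=people,dc=example,dc=com" for n in ("alice", "bob", "dave"))
USERS = {ALICE, BOB, DAVE}

# Constructed group memberships; editing these (e.g. ldapmodify on the group entry) is the
# "dynamic" half of the scheme, while the access directives above never change.
GROUPS = {
    "cn=finance-admins,ou=groups,dc=example,dc=com": {ALICE},
    "cn=finance-readers,ou=groups,dc=example,dc=com": {BOB},
}

def parse_acls(text):
    """Return [(target, [(who, level), ...])] in file order, keeping 'by' clause order."""
    acls = []
    for block in re.split(r"^\s*access to ", text, flags=re.M)[1:]:
        lines = block.strip().splitlines()
        clauses = [re.match(r"\s*by\s+(\S+)\s+(\w+)", ln).groups() for ln in lines[1:]]
        acls.append((lines[0].strip(), clauses))
    return acls

def level_for(clauses, user, groups):
    """slapd semantics: the first matching 'by' clause decides; no match means 'none'."""
    for who, level in clauses:
        if who == "*" or (who == "users" and user is not None):
            return level
        if who.startswith("group.exact=") and user in groups.get(who.split("=", 1)[1].strip('"'), ()):
            return level
    return "none"

def audit(acls, groups, users):
    """Who has what on every target: the whole-directory audit a static file makes feasible."""
    return {target: {u: level_for(clauses, u, groups) for u in users} for target, clauses in acls}

def who_can(acls, groups, users, target, level):
    """Users holding at least `level` on `target` (e.g. everyone able to write finance data)."""
    return {u for u, lvl in audit(acls, groups, users)[target].items()
            if LEVELS.index(lvl) >= LEVELS.index(level)}
```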