
RE: dynamic ACLs

I do not see dynamic ACL and dynamically controlled group memberships as
ESPECIALLY since there is no nesting of groups.

I do see inheritable (and well documented) ACI's being functionally
equivalent to dynamic ACLs. However, neither of those is equivalent to
what we have today.

This is a short list of things that can not be done on the fly:

If a new object is created that needs distinct rights, too bad.
If a new group is created that requires distinct rights, too bad.
If new schema attributes are added that require rights definitions, too
If any change occurs to the schema that alters existing definitions, too
If you want to replicate access controls through slurpd, too bad.
If you want to delegate who has access to access controls, too bad.
If you want to use the LDAP API to change rights, too bad.
If you are not given root access to EACH AND EVERY openldap server, too
If you want to make any of the above changes and not kill all your
sockets, too bad.

These are the types of functions that I need. I get frustrated by the
status quo being "well, we like what we have since it does what we
need." This is not my case, but unfortunately I can't code C.

I think making a signal to reload slapd.conf on the fly would be a great
improvement. Even for something as simple as changing log levels; I
usually disable logging during normal operations. To debug, I need to
restart slapd, restart qmail-ldap, restart courier-imap, etc., just to
enable logging. Then, to disable....


-----Original Message-----
From: Howard Chu [mailto:hyc@highlandsun.com]
Sent: Saturday, September 08, 2001 11:32 PM
To: Dane Foster; openldap-software@OpenLDAP.org
Subject: RE: dynamic ACLs

Some offhand comments...

There is of course interest in implementing dynamic ACLs. Search through
archives for "ACI" and you should find plenty of discussion on the
topic, as
well as the current state of that code.

I personally grew up on systems that supported ACLs and I'm very
using them, but I don't see any actual *need* for them. You can achieve
good dynamic access control by defining a good set of static rules and
privileges to groups - your dynamic control arises from dynamically
the group memberships. Algebraically the two approaches are equivalent.

From a convenience perspective I see the current static ACL situation as
but from a security perspective I don't think it's so bad. In fact I
a security advantage - if you have an environment where access control
so frequently that dynamic definition is an absolute requirement, then
in my
opinion you're wasting your time because your system is no longer secure
begin with. One distinct advantage of defining all ACLs in a static file
it is feasible, pretty much trivial, to audit the security of your
directory, and
analyze who has access to what. It becomes more and more difficult to
this kind of audit and analysis as you distribute the access control
and delegate the access control administration.

From another perspective - an LDAP directory is not a filesystem - it is
intended for general storage of both private and shared material. By and
large, the reason
you store things in an LDAP directory is to share them. As such, if you
needing all of the security flexibility that you're accustomed to in a
context, I believe you're misusing the technology.

Obviously this is all my personal opinion. From a perspective of design
it makes sense to me that the access control information should be
distributed and
as easily accessible and manageable as the actual data objects. This is
of the original X.500 spec as well, and it's logical to support it. But
leave the abstract world of design and get into the harsh reality of
perspectives change, and what seemed like a good idea at first turns out
many unforeseen complexities and drawbacks. There are performance
issues, etc. etc. etc...

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc

> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Dane Foster
> Sent: Saturday, September 08, 2001 4:59 PM
> To: openldap-software@OpenLDAP.org
> Subject: dynamic ACLs
> Hello all.  I'm new to the OpenLDAP list (subscribed today) and
> new to LDAP
> in general.  I'm currently involved in projects that require the
> implementation of a directory service.  After doing massive amounts of
> reading I believe I have a half-way decent idea of what LDAP is and
> importantly how it can and will fit into the projects that we (my
> employer)
> are involved in.  After much web-surfing/research I have concluded
> OpenLDAP is my best option for satisfying our directory requirements.
> primary reason for OpenLDAP's selection is it has the best
> price/performance
> (its free and stable) ratio of any LDAP implementation that I
> That being said, there is one major shortcoming that I found in
> that directly affects our directory service; you cannot do on the fly
> additions or modifications.  As part of my research I dug into
> mailing list archives.  What I couldn't find in the archives was any
> concrete direction regarding implementing a more dynamic ACL
> Unfortunately, I'm not a C programmer (I do Java) so I'm unable to
> contribute via C code.  It seems that if I, or anyone for that
> matter, want
> dynamic ACL in OpenLDAP, it will have to happen at the application
> instead of in OpenLDAP.
> Due to the needs of an extranet application I'm involved in
> dynamic ACL is a
> must.  I'm currently thinking about creating a lightweight Java
> library that
> I will be able to drop into any -java-application that need dynamic
> capability.  This brings me to the core reason for posting this
message, I
> would like to know if there are other java developers on this
> list who need
> the same or similar functionality and would like to _informally_
> participate
> in developing such a library?  Please note the emphasis on
> informal.  I have
> no interest in incurring the overhead of a full-blown project for two
> reasons (1) I don't have the time because my hands are full and
> (2) I don't
> think the solution requires it.  If no one is interested that is fine
> me but at a minimum I hope to inspire discussion on how to
> satisfy the need
> for dynamic ACL capability in OpenLDAP.
> Thanx for reading :-)
> Dane Foster
> Equity Technology Group, Inc
> http://www.equitytg.com.
> 954.360.9800
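The pattern Howard Chu describes above (static rules in slapd.conf that grant rights to groups, with the "dynamic" part coming from changing group membership through ordinary LDAP writes) looks like the following. This is an added illustration, not configuration from any of the posters; the suffix dc=example,dc=com, the group and user DNs, and the file name grant-editor.ldif are made up for the example. The dn.subtree / dn.exact spellings are the OpenLDAP 2.1-and-later form of the `what` clause (2.0, current when the thread was written, used a regex in dn=). The `by group=` clause defaults to objectClass groupOfNames with the member attribute, and slapd reads the group entry at evaluation time, so a membership change takes effect on the next operation with no restart and no edit to slapd.conf.

```conf
# --- slapd.conf excerpt (static; read once at slapd startup) ---
# Rights are granted to groups, never to named people, so the rule set
# stays fixed while the people holding each right change.
# Rules are tested in order; the first "access to" whose target matches
# wins, and within it the first matching "by" clause decides.

# Project data: the editors group may write, other authenticated users
# may read, anonymous gets nothing (implicit "by * none").
access to dn.subtree="ou=Projects,dc=example,dc=com"
    by group="cn=ProjectEditors,ou=Groups,dc=example,dc=com" write
    by users read

# Delegation: the owners group may change who counts as an editor by
# writing the member attribute of the editors group. This is the only
# place that grant has to be expressed, and it is itself group-keyed.
access to dn.exact="cn=ProjectEditors,ou=Groups,dc=example,dc=com" attrs=member
    by group="cn=ProjectOwners,ou=Groups,dc=example,dc=com" write
    by users read

# Everything else: read for authenticated users only.
access to *
    by users read
    by * none

# --- grant-editor.ldif (dynamic; applied at run time) ---
# Applied over LDAP by a member of ProjectOwners, for example:
#   ldapmodify -x -D "uid=alice,ou=People,dc=example,dc=com" -W -f grant-editor.ldif
# bob gains write access to ou=Projects as soon as the modify commits;
# replacing "add" with "delete" revokes it the same way.
dn: cn=ProjectEditors,ou=Groups,dc=example,dc=com
changetype: modify
add: member
member: uid=bob,ou=People,dc=example,dc=com
```

Auditing "who can write project data" then reduces to reading one group entry plus the static rule that names it, which is the auditability advantage Howard raises. The caveat is the one the first poster gives: anything that needs a new rule rather than a new member (a new subtree with distinct rights, a new attribute that must be protected) still means editing slapd.conf and restarting slapd.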