
Re: Access control config revisited



> > Sorry I wasn't very clear.  I got the terms from the OpenLDAP
> > Admin User Guide 2.1 chapter 1.2.  I'm starting from the very
> > beginning.
> I was weaned on the X.500 style with CN, OU, O, C because that's what

Same here.  All the big-thick-print books used the X.500 style.

> Novell used for NDS - but by the time I started with Openldap I'd long
> become an Internet DNS person and found the Internet naming system with
> CN, UID, OU, O, DC etc to have wider application. For example, to take
> an X.500 DN ending with C=US is o.k., but if you want to map a group of
> directories for American universities, it'd be easier to have the last
> component as DC=EDU. Similarly, a group of directories British
> universities would end in DC=AC,DC=UK.

There are some serious advantages to ..dc=,dc= DN naming.
1. Server autolocation using DNS SRV records, minimizes client
configuration.
2. Automated referrals, also uses DNS SRV records.
3. Your DNs more closely resemble your Kerberos principals and realms.
Not critical, but that's one less string to allocate brain cells for.
4. Active Directory used the "dc" style, and eventually you'll probably
at least have to chat with one of those.
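As an added illustration (not from the original post or from OpenLDAP's own libldap), here is the DNS-to-"dc=" mapping behind points 1 and 2 in Python; the domain names are constructed, and the DN splitter is simplified and does not handle escaped commas in RDN values:

```python
# Added example: map between DNS domain names and dc=-style DNs (RFC 2247
# convention) and derive the SRV owner name (RFC 2782) a client would look up
# to autolocate a directory server. Sample domains below are constructed.

def domain_to_dn(domain: str) -> str:
    """'cam.ac.uk' -> 'dc=cam,dc=ac,dc=uk'. Trailing dot and case are normalised."""
    labels = [lbl for lbl in domain.strip().rstrip(".").lower().split(".") if lbl]
    if not labels:
        raise ValueError("empty domain name")
    return ",".join(f"dc={lbl}" for lbl in labels)


def dn_to_domain(dn: str) -> str:
    """Recover the DNS domain from the uninterrupted run of dc= RDNs that ends a DN.

    Leading non-dc RDNs (cn=, uid=, ou=, ...) are skipped. An X.500-style DN
    (o=..., c=US) has no dc= suffix and yields '' so the caller can tell that
    SRV-based autolocation is not possible for it.
    NOTE: splits on ',' only; escaped commas inside values are not handled.
    """
    rdns = [r.strip() for r in dn.split(",")]
    labels = []
    for rdn in reversed(rdns):  # walk from the root end of the DN inward
        attr, _, value = rdn.partition("=")
        if attr.strip().lower() != "dc":
            break
        labels.append(value.strip().lower())
    return ".".join(reversed(labels))


def ldap_srv_name(dn: str) -> str:
    """SRV record name to query for servers holding this DN: _ldap._tcp.<domain>."""
    domain = dn_to_domain(dn)
    if not domain:
        raise ValueError("DN has no dc= suffix; cannot autolocate via DNS SRV")
    return f"_ldap._tcp.{domain}"


if __name__ == "__main__":
    print(domain_to_dn("cam.ac.uk"))                       # dc=cam,dc=ac,dc=uk
    print(ldap_srv_name("uid=jdoe,ou=People,dc=example,dc=edu"))  # _ldap._tcp.example.edu
    print(repr(dn_to_domain("cn=jdoe,o=Example University,c=US")))  # ''
```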

Our DNs are X.500 style, just because that was how it was done at the
time and we've had a directory for a long time now (OpenLDAP 1.2.4 if I
recall correctly).  But of course, with back-meta, it isn't really a
problem to have both!


> > I have also looked at the O'Reilly book but the whole chapter
> > just on ACLs is not there.
> An awful lot of people would welcome comprehensive docs on Openldap
> ACLs.

I think the FAQ-O-Matic (an underused resource IMHO) has the best ACL
documentation.  And if you've configured firewall rules, router ACLs,
etc... OpenLDAP ACLs aren't really that much of a leap.
http://www.openldap.org/faq/data/cache/189.html