
Re: ACIs and OL 2.3

--On Wednesday, February 14, 2007 12:24 AM +0100 Pierangelo Masarati <ando@sys-net.it> wrote:

Alex Samad wrote:
On Tue, Feb 13, 2007 at 06:50:02PM +0100, Pierangelo Masarati wrote:
Turbo Fredriksson wrote:

I'm not quite sure how it is SUPPOSED to work, but from
my view, it's broken - ACI's don't work with re23 which is a
stable release... ? Using ACI's, I have to access to create
objects - that's what I see anyway...
Well, nobody knows how it's supposed to work, since the expected
behavior is undocumented.


Is there any doco on this? I don't know anything about it; could you
provide a pointer to some info?

Browse <http://www.openldap.org/faq/data/cache/1284.html> in general for OpenLDAP access control customization capabilities, and <http://www.openldap.org/faq/data/cache/758.html> for more details about ACIs. Note, that document is pretty old; something changed across time (which caused this thread, BTW). ACIs need to be documented; our reluctance also stems from the consideration that good documentation would encourage rather than discourage their use... anyway, volunteers are welcome.

I presume this is a way of applying ACLs to objects?

Yes (experimental, deprecated and discouraged).

I think this is the very important part here -- deprecated and discouraged. I'd argue that long term, ACI support should be removed entirely (perhaps for 2.5?). The entire concept of ACI's is broken.


Quanah Gibson-Mount
Principal Software Developer
ITS/Shared Application Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html