
Re: ACIs and OL 2.3



> I think this is the very important part here -- deprecated and discouraged.
> I'd argue that long term, ACI support should be removed entirely (perhaps for
> 2.5?).  The entire concept of ACI's is broken.
> 

Is it really so bad? I mean, I actually don't know, you're probably
right if you say so, anyway I'd really regret such a feature being
discontinued. I was testing it very long ago, and, despite its
complexity and its experimental flavour, the concept itself
was very exciting. I was hoping someday this would be implemented
in a tested/documented and stable version. Dynamic ACL would
probably be a really useful thing. Anyway, the actual implementation
is another point, maybe ACIs are not really the best possible,
I don't know. Do commercial directory service implementations
have such a feature or not? I bet they have. Maybe some
concept based on a special kind of db like cn=config, or cn=Monitor,
would do the work better than keeping dynacl with the entries
themselves?
Actually, regarding - conceptually - the unix/posix standard, if we compare
ldap entries simply to "virtual files" (note the "file" original meaning),
isn't it some kind of "dynamic acl", the way classic Unix file
privileges are stored? There are some bits describing privileges
and ownerships, which are actually stored _with_ files, aren't they?
Imagine that someone could say that "the entire privileges and
ownerships concept in Unix is broken", wouldn't that sound a little
bit, em, weird? :) Of course, there are concept limitations we
all know, and there are better or worse workarounds for them, actually
hundreds of extended acl things for various local and network
filesystems, anyway, despite limitations, what could do the work
better than such an (actually simple in its basics) concept?
Back to the ACIs - are they to be discontinued because people like
me didn't test them enough, and didn't provide enough feedback? :)
This would make me sad :/
Regards,
Piotr