
Re: ACIs and OL 2.3, rfc ?

Piotr Wadas wrote:
Regarding "broken ACI concept" - does any RFC speak about the concept of dynamically assigned privileges to LDAP directory entries? Or does it recommend avoiding such policies?

AFAIK, nothing made it into an RFC; what OpenLDAP's ACIs are (loosely) based on is <draft-ietf-ldapext-aci-model-0.3.txt>. Other implementors do have ACIs and, in some cases, they're the preferred means to control access. This doesn't mean ACIs have to be the preferred implementation of access control.

IMHO, the most appealing feature of ACIs is the fact that in principle access rules get replicated along with data. However, the lack of a standard defeats this purpose when getting to cross-implementation replication, migration and so on. Moreover, one might want to have different access rules for different shadows of the same database. Finally, right now access control on OpenLDAP's slapd can be modified without the need to stop and restart it, by means of cn=config; there is work in progress to allow configuration replication. As such, OpenLDAP offers better means to achieve the same purpose without ACIs, with the access determinism guaranteed by avoiding the use of ACIs.


Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.n.c.
Via Dossi, 8 - 27100 Pavia - ITALIA
Office:   +39.02.23998309
Mobile:   +39.333.4963172
Email:    pierangelo.masarati@sys-net.it
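As an added illustration of the cn=config approach mentioned in the reply (this is example LDIF written for this page, not code from the thread or from the OpenLDAP project): the following replaces the olcAccess rules of one database at run time, so no slapd restart is needed and the rules stay in the server configuration rather than in ACI attributes on the data entries. The backend index `{1}mdb`, the suffix `dc=example,dc=com` and the `cn=admins` group DN are assumptions.

```ldif
# Constructed example: rewrite the access rules of the {1}mdb database
# via cn=config.  Apply over the local socket as the root user, e.g.
#   ldapmodify -Y EXTERNAL -H ldapi:/// -f access.ldif
# and verify the result with
#   ldapsearch -Y EXTERNAL -H ldapi:/// -b olcDatabase={1}mdb,cn=config olcAccess
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
# {0}: password hashes are never readable; owners may change them,
# anonymous clients may only use them to bind.
olcAccess: {0}to attrs=userPassword
  by self write
  by anonymous auth
  by * none
# {1}: the assumed admins group maintains the people subtree,
# authenticated users may read it, anonymous clients get nothing.
olcAccess: {1}to dn.subtree="ou=people,dc=example,dc=com"
  by group.exact="cn=admins,ou=groups,dc=example,dc=com" write
  by users read
  by * none
# {2}: default for everything else; the last rule is the deny-by-default
# catch-all, since the first matching "to" clause wins.
olcAccess: {2}to *
  by users read
  by * none
```

Because the whole olcAccess list is replaced in one operation, rule order (the {n} prefixes) is explicit and reviewable, which is the access determinism the reply refers to.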