Re: ACIs and OL 2.3, rfc ?

Quoting Pierangelo Masarati <ando@sys-net.it>:

> Finally, right now access control on OpenLDAP's slapd can be
> modified without the need to stop and restart it, by means of
> cn=config;

Sounds cool. I'll have a look at it. But I gather that is just
ACLs in the database?

And the very concept of ACLs is worse than whatever you can think
of regarding ACIs.  If I want to give ONE user access to ONE
attribute in ONE object (and many such rules), then ACLs would
very quickly become ... unmanageable. With ACIs it's very obvious
and simple...

> there is work in progress to allow configuration
> replication.  As such, OpenLDAP offers better means to achieve the
> same purpose without ACIs, with the access determinism guaranteed by
> avoiding the use of ACIs.

I argue against the word 'same'. But the meaning of the exact word
I guess you're right, I'd say just _a lot_ more complicated/unmanageable
in the long run...