[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Atomicity of on-the-fly updates of ACL entries (using ldapmodify)?

To: Romain Komorn <rkomorn@dofc.org>
Subject: Re: Atomicity of on-the-fly updates of ACL entries (using ldapmodify)?
From: Aaron Richton <richton@nbcs.rutgers.edu>
Date: Mon, 5 Nov 2007 15:23:21 -0500 (EST)
Cc: openldap-software@openldap.org
In-reply-to: <20071105095848.D1412@certainty.dofc.org>
References: <20071105095848.D1412@certainty.dofc.org>

explicitly allowed by the directory. IMO, a client server being able to pick who should be allowed to log on defeats the purpose of centrally managed logins.

The principle of least access is a good one, and it's certainly valid to make sure that servers don't see more than they need to. But be wary of this influencing an ability to "pick who should be allowed." I'd claim that anybody that controls a server to the point where which entries are shown by the LDAP server are the effective limiting factor controls that server to the point where server-side vs. client-side filtering is the least of your worries.

To put it another way:
Filtering '(memberOf=magicRootPeople)' on client:/etc/ldap.conf,
 or filtering '(memberOf=magicRootPeople)' with an OpenLDAP ACL,
 is utterly irrelevant when somebody can ed /etc/nsswitch.conf and change
	it to "files."

Of course there's something to be said for onion layers and all that, and restricting visibility can be desirable for numerous reasons. But stopping you from

References:
- Atomicity of on-the-fly updates of ACL entries (using ldapmodify)?
  - From: Romain Komorn <rkomorn@dofc.org>

Prev by Date: Atomicity of on-the-fly updates of ACL entries (using ldapmodify)?
Next by Date: Re: Atomicity of on-the-fly updates of ACL entries (using ldapmodify)?
Index(es):
- Chronological
- Thread