
Re: Atomicity of on-the-fly updates of ACL entries (using ldapmodify)?



Romain Komorn wrote:
How atomic are changes made to database entries with the following type of
LDIFs:

dn: olcDatabase={1}bdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {100}to <what> by <who> read
olcAccess: {65000}to <what> by <who> none

Does ldapmodify simply add/remove attributes on the fly, or does it get
the whole entry, then update a new one in? This may become significant
if there are a large number of ACLs. If the update is not atomic, is there
a potential for problems if the list of ACLs becomes large (i.e.: 200
<whats> with an average of 10 <whos> each) ?

By definition, all updates in LDAP are atomic.

Background: The aim here is to leverage nss_ldap and olcAccess entries to
manage access to servers while maintaining control of which accounts
appear on which servers via OpenLDAP, rather than filters on the client
side. This is to prevent servers that have been misconfigured or
(maliciously) modified from being able to gain read access to user
entries other than the ones explicitly allowed by the directory. IMO, a
client server being able to pick who should be allowed to log on defeats
the purpose of centrally managed logins.

Agreed, nss_ldap is a broken design.

--
  -- Howard Chu
  Chief Architect, Symas Corp.  http://www.symas.com
  Director, Highland Sun        http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP     http://www.openldap.org/project/
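The atomicity answered above applies to a whole LDAP Modify request, so the way to rewrite a large olcAccess list without any half-updated window is to put the removal of the old values and the addition of the new ones into one request. The following is an added example, not code from this thread or from OpenLDAP: it builds such a single-request LDIF for a database entry, after checking that the rules carry strictly increasing {n} ordering prefixes and end in a default-deny rule. The DN, the rules and the "by * none" tail check are assumptions chosen for the example.

```python
"""Build one LDAP Modify request that replaces a database's olcAccess list.

RFC 4511 section 4.6 requires every modification in a single Modify request to
be performed as one atomic operation, so the delete-then-add sequence below can
never leave the entry with a partially updated ACL list.  Added example code;
the DN and rules are constructed sample values, not taken from the thread.
"""
import re

# OpenLDAP orders olcAccess values by the leading {n} prefix.
ACL_INDEX = re.compile(r"^\{(\d+)\}")


def check_acl_order(rules):
    """Return the {n} indices of the rules.

    Raises ValueError when a rule has no prefix, when the indices are not
    strictly increasing, or when the last rule is not a default-deny
    'by * none' rule (an assumed local convention, not an OpenLDAP rule).
    """
    indices = []
    for rule in rules:
        match = ACL_INDEX.match(rule)
        if not match:
            raise ValueError(f"rule lacks {{n}} ordering prefix: {rule}")
        n = int(match.group(1))
        if indices and n <= indices[-1]:
            raise ValueError(f"index {n} not greater than previous {indices[-1]}")
        indices.append(n)
    if not rules or not rules[-1].rstrip().endswith("by * none"):
        raise ValueError("last rule must be a default-deny 'by * none' rule")
    return indices


def build_olcaccess_modify(dn, rules):
    """Return LDIF text for a single Modify request swapping all olcAccess values.

    Two modifications ('delete' of every existing value, then 'add' of the new
    set) are listed in one changetype: modify record, each terminated by a '-'
    line as RFC 2849 specifies.  'replace: olcAccess' would also be atomic and,
    unlike 'delete', would not fail on an entry that has no olcAccess yet.
    olcAccess values start with '{', so no base64 ('::') encoding is needed.
    """
    check_acl_order(rules)
    lines = [
        f"dn: {dn}",
        "changetype: modify",
        "delete: olcAccess",
        "-",
        "add: olcAccess",
    ]
    lines += [f"olcAccess: {rule}" for rule in rules]
    lines.append("-")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample: the DN from the thread with three example rules.
    sample_rules = [
        "{0}to attrs=userPassword by self write by * auth",
        "{1}to * by users read",
        "{2}to * by * none",
    ]
    print(build_olcaccess_modify("olcDatabase={1}bdb,cn=config", sample_rules), end="")
```

The printed LDIF is what would be fed to `ldapmodify`; because both modifications travel in one request, slapd either applies the complete new list or rejects the whole change, so a read of olcAccess never observes the old rules with some new ones mixed in.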