[Date Prev][Date Next] [Chronological] [Thread] [Top]

Schema change for olcAccess rules.

Perhaps this is more of a development question than a usage question, but I thought this would be a decent forum to see if the idea gets any feedback (positive or negative).

I don't know how much others manipulate their olcAccess, or even if most people just maintain them in slapd.conf and restart slapd when necessary. I'm treating olcAccess entries more or less like firewall rules, adding and removing on the fly, thanks to the olcAccess attributes in backend DB definitions.

To me, it would seem a lot more convenient if the olcAccess in the backend DB definition pointed to a objectClass groupOfOlcAccess (for lack fo a better term). Each entry would have a single <what> attribute, and multiple "<who> <access>" attributes. For example (in incorrect pseudo-LDIF format):

dn: olcDatabase={1}bdb
objectClass: olcDatabaseConfig
objectClass: olcBdbConfig
olcDatabase: {1}bdb
olcAccessList: ou=bdb1OlcAccessList


dn: ou=bdb1OlcAccessList
ou: bdb1OlcAccessList
objectClass: groupOfOlcAccess


dn: cn=olc1,ou=bdb1OlcAccess
cn: olc1
objectClass: olcAccess
what: ou=people,dc=domain
whoaccess: {1}group="cn=readgroup,dc=domain" read
whoaccess: {2}cn="ldapadmin,dc=domain" write
whoaccess: {3}* none


Obviously, how useful this kind of change would be depends on how often people update their ACLs. In my case, I can see it happening often enough that I'd prefer to add/delete cn's or "whoaccess" attributes, rather than editing olcAccess attributes in the backend config. I'd want the backend config to be fairly static, as opposed to the ACLs in my environment which would be fairly dynamic.

Feel free to tell me it's a terrible idea. I may not know enough background information about how slapd works and how this type of schema change would affect performance.

Romain Komorn