[Date Prev][Date Next]
Re: role based authorization -> dynacl module?
On 04/25/2018 11:58 AM, Michael Ströder wrote:
> Daniel Tröder wrote:
>> The product is not new, but exists for some years now
>> (https://www.univention.com/products/ucsschool/). It is completely
>> open source and free as in beer (except support ofc).
>> The LDAP tree is replicated from the master to >=1 LDAP slave per
>> school. All of a schools LDAP objects are in a ou=.. subtree.
>> For security reasons the replication to the LDAP servers in the school
>> slaves is "selective": only global (above ou=..) objects and their own
>> OU subtree is replicated to each slave. With the exception of user
>> objects, which can "belong" to multiple schools (OUs) by having them
>> listed in a "school" attribute (and their groups as well). The ACLs
>> are written so that user objects and their references (groups) can
>> also be replicated to those "additional" OUs.
> Frankly I fail to understand how you securely handle cross-OU references
> and partial replication of OUs.
Fun like this:
# Lehrer, Mitarbeiter und OU-Admins duerfen Schueler-Passwoerter aendern
access to filter="objectClass=ucsschoolStudent"
by set="this/ucsschoolSchool &
by * +0 break
root@m65:/etc/ldap# grep 'access to' slapd.conf | wc -l
root@m65:/etc/ldap# grep 'by set' slapd.conf | wc -l
> The other stuff pretty much sounds like what Æ-DIR is implementing with
> set-based ACLs (replace your "school/OU" by Æ-DIR's zone).
Yes - I'm very intrigued by Æ-DIR!
> But as said: Sets are really slow. I'm curious to hear whether your
> dynacl module is faster than an equivalent set-based ACL approach.
Yes... we have customers with >100.000 objects and when a query has to
many constraints it can take several minutes to complete. We are now
trying to get the dynacl module to replace as much set-ACLs as possible
and comparing query speed. For now the motto is "not be slower" :) while
gaining simplicity and extensibility. I'll keep you posted, and ofc
it'll be open source :)