(Answer) Two access control configuration methods
OpenLDAP 2.0 contains two methods for specifying access control. The first is static, i.e. you define the rights in configuration files. This approach is very much like the one in older versions of OpenLDAP and in the slapd from the University of Michigan, so you may feel at home with it soon. Two other advantages of this method are that it should be more efficient in most cases and that the rules, being static, cannot be changed by external means using LDAP, so it should be more secure. The main point against this method from a security point of view is that access control does not travel with the data, so you have to make sure that all your replicas implement a consistent security policy: if you change the access controls on the master, you have to go and modify all the slaves. From an operational point of view, the problem with this method is that it needs a server restart at every ACL change.
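
One way to check the replica-consistency point above, as an added example that is not OpenLDAP's own code: parse the ordered `access to` directives out of two slapd.conf-style texts (master and replica) and report every position where they differ. The two configuration fragments are constructed samples; the rule syntax follows the slapd.conf convention that lines beginning with whitespace continue the previous directive.

```python
# Added example (not OpenLDAP code): extract the ordered 'access to' rules
# from two slapd.conf-style texts and report where a replica has drifted.
# Both configs below are constructed samples.
from itertools import zip_longest

MASTER_CONF = """\
suffix "dc=example,dc=com"
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none
access to *
    by * read
"""

REPLICA_CONF = """\
suffix "dc=example,dc=com"
access to attrs=userPassword
    by self write
    by * read
access to *
    by * read
"""

def acl_directives(conf_text):
    # slapd.conf folds lines that start with whitespace into the previous
    # directive; comments and blank lines are ignored. Returns the list of
    # 'access ...' directives, whitespace-normalised, in file order.
    directives, current = [], None
    for line in conf_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace():           # continuation of the previous directive
            if current is not None:
                current.append(line.strip())
            continue
        if current is not None:         # previous access directive is complete
            directives.append(" ".join(current))
        current = [line.strip()] if line.startswith("access ") else None
    if current is not None:
        directives.append(" ".join(current))
    return [" ".join(d.split()) for d in directives]

def acl_drift(master_conf, replica_conf):
    # Compare position by position: slapd applies the first matching 'access
    # to' clause, so a rule that moved is as much a drift as one that changed.
    pairs = zip_longest(acl_directives(master_conf), acl_directives(replica_conf))
    return [(i, a, b) for i, (a, b) in enumerate(pairs) if a != b]
```

Calling `acl_drift(MASTER_CONF, REPLICA_CONF)` on the samples flags rule 0: the replica grants `by * read` on userPassword where the master denies it.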

The second method for access control stores the access control information inside the directory itself. The advantage is that the access control rules now get propagated by the replication process. Unfortunately, the standard for doing this in a way that is interoperable between servers of different vendors (this did not matter in the static configuration case) has not been finished and exists only as an Internet Draft (i.e. no RFC has been published, and the specification might never gain enough consensus for an RFC to be published at all). OpenLDAP 2.0 implements the proposed draft only in part and will try to track changes to it. That means that, as the draft changes, the access control information you so carefully defined in your directory may suddenly mean something completely different from what you intended. For this reason, this method is not available by default and requires configuring with --enable-aci. In other words, we recommend not using this method at present. Also note that the ACI model currently being considered may be difficult to implement as efficiently as the static method, and that unauthorized access to the ACI information may permit attackers to gain additional permissions on the directory itself, so you will probably have to take extra care with the access rights you grant. See also (Xref) ACI.

This document is: http://www.openldap.org/faq/index.cgi?file=448
© Copyright 1998-2013, OpenLDAP Foundation, info@OpenLDAP.org