Re: dynamic ACLs

On Sat, Sep 08, 2001 at 09:31:54PM -0700, Howard Chu wrote:
> I personally grew up on systems that supported ACLs and I'm very comfortable
> using them, but I don't see any actual *need* for them. You can achieve
> pretty good dynamic access control by defining a good set of static rules
> and assigning privileges to groups - your dynamic control arises from
> dynamically controlling the group memberships. Algebraically the two
> approaches are equivalent.

Yes, this works pretty well. What I miss the most perhaps is a way to
change the rules in slapd.conf without restarting the server. It would
be neat if slapd could use a signal to tell it to reread slapd.conf, at
least the ACLs. I suppose I can implement it if I really want it... I
suspect there might be some issues regarding how updated rules should
affect existing connections. 

Another idea that popped into my head was to store the ACLs we use today
in the directory and have dynamic update of those. This is not that much
more complex than the first idea.

I'm not sure if it's worth pursuing this, or if I should rather go
straight for the full-blown ACI solution.
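
The group-based approach from the quoted paragraph, sketched as an added example that is not part of the original thread. All DNs are constructed placeholders, and the `dn.subtree` / `group.exact` forms assume the ACL syntax of later OpenLDAP 2.x releases rather than the version under discussion.

```conf
# slapd.conf fragment (constructed example; every DN is a placeholder).

# Let clients bind, and let users change their own password.
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none

# The group entries are now the real access-control data: whoever can
# write "member" here can grant themselves the privileges below, so
# writes are limited to a separate admin group.
access to dn.subtree="ou=Groups,dc=example,dc=com"
    by group.exact="cn=Directory Admins,ou=Groups,dc=example,dc=com" write
    by users read
    by * none

# Static rule: write access follows membership of one group
# (a groupOfNames entry with "member" values, the default for "group").
access to dn.subtree="ou=People,dc=example,dc=com"
    by group.exact="cn=People Editors,ou=Groups,dc=example,dc=com" write
    by users read
    by * none

# Dynamic part: an ordinary LDAP modify on the group entry, sent with
# ldapmodify while slapd keeps running. LDIF shown as comments:
#
#   dn: cn=People Editors,ou=Groups,dc=example,dc=com
#   changetype: modify
#   add: member
#   member: uid=alice,ou=People,dc=example,dc=com
#
# Revoking is the same operation with "delete: member".
```

Membership is checked when each request is evaluated, so the change takes effect without touching slapd.conf or restarting the server.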