RE: dynamic ACLs

> -----Original Message-----
> From: Stig Venaas [mailto:Stig@OpenLDAP.org]

> Yes, this works pretty well. What I miss the most perhaps is a way to
> change the rules in slapd.conf without restarting the server. It would
> be neat if slapd could use a signal to tell it to reread slapd.conf, at
> least the ACLs. I suppose I can implement it if I really want it... I
> suspect there might be some issues regarding how updated rules should
> affect existing connections.
> Another idea that popped into my head was to store the ACLs we use today
> in the directory and have dynamic update of those. This is not that much
> more complex than the first idea.
> I'm not sure if it's worth pursuing this, or if I should rather go
> straight for the full-blown ACI solution.

I've toyed with this idea myself for a while - a backend that is an
to slapd.conf, so that it presents clauses in the config file as objects in
the DIT. Modifying attributes/entries in this backend would rewrite the file
and invoke the parser on the modified clause. As I see it, there's no
reason why slapd cannot have dynamically modified schema, ACLs, anything
once you provide dynamic access to the parsing routines.

There are some confusing issues here though; if you allow backends to be
and removed, various other attributes that maybe shouldn't be messed with...

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc