
RE: dynamic ACLs



> -----Original Message-----
> From: Stig Venaas [mailto:Stig@OpenLDAP.org]

> Yes, this works pretty well. What I miss the most perhaps is a way to
> change the rules in slapd.conf without restarting the server. It would
> be neat if slapd could use a signal to tell it to reread slapd.conf, at
> least the ACLs. I suppose I can implement it if I really want it... I
> suspect there might be some issues regarding how updated rules should
> affect existing connections.
>
> Another idea that popped into my head was to store the ACLs we use today
> in the directory and have dynamic update of those. This is not that much
> more complex than the first idea.
>
> I'm not sure if it's worth pursuing this, or if I should rather go
> straight for the full blown ACI solution.

I've toyed with this idea myself for a while - a backend that is an interface
to slapd.conf, so that it presents clauses in the config file as objects in
the DIT. Modifying attributes/entries in this backend would rewrite the file
and invoke the parser on the modified clause. As I see it, there's no technical
reason why slapd cannot have dynamically modified schema, acls, anything else,
once you provide dynamic access to the parsing routines.

There are some confusing issues here though; if you allow backends to be defined
and removed, various other attributes that maybe shouldn't be messed with...

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
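The config-as-DIT idea above, as an added toy model (not OpenLDAP code and not from either poster): ACL clauses are held as objects, modifying one validates the new clause, rewrites the config text and re-parses only that clause, and lookups follow slapd's first-match rule. The `access to <what> by <who> <level>` line shape is slapd.conf's; the `what`/`who` matching here is a deliberate simplification (exact string or `*`).

```python
"""Toy model of dynamic ACL clauses exposed as objects (constructed example)."""
import re

# Simplified slapd.conf access line: access to <what> by <who> <level> [by ...]
ACCESS_RE = re.compile(r'^access to (\S+)((?: by \S+ \S+)+)$')
LEVELS = ('none', 'auth', 'compare', 'search', 'read', 'write')


def parse_clause(line):
    """Parse one access line into the 'object' the backend would present."""
    m = ACCESS_RE.match(line.strip())
    if not m:
        raise ValueError('bad access clause: %r' % line)
    by = re.findall(r' by (\S+) (\S+)', m.group(2))
    for _, level in by:
        if level not in LEVELS:
            raise ValueError('unknown access level: %s' % level)
    return {'what': m.group(1), 'by': by}


def render_clause(obj):
    """Serialize the object back into a config line (the 'rewrite the file' step)."""
    return 'access to %s%s' % (obj['what'], ''.join(' by %s %s' % b for b in obj['by']))


class AclConfig:
    """Config text and its parsed clauses, kept in step with each other."""

    def __init__(self, text):
        self.lines = [l for l in text.splitlines() if l.strip()]
        self.clauses = [parse_clause(l) for l in self.lines]

    def modify(self, index, obj):
        """Replace clause `index`; a clause that fails to parse changes nothing."""
        line = render_clause(obj)
        parsed = parse_clause(line)  # validate before touching text or rules
        self.lines[index] = line
        self.clauses[index] = parsed

    def text(self):
        return '\n'.join(self.lines) + '\n'

    def access_for(self, what, who):
        """First matching clause wins; no matching 'by' means no access."""
        for clause in self.clauses:
            if clause['what'] in ('*', what):
                for w, level in clause['by']:
                    if w in ('*', who):
                        return level
                return 'none'
        return 'none'
```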