
RE: dynamic ACLs



I do not see dynamic ACLs and dynamically controlled group memberships as
equal, ESPECIALLY since there is no nesting of groups.

I do see inheritable (and well documented) ACIs as being functionally
equivalent to dynamic ACLs. However, neither of those is equivalent to
what we have today.

This is a short list of things that can not be done on the fly:

If a new object is created that needs distinct rights, too bad.
If a new group is created that requires distinct rights, too bad.
If new schema attributes are added that require rights definitions, too bad.
If any change occurs to the schema that alters existing definitions, too bad.
If you want to replicate access controls through slurpd, too bad.
If you want to delegate who has access to access controls, too bad.
If you want to use the LDAP API to change rights, too bad.
If you are not given root access to EACH AND EVERY openldap server, too bad.
If you want to make any of the above changes and not kill all your sockets, too bad.

These are the types of functions that I need. I get frustrated by the
status quo being "well, we like what we have since it does what we
need." This is not my case, but unfortunately I can't code C.

I think making a signal to reload slapd.conf on the fly would be a great
improvement. Even for something as simple as changing log levels; I
usually disable logging during normal operations. To debug, I need to
restart slapd, restart qmail-ldap, restart courier-imap, etc., just to
enable logging. Then, to disable....

Kevin


-----Original Message-----
From: Howard Chu [mailto:hyc@highlandsun.com]
Sent: Saturday, September 08, 2001 11:32 PM
To: Dane Foster; openldap-software@OpenLDAP.org
Subject: RE: dynamic ACLs


Some offhand comments...

There is of course interest in implementing dynamic ACLs. Search through
the archives for "ACI" and you should find plenty of discussion on the
topic, as well as the current state of that code.

I personally grew up on systems that supported ACLs and I'm very
comfortable using them, but I don't see any actual *need* for them. You
can achieve pretty good dynamic access control by defining a good set of
static rules and assigning privileges to groups - your dynamic control
arises from dynamically controlling the group memberships. Algebraically
the two approaches are equivalent.

From a convenience perspective I see the current static ACL situation as
a flaw, but from a security perspective I don't think it's so bad. In
fact I think it's a security advantage - if you have an environment where
access control is changed so frequently that dynamic definition is an
absolute requirement, then in my opinion you're wasting your time because
your system is no longer secure to begin with. One distinct advantage of
defining all ACLs in a static file is that it is feasible, pretty much
trivial, to audit the security of your directory, and analyze who has
access to what. It becomes more and more difficult to perform this kind
of audit and analysis as you distribute the access control information
and delegate the access control administration.

From another perspective - an LDAP directory is not a filesystem - it is
not intended for general storage of both private and shared material. By
and large, the reason you store things in an LDAP directory is to share
them. As such, if you find yourself needing all of the security
flexibility that you're accustomed to in a filesystem context, I believe
you're misusing the technology.

Obviously this is all my personal opinion. From a perspective of design
elegance, it makes sense to me that the access control information should
be distributed and as easily accessible and manageable as the actual data
objects. This is a feature of the original X.500 spec as well, and it's
logical to support it. But when you leave the abstract world of design
and get into the harsh reality of implementation, perspectives change,
and what seemed like a good idea at first turns out to have many
unforeseen complexities and drawbacks. There are performance issues,
security issues, etc. etc. etc...

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc

> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Dane Foster
> Sent: Saturday, September 08, 2001 4:59 PM
> To: openldap-software@OpenLDAP.org
> Subject: dynamic ACLs
>
>
> Hello all.  I'm new to the OpenLDAP list (subscribed today) and new to
> LDAP in general.  I'm currently involved in projects that require the
> implementation of a directory service.  After doing massive amounts of
> reading I believe I have a half-way decent idea of what LDAP is and more
> importantly how it can and will fit into the projects that we (my
> employer) are involved in.  After much web-surfing/research I have
> concluded that OpenLDAP is my best option for satisfying our directory
> requirements.  The primary reason for OpenLDAP's selection is it has the
> best price/performance (it's free and stable) ratio of any LDAP
> implementation that I researched.  That being said, there is one major
> shortcoming that I found in OpenLDAP that directly affects our directory
> service; you cannot do on the fly ACL additions or modifications.  As
> part of my research I dug into LDAP.org's mailing list archives.  What I
> couldn't find in the archives was any concrete direction regarding
> implementing a more dynamic ACL architecture.  Unfortunately, I'm not a
> C programmer (I do Java) so I'm unable to contribute via C code.  It
> seems that if I, or anyone for that matter, want dynamic ACL in
> OpenLDAP, it will have to happen at the application level instead of in
> OpenLDAP.
> Due to the needs of an extranet application I'm involved in, dynamic ACL
> is a must.  I'm currently thinking about creating a lightweight Java
> library that I will be able to drop into any -java- application that
> needs dynamic ACL capability.  This brings me to the core reason for
> posting this message: I would like to know if there are other Java
> developers on this list who need the same or similar functionality and
> would like to _informally_ participate in developing such a library?
> Please note the emphasis on informal.  I have no interest in incurring
> the overhead of a full-blown project for two reasons: (1) I don't have
> the time because my hands are full and (2) I don't think the solution
> requires it.  If no one is interested that is fine with me, but at a
> minimum I hope to inspire discussion on how to satisfy the need for
> dynamic ACL capability in OpenLDAP.
>
> Thanx for reading :-)
>
> Dane Foster
> Equity Technology Group, Inc
> http://www.equitytg.com.
> 954.360.9800
>
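Howard's argument above (a static rule set plus dynamically managed group membership gives you dynamic access control, and a static file keeps the "who has access to what" audit trivial) can be exercised offline. The script below is an added example written for this thread; it is not OpenLDAP's code and not code from any of the posters. It implements slapd's first-match evaluation order for a constructed subset of the `access to ... by ...` syntax and runs an audit over a constructed ACL set and directory. Assumptions: the `dn.subtree=`/`dn.exact=` target spelling is from OpenLDAP releases newer than the 2.0 series being discussed; the names `alice`, `bob`, `Apollo`, `ProjectAdmins`, `ProjectReaders` and the `dc=example,dc=com` suffix are made up; and, matching Kevin's point, groups do not nest.

```python
"""Offline evaluator/auditor for a small subset of slapd.conf 'access' rules.

Added example, not OpenLDAP's code or any poster's. Models slapd's first-match
ACL semantics for: access to * | dn.exact="<dn>" | dn.subtree="<dn>" [attrs=a,b]
  by * | anonymous | users | self | dn="<dn>" | group="<dn>" <level>
(dn.subtree/dn.exact spelling is from releases newer than the 2.0 series in the
thread; assumption). Not modelled: rootdn, regex targets, nested groups.
"""
import shlex

# slapd access levels, weakest to strongest; a granted level implies the lower ones
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

# Constructed ACL set in slapd.conf style (sample data, not a real deployment)
SAMPLE_ACL = """\
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none
access to dn.subtree="ou=Projects,dc=example,dc=com"
    by group="cn=ProjectAdmins,ou=Groups,dc=example,dc=com" write
    by group="cn=ProjectReaders,ou=Groups,dc=example,dc=com" read
    by * none
access to *
    by users read
    by * auth
"""

def _norm(dn):
    return None if dn is None else dn.lower()   # LDAP DNs compare case-insensitively

def parse_acl(text):
    """Parse 'access to ... by ...' lines into [{'what': ..., 'by': [(who, level)]}]."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tok = shlex.split(line)               # also strips the quotes around DNs
        if tok[:2] == ["access", "to"] and len(tok) > 2:
            rules.append({"what": _parse_what(tok[2:]), "by": []})
        elif tok[0] == "by" and len(tok) == 3 and rules and tok[2] in LEVELS:
            rules[-1]["by"].append((tok[1], tok[2]))
        else:
            raise ValueError(f"unrecognised ACL line: {raw}")
    return rules

def _parse_what(tokens):
    what = {"subtree": None, "exact": None, "attrs": None}
    for t in tokens:
        key, _, val = t.partition("=")
        if t == "*":
            continue
        if key == "dn.subtree":
            what["subtree"] = _norm(val)
        elif key in ("dn.exact", "dn"):
            what["exact"] = _norm(val)
        elif key in ("attrs", "attr"):
            what["attrs"] = {a.lower() for a in val.split(",")}
        else:
            raise ValueError(f"unsupported target clause {t!r}")
    return what

def _target_matches(what, dn, attr):
    dn = _norm(dn)
    if what["exact"] is not None and dn != what["exact"]:
        return False
    sub = what["subtree"]
    if sub is not None and dn != sub and not dn.endswith("," + sub):
        return False
    if what["attrs"] is not None:   # entry-level requests never match attribute rules
        return attr is not None and attr.lower() in what["attrs"]
    return True

def _subject_matches(who, requester, dn, groups):
    req = _norm(requester)
    if who == "*":
        return True
    if who in ("anonymous", "users"):
        return (req is None) == (who == "anonymous")
    if who == "self":
        return req is not None and req == _norm(dn)
    key, _, val = who.partition("=")
    if key in ("dn", "dn.exact"):
        return req == _norm(val)
    if key == "group":
        for gdn, members in groups.items():
            if _norm(gdn) == _norm(val):
                return req in {_norm(m) for m in members}
        return False
    raise ValueError(f"unsupported subject clause {who!r}")

def granted_level(rules, groups, requester, dn, attr=None):
    """First matching 'to', then first matching 'by'; a matching 'to' with no
    matching 'by' denies (implicit 'by * none'). No rules at all means slapd's
    documented default of 'access to * by * read'."""
    if not rules:
        return "read"
    for rule in rules:
        if _target_matches(rule["what"], dn, attr):
            for who, level in rule["by"]:
                if _subject_matches(who, requester, dn, groups):
                    return level
            return "none"
    return "none"

def audit(rules, groups, subjects, targets):
    """The 'who has access to what' table: one (subject, dn, attr, level) per grant."""
    return [(s or "anonymous", dn, a or "(entry)", lvl)
            for dn, a in targets for s in subjects
            if (lvl := granted_level(rules, groups, s, dn, a)) != "none"]

# Constructed directory names; the ACL text above never changes, only the groups do
ALICE = "cn=alice,ou=People,dc=example,dc=com"
BOB = "cn=bob,ou=People,dc=example,dc=com"
PROJECT = "cn=Apollo,ou=Projects,dc=example,dc=com"
ADMINS = "cn=ProjectAdmins,ou=Groups,dc=example,dc=com"
READERS = "cn=ProjectReaders,ou=Groups,dc=example,dc=com"

def demo():
    """Bob gains read on the project purely by a membership change (no slapd restart)."""
    rules = parse_acl(SAMPLE_ACL)
    groups = {ADMINS: [ALICE], READERS: []}
    before = granted_level(rules, groups, BOB, PROJECT, "description")
    groups[READERS].append(BOB)   # what an ldapmodify adding a 'member' value would do
    after = granted_level(rules, groups, BOB, PROJECT, "description")
    return before, after

if __name__ == "__main__":
    print(demo())
    for row in audit(parse_acl(SAMPLE_ACL), {ADMINS: [ALICE], READERS: [BOB]},
                     [ALICE, BOB, None], [(PROJECT, "description"), (ALICE, "userPassword"), (BOB, None)]):
        print(row)
```

Two things the run makes visible that the prose alone does not: first-match order means Bob's project read grant never leaks into `userPassword`, because the attribute rule is matched before the subtree rule; and the audit table is a pure function of the rule text plus the current membership, which is exactly why Howard calls the static-file audit trivial and why Kevin's missing pieces (new objects or groups needing rights not already expressed in the file) cannot be fixed by membership changes alone.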