
Re: objectClass names in ACLs



<quote who="Thierry Lacoste">
> Hello,
>
> After careful testing I came up with explicit ACLs.
> For example I have:
>
> access to dn.one="ou=Groups,o=test"
>    attrs=entry,objectClass,gidNumber,cn,memberUid
>       by dn.exact="cn=smbldapmgr,ou=Managers,o=test" write
>       by * read
>
> access to dn.one="ou=Groups,o=test"
>    attrs=sambaSID,sambaGroupType,displayName
>       by dn.exact="cn=smbldapmgr,ou=Managers,o=test" write
>       by dn.exact="cn=sambamgr,ou=Managers,o=test" read
>       by * none
>
> Then I saw that I can use an objectClass name as a shorthand for all
> the attributes in the class. Here I could use:
>
> access to dn.one="ou=Groups,o=test"
>    attrs=entry,objectClass,posixGroup
>       by dn.exact="cn=smbldapmgr,ou=Managers,o=test" write
>       by * read
>
> access to dn.one="ou=Groups,o=test"
>    attrs=sambaGroupMapping
>       by dn.exact="cn=smbldapmgr,ou=Managers,o=test" write
>       by dn.exact="cn=sambamgr,ou=Managers,o=test" read
>       by * none
>
> I like the explicit form because it requires one to know exactly what
> is needed and it gives access to no more than that.
> Are there advantages to the short form (performance, readability,
> ease of maintenance and/or evolution)?

Hi,

Performance:

You can test both versions by turning ACL logging on and watching the
logs, or by starting slapd with -d and the correct level for ACLs (I don't have
access to this number from here).

Readability:

Explicit version; again, it would indicate exactly what your intentions are.

Maintenance:

Depends on the level of knowledge the maintainer has.

>
> What about attributes like gidNumber which are in both classes?
> I guess that if I swap the two short ACLs I change the access to
> gidNumber.
> Am I right?
>
> With the short form should I protect explicitly attributes (like userPassword
> of posixGroup) which do not appear currently in my directory but may be
> added later?

To be honest, if you are using the dynamic configuration backend, you can
change all of these access levels on the fly, so don't waste too much time
worrying about it. Get it right first, have a dev/test/prod (or more)
environment etc. and go from there.

-- 
Kind Regards,

Gavin Henry.
Managing Director.

T +44 (0) 1224 279484
M +44 (0) 7930 323266
F +44 (0) 1224 824887
E ghenry@suretecsystems.com

Open Source. Open Solutions(tm).

http://www.suretecsystems.com/
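The question about gidNumber (an attribute that belongs to both posixGroup and sambaGroupMapping) and about userPassword comes down to slapd's first-match rule: the first `access to` clause whose attribute set contains the attribute decides, and within it the first matching `by` clause decides. The toy evaluator below is an added example for this thread, not code from either poster or from OpenLDAP. It assumes the objectClass-to-attribute expansions given in the code, taken from the standard nis.schema (posixGroup) and samba.schema (sambaGroupMapping) definitions, and it models slapd's behaviour of denying access when no `access` clause matches once any ACL is configured. The DNs are the ones quoted above.

```python
"""Toy first-match evaluator for slapd-style attrs= ACLs (added example)."""

# Assumed expansion of objectClass names into their MUST + MAY attributes,
# following nis.schema (posixGroup) and samba.schema (sambaGroupMapping).
OBJECTCLASS_ATTRS = {
    "posixGroup": {"cn", "gidNumber", "userPassword", "memberUid", "description"},
    "sambaGroupMapping": {"gidNumber", "sambaSID", "sambaGroupType",
                          "displayName", "description", "sambaSIDList"},
}

# Requestor DNs as quoted in the thread; "*" stands for "by *" (anyone).
SMBLDAPMGR = "cn=smbldapmgr,ou=Managers,o=test"
SAMBAMGR = "cn=sambamgr,ou=Managers,o=test"
ANYONE = "cn=someone,ou=People,o=test"  # constructed: a requestor with no special rights


def expand_attrs(attrs):
    """Expand objectClass names in an attrs= list into plain attribute names."""
    expanded = set()
    for name in attrs:
        expanded |= OBJECTCLASS_ATTRS.get(name, {name})
    return expanded


# Each ACL: (attrs list, ordered list of (who, level)) for one dn.one scope.
EXPLICIT_FORM = [
    (["entry", "objectClass", "gidNumber", "cn", "memberUid"],
     [(SMBLDAPMGR, "write"), ("*", "read")]),
    (["sambaSID", "sambaGroupType", "displayName"],
     [(SMBLDAPMGR, "write"), (SAMBAMGR, "read"), ("*", "none")]),
]

SHORT_FORM = [
    (["entry", "objectClass", "posixGroup"],
     [(SMBLDAPMGR, "write"), ("*", "read")]),
    (["sambaGroupMapping"],
     [(SMBLDAPMGR, "write"), (SAMBAMGR, "read"), ("*", "none")]),
]


def evaluate(acls, attr, who):
    """Return the access level `who` gets to `attr` under first-match semantics.

    The first access clause covering `attr` is used; inside it, the first
    `by` clause matching `who` is used. No match at either level means none.
    """
    for attrs, by_clauses in acls:
        if attr in expand_attrs(attrs):
            for subject, level in by_clauses:
                if subject == "*" or subject == who:
                    return level
            return "none"  # implicit trailing "by * none" inside the clause
    return "none"  # no clause matched: slapd denies once ACLs are configured


def overlap(acls):
    """Attributes covered by more than one clause: their access depends on order."""
    seen, shared = set(), set()
    for attrs, _ in acls:
        for attr in expand_attrs(attrs):
            (shared if attr in seen else seen).add(attr)
    return shared


def compare_orderings(attr, who):
    """Access to `attr` for `who` with the short ACLs as posted and swapped."""
    return evaluate(SHORT_FORM, attr, who), evaluate(SHORT_FORM[::-1], attr, who)


if __name__ == "__main__":
    print("attributes whose access depends on clause order:", sorted(overlap(SHORT_FORM)))
    print("gidNumber for anyone (posted order, swapped):", compare_orderings("gidNumber", ANYONE))
    print("userPassword for anyone, short form:", evaluate(SHORT_FORM, "userPassword", ANYONE))
    print("userPassword for anyone, explicit form:", evaluate(EXPLICIT_FORM, "userPassword", ANYONE))
```

Running it confirms the poster's suspicion: gidNumber (and description) sit in both expansions, so swapping the two short-form clauses moves anyone's access to gidNumber from read to none. It also shows why the short form needs the userPassword protection the poster asks about: the posixGroup expansion already grants world read on userPassword even though no group entry carries it yet, while the explicit form leaves it unmatched and therefore denied. For checking the real server, the slapd.conf log level that traces this evaluation is `loglevel acl` (128).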