[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: role based authorization -> dynacl module?

Daniel Tröder wrote:
> The product is not new, but exists for some years now
> (https://www.univention.com/products/ucsschool/). It is completely
> open source and free as in beer (except support ofc).
> The LDAP tree is replicated from the master to >=1 LDAP slave per
> school. All of a schools LDAP objects are in a ou=.. subtree.
> For security reasons the replication to the LDAP servers in the school
> slaves is "selective": only global (above ou=..) objects and their own
> OU subtree is replicated to each slave. With the exception of user
> objects, which can "belong" to multiple schools (OUs) by having them
> listed in a "school" attribute (and their groups as well). The ACLs
> are written so that user objects and their references (groups) can
> also be replicated to those "additional" OUs.

Frankly I fail to understand how you securely handle cross-OU references
and partial replication of OUs.

The other stuff pretty much sounds like what Æ-DIR is implementing with
set-based ACLs (replace your "school/OU" by Æ-DIR's zone).

But as said: Sets are really slow. I'm curious to hear whether your
dynacl module is faster than an equivalent set-based ACL approach.

Ciao, Michael.