--On Monday, March 22, 2010 12:41 PM +0000 kean.johnston(a)gmail.com wrote:
> Authorization is the job of the ACL engine. Putting ad-hoc rules in
> user entries is, in a word, stupid. It's also unscalable and will
> become an administration nightmare.

Well OK then. Using a configuration mechanism like ACLs that cannot be
distributed to multiple users (like editing a directory can) is, in a
word, stupid. It is also unscalable and will become an administration
nightmare. And authorisation is not (or SHOULD not be) the job of ACLs;
it's the job of authorisation modules, which nssov is.

Being forced to give admins who simply want to be able to change access
to a random host in a centralised server root access to what may be a
critical server with other sensitive data on it is simply wrong.

As already noted, there is no need to give root access to admins. My guess
is you really do not understand how ACLs work. I would advise carefully
reading the slapd-access(5) man page.

Principal Software Engineer
Zimbra :: the leader in open source messaging and collaboration