Piotr Wadas wrote:
Regarding the "broken ACI concept": does any RFC say anything about the concept of dynamically assigned privileges on LDAP directory entries? Or does it recommend avoiding such policies?
AFAIK, nothing made it into an RFC; what OpenLDAP's ACIs are (loosely) based on is <draft-ietf-ldapext-aci-model-0.3.txt>. Other implementors do have ACIs and, in some cases, they're the preferred means to control access. This doesn't mean ACIs have to be the preferred implementation of access control.
IMHO, the most appealing feature of ACIs is the fact that in principle access rules get replicated along with data. However, the lack of a standard defeats this purpose when it comes to cross-implementation replication, migration and so on. Moreover, one might want to have different access rules for different shadows of the same database. Finally, right now access control on OpenLDAP's slapd can be modified without the need to stop and restart it, by means of cn=config; there is work in progress to allow configuration replication. As such, OpenLDAP offers better means to achieve the same purpose without ACIs, with access determinism guaranteed by avoiding the use of ACIs.
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.n.c.
Via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
------------------------------------------
Office: +39.02.23998309
Mobile: +39.333.4963172
Email: pierangelo.masarati@sys-net.it
------------------------------------------