On 04/25/2018 11:58 AM, Michael Ströder wrote:
Daniel Tröder wrote:
> The product is not new, but exists for some years now
). It is completely
> open source and free as in beer (except support ofc).
> The LDAP tree is replicated from the master to >=1 LDAP slave per
> school. All of a schools LDAP objects are in a ou=.. subtree.
> For security reasons the replication to the LDAP servers in the school
> slaves is "selective": only global (above ou=..) objects and their own
> OU subtree is replicated to each slave. With the exception of user
> objects, which can "belong" to multiple schools (OUs) by having them
> listed in a "school" attribute (and their groups as well). The ACLs
> are written so that user objects and their references (groups) can
> also be replicated to those "additional" OUs.
Frankly I fail to understand how you securely handle cross-OU references
and partial replication of OUs.
Fun like this:
# Lehrer, Mitarbeiter und OU-Admins duerfen Schueler-Passwoerter aendern
access to filter="objectClass=ucsschoolStudent"
by set="this/ucsschoolSchool &
by * +0 break
root@m65:/etc/ldap# grep 'access to' slapd.conf | wc -l
root@m65:/etc/ldap# grep 'by set' slapd.conf | wc -l
The other stuff pretty much sounds like what Æ-DIR is implementing
set-based ACLs (replace your "school/OU" by Æ-DIR's zone).
I'm very intrigued by Æ-DIR!
But as said: Sets are really slow. I'm curious to hear whether
dynacl module is faster than an equivalent set-based ACL approach.
Yes... we have
customers with >100.000 objects and when a query has to
many constraints it can take several minutes to complete. We are now
trying to get the dynacl module to replace as much set-ACLs as possible
and comparing query speed. For now the motto is "not be slower" :) while
gaining simplicity and extensibility. I'll keep you posted, and ofc
it'll be open source :)