Daniel Tröder wrote:
The product is not new, but exists for some years now
). It is completely
open source and free as in beer (except support ofc).
The LDAP tree is replicated from the master to >=1 LDAP slave per
school. All of a school's LDAP objects are in an ou=.. subtree.
For security reasons the replication to the LDAP servers in the school
slaves is "selective": only global (above ou=..) objects and their own
OU subtree are replicated to each slave. With the exception of user
objects, which can "belong" to multiple schools (OUs) by having them
listed in a "school" attribute (and their groups as well). The ACLs
are written so that user objects and their references (groups) can
also be replicated to those "additional" OUs.
Frankly I fail to understand how you securely handle cross-OU references
and partial replication of OUs.
The other stuff pretty much sounds like what Æ-DIR is implementing with
set-based ACLs (replace your "school/OU" by Æ-DIR's zone).
But as said: Sets are really slow. I'm curious to hear whether your
dynacl module is faster than an equivalent set-based ACL approach.
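To make the cross-OU concern raised above concrete, here is a small added example (my own code, not from the thread, Daniel's product or Æ-DIR) that models the replication rules as described in the quoted text and then audits the result for one slave. It assumes a constructed directory under `dc=example,dc=org`, an attribute named `school` on users and groups and `member` on groups, and simple DNs with no escaped commas; all of those are assumptions, not facts from the thread. The audit reports group members that would be referenced on a slave but never replicated to it, which is the kind of dangling cross-OU reference a selective-replication design has to account for.

```python
# Added example: simulate "selective" replication of an LDAP tree to a
# per-school slave and detect cross-OU references that dangle on that slave.

BASE_DN = "dc=example,dc=org"  # assumption: base DN of the constructed tree

# Constructed sample directory. Attribute names "school" and "member" are
# assumptions; the thread only says users carry a "school" attribute.
ENTRIES = {
    "dc=example,dc=org": {"objectClass": ["domain"]},
    "cn=policy,dc=example,dc=org": {"objectClass": ["organizationalRole"]},
    "ou=schoolA,dc=example,dc=org": {"objectClass": ["organizationalUnit"]},
    "ou=schoolB,dc=example,dc=org": {"objectClass": ["organizationalUnit"]},
    "uid=alice,ou=users,ou=schoolA,dc=example,dc=org": {"school": ["schoolA"]},
    "uid=bob,ou=users,ou=schoolB,dc=example,dc=org": {"school": ["schoolB"]},
    # carol's entry lives under schoolA but she also belongs to schoolB
    "uid=carol,ou=users,ou=schoolA,dc=example,dc=org": {
        "school": ["schoolA", "schoolB"]},
    # a schoolB group that (deliberately) also lists a pure-schoolA user
    "cn=teachers,ou=groups,ou=schoolB,dc=example,dc=org": {
        "school": ["schoolB"],
        "member": [
            "uid=bob,ou=users,ou=schoolB,dc=example,dc=org",
            "uid=carol,ou=users,ou=schoolA,dc=example,dc=org",
            "uid=alice,ou=users,ou=schoolA,dc=example,dc=org",
        ],
    },
}


def school_of(dn):
    """Return the school OU directly under BASE_DN that `dn` sits in,
    or None for global entries (the base itself or anything not under an ou=)."""
    if dn == BASE_DN:
        return None
    suffix = "," + BASE_DN
    if not dn.endswith(suffix):
        raise ValueError("DN outside the base: %s" % dn)
    rdns = dn[: -len(suffix)].split(",")  # assumption: no escaped commas
    top = rdns[-1]  # RDN closest to the base, e.g. "ou=schoolA"
    return top[len("ou="):] if top.lower().startswith("ou=") else None


def replicated_to(school):
    """DNs that reach the slave of `school` under the described rules:
    global objects, the school's own OU subtree, and any entry whose
    "school" attribute lists this school (users and their groups)."""
    out = set()
    for dn, attrs in ENTRIES.items():
        own = school_of(dn)
        if own is None or own == school or school in attrs.get("school", []):
            out.add(dn)
    return out


def dangling_refs(school):
    """(group DN, member DN) pairs where the group is replicated to the
    slave but the referenced member is not, i.e. the slave would hold a
    reference it can never resolve locally."""
    present = replicated_to(school)
    problems = []
    for dn in sorted(present):
        for member in ENTRIES[dn].get("member", []):
            if member not in present:
                problems.append((dn, member))
    return problems


if __name__ == "__main__":
    for school in ("schoolA", "schoolB"):
        print("slave for %s receives:" % school)
        for dn in sorted(replicated_to(school)):
            print("  ", dn)
        for group, member in dangling_refs(school):
            print("  DANGLING: %s -> %s" % (group, member))
```

Running it shows that carol is correctly replicated to both slaves because her `school` attribute lists both OUs, while the teachers group on the schoolB slave ends up referencing alice, who never reaches that slave. Whether such a reference should be rejected on the master, stripped by the ACLs, or tolerated is exactly the design decision the question above is asking about; the script only makes the consequence visible for a given rule set.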