Hello,
I was wondering if there exists a best practices guide to crafting olcAccess rules?
For example: Should I create a single entry per account I want to give access, granting all attributes they would need read/write access to with a particular filter? Or would I be better off grouping access granting to members of the groups and adding individual rules for special edge cases? Or are both these ideas off base and something else would be preferred?
Currently I am granting access by groups with access to collections of attributes, however as I am discovering that some accounts need access to those attributes with different filters my rules are continually shifting and growing.
Thank You,
-Russell Jancewicz
University of Connecticut
On Wed, Jul 31, 2013 at 06:11:02PM +0000, Jancewicz, Russell wrote:
> Should I create a single entry per account I want to give access, granting all attributes they would need read/write access to with a particular filter?
No - you will end up having to change the ACLs every time you add a user.
> Or would I be better off grouping access granting to members of the groups and adding individual rules for special edge cases?
Much better, but try to avoid those edge cases too!
> Or are both these ideas off base and something else would be preferred?
> Currently I am granting access by groups with access to collections of attributes, however as I am discovering that some accounts need access to those attributes with different filters my rules are continually shifting and growing.
Try to cut the complexity of ACLs as far as possible. ACLs are effectively programs and they take a lot of testing when they are modified.
I always try to turn the day-to-day changes into group-membership changes as then the routine mods are just 'data' rather than 'program'.
One approach you might look at is to use two layers of groups: one to categorise users by role (printer admin, user-support, accounts) and one to give access to specific resources (password-writer, home-address-reader, mail-address-reader). You can then make the role groups members of the appropriate resource groups, which is a more understandable way to express policy than typical ACLs.
More ideas here:
http://www.skills-1st.co.uk/papers/ldap-acls-jan-2009/
Andrew
openldap-technical@openldap.org
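The LDIF below is an added example, not part of this thread and not taken from OpenLDAP's own documentation, showing one way the two-layer group scheme described above can be written for cn=config. The suffix dc=example,dc=com, the containers ou=role-groups and ou=resource-groups, the user and group names, and the database DN olcDatabase={1}mdb,cn=config are all assumed for illustration. The ACLs use the set= clause rather than group= because group= tests direct membership of the named group only; it will not find a user whose only link to the resource group is through a role group that is itself a member. The set expression "[dn]/member*" walks the member attribute transitively, so a member of a role group that is a member of the resource group matches.

```ldif
# Constructed sample data for the example: users belong to role groups,
# and role groups belong to resource groups. Day-to-day changes (a new
# support person, a change of duties) are edits to these entries, not to ACLs.
dn: cn=user-support,ou=role-groups,dc=example,dc=com
objectClass: groupOfNames
cn: user-support
member: uid=alice,ou=people,dc=example,dc=com

dn: cn=printer-admin,ou=role-groups,dc=example,dc=com
objectClass: groupOfNames
cn: printer-admin
member: uid=bob,ou=people,dc=example,dc=com

# Resource groups name a specific capability; their members are role groups.
dn: cn=password-writer,ou=resource-groups,dc=example,dc=com
objectClass: groupOfNames
cn: password-writer
member: cn=user-support,ou=role-groups,dc=example,dc=com

dn: cn=home-address-reader,ou=resource-groups,dc=example,dc=com
objectClass: groupOfNames
cn: home-address-reader
member: cn=user-support,ou=role-groups,dc=example,dc=com

dn: cn=mail-address-reader,ou=resource-groups,dc=example,dc=com
objectClass: groupOfNames
cn: mail-address-reader
member: cn=user-support,ou=role-groups,dc=example,dc=com
member: cn=printer-admin,ou=role-groups,dc=example,dc=com

# ACLs: one olcAccess value per resource, each referring to its resource
# group. "[dn]/member*" expands the group's member attribute recursively, so
# alice (user-support -> password-writer) matches the first rule; group="..."
# would only test direct membership and would not. The database DN below is an
# assumption; "replace" overwrites every existing olcAccess value, so merge
# these with whatever rules the database already has before applying.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword
  by self write
  by anonymous auth
  by set="[cn=password-writer,ou=resource-groups,dc=example,dc=com]/member* & user" write
  by * none
olcAccess: {1}to attrs=homePostalAddress
  by self write
  by set="[cn=home-address-reader,ou=resource-groups,dc=example,dc=com]/member* & user" read
  by * none
olcAccess: {2}to attrs=mail
  by self write
  by set="[cn=mail-address-reader,ou=resource-groups,dc=example,dc=com]/member* & user" read
  by * none
olcAccess: {3}to *
  by self write
  by users read
  by * none
```

Because ACLs are effectively programs, test them rather than reasoning about them: slapacl runs the real access-control engine against the on-disk config without a running slapd. With the assumed data above, `slapacl -F /etc/ldap/slapd.d -D uid=alice,ou=people,dc=example,dc=com -b uid=bob,ou=people,dc=example,dc=com userPassword/write` should report the access as ALLOWED, and the same command with `-D uid=bob,...` and `-b uid=alice,...` should report it as DENIED; rerun such checks for each resource group whenever an olcAccess value changes. Two caveats: continuation lines in LDIF start with a single space that is stripped on parsing, so the two leading spaces above are deliberate; and the OpenLDAP 2.4 Administrator's Guide describes set ACLs as experimental, which is one more reason to keep the slapacl checks alongside the rules.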