Hi,
I'm setting up a new OpenLDAP infrastructure on Solaris, where the directory will be critical and we need to keep a tight control on the changes made to it. The changes will come from an external feed, and as an extra safety measure to protect against software bugs that could otherwise cripple our infrastructure, we would like to put an overlay into the directory server that will make sure that the changes being made to the directory do not break some basic business rules we are defining.
The rules will be along these lines:
- Do not allow more than 10% of entries underneath a given DIT to be modified in less than a 24 hour period
- Entries underneath a given DIT must have a specified list of object classes and attributes defined
- Do not permit modrdn under a given DIT
- Attribute values match a particular defined set of REs (I can do this with the constraint overlay)
- Some critical entries cannot be modified or removed (I can do this with access control lists)
- Some attributes not used in the DN must be unique (I can do this with the unique overlay)
So I'm ok with the last three, but any suggestions for the first three? Has anyone else implemented similar overlays already?
Thanks & regards, Mark Bannister.
Mark,
Bannister, Mark wrote:
> Do not allow more than 10% of entries underneath a given DIT to be modified in less than a 24 hour period
Throttling is tricky. Currently no idea besides implementing a custom overlay.
But throttling is a bad tool against real errors anyway:
1. No matter how you choose your static threshold a sync process going mad will always cause a huge PITA.
2. Static throttling can easily hurt good sync behaviour and cause other headaches, e.g. think of a mass deactivation needed because of a security incident.
=> IMO it's better to raise the bar with additional constraints.
Also try to deactivate entries (invisible via ACL) instead of deleting them. Then repairing accidentally deactivated entries is less work. It's the approach I take for almost everything in Æ-DIR [1].
[1] http://www.stroeder.com/publications.shtml#gpn15
If performance allows in your setup consider using slapo-accesslog - one of my OpenLDAP feature favourites. Besides being mainly dedicated to delta-syncrepl it's very useful for auditing and rolling back changes. My web2ldap shows extra quick links when displaying a single entry and has some HTML templates for nicer viewing.
> Entries underneath a given DIT must have a specified list of object classes and attributes defined
How about these approaches:
DIT content rules (most times overlooked schema feature): http://www.openldap.org/faq/data/cache/1473.html
Andrew's poor man's DIT structure rules and nameforms with ACLs: http://www.openldap.org/faq/data/cache/1474.html
> Do not permit modrdn under a given DIT
ACLs.
> Attribute values match a particular defined set of REs (I can do this with the constraint overlay)
Yupp, slapo-constraint is your friend. For DN references also slapo-refint could help.
> Some critical entries cannot be modified or removed (I can do this with access control lists)
Yupp, ACLs.
> Some attributes not used in the DN must be unique (I can do this with the unique overlay)
Yupp, slapo-unique.
But be aware of slapo-unique issues: http://www.openldap.org/its/index.cgi?findid=6825 http://www.openldap.org/its/index.cgi?findid=6916
Ciao, Michael.
openldap-technical@openldap.org
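The following slapd.conf fragment is an added example, not configuration from the thread, from Æ-DIR or from the OpenLDAP distribution. It wires together the pieces Michael names: a DIT content rule for the "required object classes and attributes" rule, ACLs for the read-only critical entries, slapo-constraint for the regex rule, slapo-unique for the non-DN unique attributes, and slapo-accesslog as the audit and rollback trail. The suffix dc=example,dc=com, the feed's bind DN cn=feed,ou=services,dc=example,dc=com, the subtrees ou=people and ou=critical, the schema and database paths, and the regexes are all assumptions; the modrdn restriction is not shown.

```conf
# Added example slapd.conf fragment (not from the thread or from OpenLDAP).
# Paths, DNs and regexes below are assumptions for illustration.
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema
# moduleload lines are only needed if the overlays were built as modules:
# moduleload    back_mdb.la
# moduleload    accesslog.la
# moduleload    constraint.la
# moduleload    unique.la

# DIT content rule: keyed by the OID of the structural class it governs
# (inetOrgPerson = 2.16.840.1.113730.3.2.2). Every entry with that structural
# class must carry mail and employeeNumber, may only add the listed auxiliary
# classes, and may not carry description. Content rules are per structural
# class, not per subtree, so this applies to inetOrgPerson entries anywhere.
ditcontentrule ( 2.16.840.1.113730.3.2.2 NAME 'inetOrgPersonDCR'
    DESC 'feed-managed person entries'
    AUX ( posixAccount $ shadowAccount )
    MUST ( mail $ employeeNumber )
    NOT ( description ) )

# Log database for slapo-accesslog, defined before the database it audits.
# reqStart must be indexed for logpurge to work efficiently.
database        mdb
suffix          "cn=accesslog"
rootdn          "cn=accesslog"
directory       /var/openldap/accesslog
index           reqStart eq
index           reqDN eq
index           reqResult eq

database        mdb
suffix          "dc=example,dc=com"
rootdn          "cn=manager,dc=example,dc=com"
directory       /var/openldap/data
index           objectClass,uid,uidNumber,mail eq

# ACLs: the first "access to" clause whose target matches wins, so the
# narrow rules come first. rootdn bypasses ACLs entirely; the feed must
# therefore bind as cn=feed, never as the rootdn.
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none
# Critical entries stay read-only even for the feed.
access to dn.subtree="ou=critical,dc=example,dc=com"
    by dn.exact="cn=feed,ou=services,dc=example,dc=com" read
    by * read
access to dn.subtree="dc=example,dc=com"
    by dn.exact="cn=feed,ou=services,dc=example,dc=com" write
    by * read

# slapo-constraint: regexes are anchored so a partial match cannot pass;
# [.] is used for a literal dot to avoid backslash handling in slapd.conf.
overlay         constraint
constraint_attribute mail regex ^[A-Za-z0-9._-]+@example[.]com$
constraint_attribute uid regex ^[a-z][a-z0-9-]{2,31}$ restrict="ldap:///ou=people,dc=example,dc=com??sub"
constraint_attribute uidNumber,gidNumber count 1

# slapo-unique: attributes that are not in the DN but must not collide.
overlay         unique
unique_uri      ldap:///ou=people,dc=example,dc=com?mail,uidNumber,employeeNumber?sub

# slapo-accesslog: record every write (successful or not) together with the
# old values of modified and renamed entries, so a bad feed run can be
# rolled back; purge records older than 30 days, checking once a day.
overlay         accesslog
logdb           cn=accesslog
logops          writes
logsuccess      FALSE
logold          (objectClass=*)
logpurge        30+00:00 01+00:00
```

Check the file with `slaptest -u -f slapd.conf` before loading it; a DIT content rule that references an attribute or class not included above is rejected at that point rather than at run time. Note that the content rule is enforced by structural object class for the whole directory, which is stricter than "underneath a given DIT" in the question, and that ACLs protect the critical subtree only for binds below the rootdn.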
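For the two rules the reply leaves to a custom overlay (the 24-hour change budget) and to ACLs (no modrdn), a cheaper option is to measure them after the fact from the slapo-accesslog trail Michael recommends, and alert rather than block. The script below is an added example, not code from the thread or from OpenLDAP: it reads accesslog records in LDIF form (as `ldapsearch -LLL -b cn=accesslog` would return them), counts the distinct entries under a subtree changed by successful write operations in the last 24 hours, and lists any modrdn under that subtree. The records in SAMPLE_LDIF are constructed, and the subtree, the audit time and the total entry count of 20 (in practice taken from an ldapsearch of the base) are assumptions.

```python
"""Audit a slapo-accesslog trail for change rate and renames under a subtree.
Added example, not from the thread or OpenLDAP; sample records are constructed."""
import base64
from datetime import datetime, timedelta, timezone

PEOPLE = "ou=people,dc=example,dc=com"                 # assumed subtree
NOW = datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc)  # assumed audit time
WRITE_OPS = {"add", "modify", "modrdn", "delete"}      # what "logops writes" records

# Constructed accesslog records, trimmed to the attributes used here
# (reqStart, reqType, reqDN, reqResult, reqNewRDN are slapo-accesslog names).
SAMPLE_LDIF = """\
dn: reqStart=20240501080000.000001Z,cn=accesslog
reqStart: 20240501080000.000001Z
reqType: modify
reqDN: uid=alice,ou=people,dc=example,dc=com
reqResult: 0

dn: reqStart=20240501081500.000001Z,cn=accesslog
reqStart: 20240501081500.000001Z
reqType: delete
reqDN: uid=bob,ou=people,dc=example,dc=com
reqResult: 0

dn: reqStart=20240501082000.000001Z,cn=accesslog
reqStart: 20240501082000.000001Z
reqType: modrdn
reqDN: uid=carol,ou=people,dc=example,dc=com
reqNewRDN: uid=carol2
reqResult: 0

dn: reqStart=20240501083000.000001Z,cn=accesslog
reqStart: 20240501083000.000001Z
reqType: modify
reqDN: uid=dave,ou=people,dc=example,dc=com
reqResult: 50

dn: reqStart=20240430070000.000001Z,cn=accesslog
reqStart: 20240430070000.000001Z
reqType: modify
reqDN: uid=erin,ou=people,dc=example,dc=com
reqResult: 0

dn: reqStart=20240501084000.000001Z,cn=accesslog
reqStart: 20240501084000.000001Z
reqType: modify
reqDN: cn=printers,ou=groups,dc=example,dc=com
reqResult: 0
"""


def parse_ldif(text):
    """Minimal LDIF reader: blank-line separated entries, folded lines, base64 values."""
    entries, cur, prev = [], {}, None
    for line in text.splitlines():
        if line.startswith(" ") and prev:        # folded continuation line
            cur[prev][-1] += line[1:]
        elif not line.strip():
            if cur:
                entries.append(cur)
            cur, prev = {}, None
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")
            if value.startswith(":"):            # "attr:: <base64>"
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            cur.setdefault(attr, []).append(value.strip())
            prev = attr
    if cur:
        entries.append(cur)
    return entries


def parse_time(generalized):
    """reqStart as slapo-accesslog writes it: YYYYmmddHHMMSS.ffffffZ (UTC)."""
    return datetime.strptime(generalized, "%Y%m%d%H%M%S.%fZ").replace(tzinfo=timezone.utc)


def is_under(dn, base):
    dn, base = dn.lower(), base.lower()          # naive: no DN normalisation
    return dn == base or dn.endswith("," + base)


def successful_writes(entries, base, since, until):
    """Write operations with reqResult 0 on entries under base inside [since, until]."""
    return [e for e in entries
            if e.get("reqType", [""])[0] in WRITE_OPS
            and e.get("reqResult", ["-1"])[0] == "0"
            and is_under(e["reqDN"][0], base)
            and since <= parse_time(e["reqStart"][0]) <= until]


def audit(ldif_text, base, total_entries, now, max_ratio=0.10, window=timedelta(hours=24)):
    """Return (fraction of distinct entries under base changed in the window, findings)."""
    writes = successful_writes(parse_ldif(ldif_text), base, now - window, now)
    touched = {e["reqDN"][0].lower() for e in writes}   # several mods of one entry count once
    ratio = len(touched) / total_entries if total_entries else 0.0
    findings = []
    if ratio > max_ratio:
        findings.append(f"{ratio:.0%} of {total_entries} entries under {base} changed "
                        f"in {window.total_seconds() / 3600:.0f}h (limit {max_ratio:.0%})")
    for e in writes:
        if e["reqType"][0] == "modrdn":
            findings.append(f"modrdn under {base}: {e['reqDN'][0]} -> {e['reqNewRDN'][0]}")
    return ratio, findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LDIF, PEOPLE, 20, NOW)[1]:   # 20 = assumed subtree size
        print(finding)
```

On the sample, three distinct entries (alice, bob, carol) count: dave's modify failed (reqResult 50), erin's change is older than the window, and the printers group is outside ou=people. With 20 entries in the subtree that is 15%, so both the rate finding and the carol rename are reported; with 50 entries only the rename is. This is a monitor, not a gate: by the time it fires the changes are in the directory, which is exactly why the `logold` data in the accesslog matters for rolling them back.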