Hi.
I would like to use sets in my OpenLDAP ACLs, but I'm worried about "Sets are considered experimental" as is written in the docs (http://www.openldap.org/doc/admin24/access-control.html#Sets%20-%20Granting%...)
Is anybody using sets in a production environment without problems? Are there any known issues with sets? Or is it known when sets will be ready to use?
Tomasz Lesniewski wrote:
I would like to use sets in my OpenLDAP ACLs, but I'm worried about "Sets are considered experimental" as is written in the docs (http://www.openldap.org/doc/admin24/access-control.html#Sets%20-%20Granting%...)
Is anybody using sets in a production environment without problems? Are there any known issues with sets? Or is it known when sets will be ready to use?
I put one setup with many set ACLs in production. Sets work as intended but are not documented very well. It costs some time to get it right. It's a good idea to implement ACL regression testing.
The main problem with sets: They are slow - I mean really slow.
But if high performance is not your main goal you can set up very paranoid access control with sets.
I will show a demo of a similar setup this weekend at the OpenLDAP booth at Chemnitzer Linuxtage:
https://chemnitzer.linux-tage.de/2015/en/programm/beitrag/134
See also my presentation of this stuff this Sunday:
https://chemnitzer.linux-tage.de/2015/en/programm/beitrag/135
Ciao, Michael.
-- Michael Ströder E-Mail: michael@stroeder.com http://www.stroeder.com
Michael Ströder wrote:
Tomasz Lesniewski wrote:
I would like to use sets in my OpenLDAP ACLs, but I'm worried about "Sets are considered experimental" as is written in the docs (http://www.openldap.org/doc/admin24/access-control.html#Sets%20-%20Granting%...)
Is anybody using sets in a production environment without problems? Are there any known issues with sets? Or is it known when sets will be ready to use?
I put one setup with many set ACLs in production. Sets work as intended but are not documented very well. It costs some time to get it right. It's a good idea to implement ACL regression testing.
The main problem with sets: They are slow - I mean really slow.
And they will continue to be - very very slow. There is currently no way to cache set evaluations, like we do with group ACLs.
But if high performance is not your main goal you can set up very paranoid access control with sets.
I will show a demo of a similar setup this weekend at the OpenLDAP booth at Chemnitzer Linuxtage:
https://chemnitzer.linux-tage.de/2015/en/programm/beitrag/134
See also my presentation of this stuff this Sunday:
https://chemnitzer.linux-tage.de/2015/en/programm/beitrag/135
Ciao, Michael.
-- Michael Ströder E-Mail: michael@stroeder.com http://www.stroeder.com
Howard Chu wrote:
Michael Ströder wrote:
Tomasz Lesniewski wrote:
I would like to use sets in my OpenLDAP ACLs, but I'm worried about "Sets are considered experimental" as is written in the docs (http://www.openldap.org/doc/admin24/access-control.html#Sets%20-%20Granting%...)
Is anybody using sets in a production environment without problems? Are there any known issues with sets? Or is it known when sets will be ready to use?
I put one setup with many set ACLs in production. Sets work as intended but are not documented very well. It costs some time to get it right. It's a good idea to implement ACL regression testing.
The main problem with sets: They are slow - I mean really slow.
And they will continue to be - very very slow. There is currently no way to cache set evaluations, like we do with group ACLs.
So the only work-around to improve performance a bit is to maintain additional attributes to avoid set ACLs following too many references.
E.g. slapo-memberof can be used to set back-link references in group member entries (attribute 'memberOf') which sometimes can improve the set performance of specific group membership relations. (Yes, I know the normal by group ACLs but those are not sufficient for some use-cases.)
Ciao, Michael.
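The memberOf back-link approach described above, as an added slapd.conf example that is not Michael's setup or any official OpenLDAP sample; the DNs under dc=example,dc=com, the attribute and the group name are assumed:

```conf
# Constructed example: a set ACL that dereferences the group entry versus
# one that only reads the bound user's own memberOf back-links.

# slapo-memberof maintains memberOf on each member entry whenever a
# groupOfNames' member attribute changes (refint keeps it consistent).
moduleload memberof.la
overlay memberof
memberof-group-oc groupOfNames
memberof-member-ad member
memberof-memberof-ad memberOf
memberof-refint true

# Variant A (slow): the set expands every 'member' value of the group entry
# on each evaluation and intersects that list with the bound DN ('user').
# Nothing here is cached, so cost grows with the size of the group.
access to dn.subtree="ou=people,dc=example,dc=com" attrs=userPassword
    by set="[cn=admins,ou=groups,dc=example,dc=com]/member & user" write
    by self write
    by * auth

# Variant B (cheaper): the set expands only the bound user's own entry
# (its memberOf values) and checks whether the group DN is among them.
# The group entry itself is never dereferenced.
access to dn.subtree="ou=people,dc=example,dc=com" attrs=mail,telephoneNumber
    by set="user/memberOf & [cn=admins,ou=groups,dc=example,dc=com]" write
    by self write
    by users read
    by * none

# Regression check for the ACLs above, run offline against the config
# with slapacl(8); put calls like this in a script and diff the output:
#   slapacl -f /etc/openldap/slapd.conf \
#       -D "uid=alice,ou=people,dc=example,dc=com" \
#       -b "uid=bob,ou=people,dc=example,dc=com" "mail/write"
```

Variant B only stays correct as long as memberOf is maintained by the overlay (or the same logic on every provider in a replicated setup), so the regression script should also cover a user whose group membership was just removed.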
openldap-technical@openldap.org