Torgeir Veimo wrote:
> "David E. Storey" wrote:
>
>> For me, OpenLDAP is too static. If you want to configure a replica or
>> modify access control, you have to modify slap.conf and restart. and
>> restart. and restart?!
>>
>
> Actually, openLDAP supports per-object ACI's. ./configure says;
>
> --enable-aci enable per-object ACIs [no]

Yes, that's true. Notice the PER-OBJECT constraint. slapd.conf allows one to specify access control to objects and attributes based on just about any criteria. (and of course, there's always the exception to the rule) This per-object aci is based on a not-yet-standardized draft and the openldap implementation doesn't apply to sub-trees like the draft allows. So while per-object aci's are useful in some situations, it's not what I'm looking for.

d!
