Daniel Tröder wrote:
> The product is not new, but exists for some years now
> (https://www.univention.com/products/ucsschool/). It is completely
> open source and free as in beer (except support ofc).
> The LDAP tree is replicated from the master to >=1 LDAP slave per
> school. All of a school's LDAP objects are in a ou=.. subtree.
> For security reasons the replication to the LDAP servers in the school
> slaves is "selective": only global (above ou=..) objects and their own
> OU subtree is replicated to each slave. With the exception of user
> objects, which can "belong" to multiple schools (OUs) by having them
> listed in a "school" attribute (and their groups as well). The ACLs
> are written so that user objects and their references (groups) can
> also be replicated to those "additional" OUs.
Frankly I fail to understand how you securely handle cross-OU references and partial replication of OUs.

The other stuff pretty much sounds like what Æ-DIR is implementing with set-based ACLs (replace your "school/OU" by Æ-DIR's zone). But as said: Sets are really slow. I'm curious to hear whether your dynacl module is faster than an equivalent set-based ACL approach.

Ciao, Michael.
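As an added illustration of the selective-replication rule Daniel describes, written with the OpenLDAP set-based ACLs Michael refers to; this is not configuration from UCS@school, Univention or Æ-DIR. Everything named here is an assumption constructed for the example: the suffix dc=example,dc=org, a cn=global subtree for objects outside any OU, one consumer bind identity per school under cn=replicas carrying a "school" attribute, the same "school" attribute on user entries, and groupOfUniqueNames groups. Clause order relies on slapd's first-match evaluation, with "by * break" to fall through to the next clause.

```conf
# Added example (not the project's own slapd.conf): modelling
# "replicate global objects, your own OU, and users/groups that
# list your school" with set-based ACLs.
# All DNs and the "school" attribute are constructed assumptions.

# 1. Global objects (assumed to live under cn=global) are readable
#    by every school consumer.
access to dn.subtree="cn=global,dc=example,dc=org"
        by group.exact="cn=school-replicas,cn=replicas,dc=example,dc=org" read
        by * break

# 2. A consumer reads its own OU subtree: the OU name captured by the
#    regex must match the consumer's own "school" attribute value.
#    Without "by * break" a non-matching consumer would be denied here
#    and clauses 3 and 4 would never be reached.
access to dn.regex="^(.+,)?ou=([^,]+),dc=example,dc=org$"
        by set.expand="user/school & [$2]" read
        by * break

# 3. User entries that list a school are also visible to that school's
#    consumer, even when they are stored in another OU's subtree.
access to filter="(objectClass=inetOrgPerson)"
        by set="this/school & user/school" read
        by * break

# 4. Groups are visible to a consumer when at least one member belongs
#    to its school: uniqueMember DNs are expanded to the members'
#    entries and their "school" values compared with the consumer's.
access to filter="(objectClass=groupOfUniqueNames)"
        by set="this/uniqueMember/school & user/school" read
        by * break

# 5. Nothing else leaves the provider.
access to *
        by * none
```

Clause 4 is where the cross-OU question and the performance point meet: a group matches as soon as one member shares the consumer's school, so the whole entry, including uniqueMember DNs of users from other schools, is replicated to that consumer, and each evaluation expands every member DN into an entry lookup, which is the cost of sets that Michael describes. Whether that exposure is acceptable is a policy decision per deployment; the ACL alone does not hide the other members.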
