Complex ACL filters with OVD
Access Control Rules are a very important aspect to get right when setting up Oracle Virtual Directory. But at the same time, I guess they are probably the most complex configuration option, especially if you haven't had some hard-core LDAP experience before.
In Using OVD Filtered Directories for LDAP Authentication, I talked about using ACLs to restrict access to certain parts of a directory: each Access Control Rule has a filter setting, which is an LDAP filter that specifies which directory entries the rule applies to.
However I also discovered that using complex (multiple term) Access Control Rule filters is a great way to kill the OVD server process.
NB: it bombs with a java.lang.NullPointerException, and it is necessary to go and manually remove the offending filter from the $OVD_HOME/conf/acls.os_xml file on the server before it will start up again.
Say, for example, you wanted to grant access to entries for the ITGroup and HR departments. In RFC 4515 LDAP search filter terms, we can write this simply as (|(departmentNumber=ITGroup)(departmentNumber=HR)).
But as mentioned, this will kill your OVD server (OVD 10.1.4.0.1 build 06.07.19).
There is a simple work-around though: revert to simple set theory and write multiple rules. In other words, granting (|(departmentNumber=ITGroup)(departmentNumber=HR)) is equivalent to two rules applied in sequence:
- Grant: (departmentNumber=ITGroup)
- Grant: (departmentNumber=HR)
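The rule-per-term workaround can be mechanised. The helper below is an added example, not OVD code or anything from the original post: it splits a top-level OR filter into the single-term filters that become separate Grant rules (flattening nested ORs, leaving AND/NOT filters alone because sequential grants are only equivalent to a disjunction), and checks on constructed sample entries that the rule set grants exactly what the original OR filter would.

```python
import re

def _components(inner: str) -> list[str]:
    """Split the text inside an OR into its balanced parenthesised terms."""
    terms, depth, start = [], 0, None
    for i, ch in enumerate(inner):
        if ch == "(":
            if depth == 0:
                start = i
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                raise ValueError("unbalanced ')' in filter")
            if depth == 0:
                terms.append(inner[start:i + 1])
        elif depth == 0 and not ch.isspace():
            raise ValueError(f"unexpected text outside parentheses: {ch!r}")
    if depth != 0:
        raise ValueError("unbalanced '(' in filter")
    return terms

def split_or_filter(ldap_filter: str) -> list[str]:
    """Return one filter per Grant rule, equivalent to a top-level OR filter.
    Nested ORs are flattened; anything that is not an OR (a single term, an
    AND, a NOT) is returned unchanged, since splitting it would change meaning."""
    f = ldap_filter.strip()
    if not (f.startswith("(|") and f.endswith(")")):
        return [f]
    rules = []
    for term in _components(f[2:-1]):
        rules.extend(split_or_filter(term))
    return rules

def matches_equality(ldap_filter: str, entry: dict) -> bool:
    """Evaluate a single (attr=value) equality term against an entry
    (case-insensitive, as LDAP's default matching rules are for most attributes)."""
    m = re.fullmatch(r"\((\w+)=([^()]*)\)", ldap_filter)
    if not m:
        raise ValueError(f"only simple equality terms are supported: {ldap_filter}")
    attr, value = m.groups()
    return value.lower() in {v.lower() for v in entry.get(attr, [])}

def granted_by_rules(rules: list[str], entry: dict) -> bool:
    """With sequential Grant rules, an entry is granted if any single rule matches."""
    return any(matches_equality(r, entry) for r in rules)

# Constructed sample entries (attribute -> list of values), not real directory data.
SAMPLE_ENTRIES = [{"departmentNumber": ["ITGroup"]}, {"departmentNumber": ["HR"]},
                  {"departmentNumber": ["Sales"]}, {}]
```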
Long on my "must read" list, I finally picked up Freakonomics (by Steven D. Levitt and Stephen J. Dubner) this weekend, and discovered a fascinating book about interesting questions.
Questions that are not often asked, but once posed are seen at once to cut to the fundamentals of our society, but also usually discarded as unanswerable.
That seems to be the trick that Steven Levitt has perfected (the economist in the writing team): fixing on an "imponderable" question, and then ingeniously hunting down the situations and data that let him lock an answer within his sights.
What seems to set him apart from other economists is his willingness and ability to collaborate across disciplinary lines when that is the best way to an answer: what the authors describe as an a-disciplinary approach. Levitt apparently has more in common with Sherlock Holmes than Milton Friedman.
There is an interesting congruence with Malcolm Gladwell's The Tipping Point (which I've also recommended before). While they intersect on some common examples (such as the broken windows theory), each book takes away something different. Gladwell is of course intrigued by the inflexion - how closely can you isolate and identify the point at which things tip? What is the mechanism that causes the worm to turn?
Freakonomics on the other hand is seeking to explain why things are the way they are (whether steady-state, trend or tipping point). The search for causality, not just correlation. No less than the search for truth! Of course the more interesting investigations are the ones that show truth to be at odds with conventional wisdom!
NB: if you like this kind of questioning, check out PsyBlog. I came across this recently and it has some great articles.
The authors are strident in professing that there is no central theme to this book, but I think that is disingenuous. I'd suggest that the book as a whole is an object lesson in the dangers of being led by theories based on observation, which can lead to very different conclusions than those based on careful data analysis. It is a convincing polemic warning us against naive acceptance of conventional wisdom, theorists and experts of all kinds.
An expert must be bold if he hopes to alchemize his homespun theory into conventional wisdom.
As Gil Grissom would say:
Let the evidence speak for itself..