Usability of the Access Control System for OpenLDAP

Abstract

This thesis addresses the usability of the Access Control System of OpenLDAP. OpenLDAP is a open source implementation of the Lightweight Directory Access Protocol (LDAP), which is a protocol that communicates with a directory service. A directory service is a database that stores information about network resources, such as files, printers and users. An access control system is the mechanism that mediates access, for example, read or write, to a resource by a user. The access control system makes these decisions based on an access control policy which states who should have access to what. We hypothesize that the access control system of OpenLDAP has poor usability. By usability, in this context, we mean how easy it is for a systems administrator to encode a high-level, informally expressed, enterprise security policy as an access control policy in syntax that OpenLDAP expects. We discuss the design and carrying out of a human-subject study to validate this hypothesis. The study consist of presenting a high-level policy to the participants and asking them to translate it into an OpenLDAP policy. The study has been approved by the University of Waterloo’s office of research ethics. We have carried out the study with a total of 54 users. We present the results from analyzing the data we collected from the study. We observe that our hypothesis is validated in that only few (20%) people were able to express a high-level policy as a correct OpenLDAP policy. There is a low correlation between self reported correctness and actual correctness which suggest that people are not aware if they made any mistake in their submission. The main source of error comes from confusion about the OpenLDAP syntax and how precedence rule works.