
Re: Split user management



> I think an extension point is a good idea. Password policy management is useless because the client's user management handles the passwords and password policies. Fortress without user management doesn't care about password policies and users.
>

Agreed.

> Using an InetOrgPerson as an object class is a good idea because, at the beginning, we can make the hypothesis that the client's user management will be LDAP only. But perhaps other kinds of user management could be handled with some specific development.
>

Agreed

> The big problem, I think, is that Fortress actually fills attributes in the Roles and Users stored in the LDAP. If Users are no longer stored and managed in OpenLDAP, Fortress must create new objects to manage USER-ROLE assignments. For example, a USER-ROLE assignment object with attributes describing the role owned by a user and the constraints on this role assignment (time period, day period, etc.).

More questions:

What interactions should Fortress have with the external directory -
should it be capable of binding, reading user attributes, i.e. group
assignments?  What about provisioning - should the Fortress AdminMgr
APIs be capable of provisioning user data into the external directory?
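The separate USER-ROLE assignment object proposed in the quoted message, sketched as an added example to show what such an entry would carry and how its temporal constraints would be evaluated. This is not Fortress code: the object class and ft* attribute names, the sample DNs and the sample assignments are all hypothetical or constructed for the illustration. The user entry itself lives in the external directory and is only referenced by DN; nothing is ever written to it.

```python
"""Stand-alone USER-ROLE assignment object with temporal constraints, for the
case where users live in an external directory and are referenced by DN only.
All class/attribute names here are hypothetical, chosen for this example."""
import hashlib
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, datetime, time
from typing import Dict, FrozenSet, List, Optional, Set


@dataclass(frozen=True)
class RoleAssignment:
    user_dn: str                        # DN of the inetOrgPerson in the external directory
    role: str                           # role name as known to Fortress
    begin_time: Optional[time] = None   # daily activation window, inclusive
    end_time: Optional[time] = None     # may be earlier than begin_time (crosses midnight)
    begin_date: Optional[date] = None   # validity period, inclusive
    end_date: Optional[date] = None
    day_mask: FrozenSet[int] = frozenset(range(1, 8))  # ISO weekdays, 1=Mon .. 7=Sun

    def permits(self, at: datetime) -> bool:
        """True if this role may be active for the user at the given instant."""
        d, t = at.date(), at.time()
        if self.begin_date is not None and d < self.begin_date:
            return False
        if self.end_date is not None and d > self.end_date:
            return False
        if at.isoweekday() not in self.day_mask:
            return False
        if self.begin_time is not None and self.end_time is not None:
            if self.begin_time <= self.end_time:
                return self.begin_time <= t <= self.end_time
            # A window such as 22:00-06:00 is valid late in the day or early the next.
            return t >= self.begin_time or t <= self.end_time
        return True


class AssignmentStore:
    """In-memory stand-in for assignment entries Fortress would keep in its own
    LDAP subtree, keyed by the external user's DN."""

    def __init__(self) -> None:
        self._by_user: Dict[str, List[RoleAssignment]] = defaultdict(list)

    @staticmethod
    def _key(user_dn: str) -> str:
        # Simplified DN normalisation: case-insensitive, whitespace around RDNs ignored.
        return ",".join(p.strip() for p in user_dn.lower().split(","))

    def assign(self, ra: RoleAssignment) -> None:
        self._by_user[self._key(ra.user_dn)].append(ra)

    def active_roles(self, user_dn: str, at: datetime) -> Set[str]:
        """Roles whose assignment constraints are satisfied at the given instant."""
        return {ra.role for ra in self._by_user.get(self._key(user_dn), []) if ra.permits(at)}

    def active_roles_at(self, user_dn: str, when_iso: str) -> Set[str]:
        """Convenience wrapper taking an ISO 8601 timestamp such as 2024-03-12T10:00."""
        return self.active_roles(user_dn, datetime.fromisoformat(when_iso))


def to_ldif(ra: RoleAssignment, base_dn: str) -> str:
    """Render one assignment as its own LDAP entry. ftUserRoleAssignment and the
    ft* attributes are hypothetical names; unset constraints are simply omitted."""
    assign_id = hashlib.sha256(f"{ra.user_dn}\0{ra.role}".encode()).hexdigest()[:16]
    attrs = [
        ("objectClass", "ftUserRoleAssignment"),
        ("ftAssignId", assign_id),
        ("ftUserDn", ra.user_dn),
        ("ftRole", ra.role),
        ("ftBeginTime", ra.begin_time.strftime("%H%M") if ra.begin_time else None),
        ("ftEndTime", ra.end_time.strftime("%H%M") if ra.end_time else None),
        ("ftBeginDate", ra.begin_date.strftime("%Y%m%d") if ra.begin_date else None),
        ("ftEndDate", ra.end_date.strftime("%Y%m%d") if ra.end_date else None),
        ("ftDayMask", "".join(str(d) for d in sorted(ra.day_mask))),
    ]
    lines = [f"dn: ftAssignId={assign_id},{base_dn}"]
    lines += [f"{name}: {value}" for name, value in attrs if value is not None]
    return "\n".join(lines) + "\n"


def demo_store() -> AssignmentStore:
    """Constructed sample data, not taken from any real deployment."""
    store = AssignmentStore()
    alice = "uid=alice,ou=people,dc=example,dc=com"
    bob = "uid=bob,ou=people,dc=example,dc=com"
    # Weekday office-hours role, valid for calendar year 2024 only.
    store.assign(RoleAssignment(alice, "accountant",
                                begin_time=time(8, 0), end_time=time(18, 0),
                                begin_date=date(2024, 1, 1), end_date=date(2024, 12, 31),
                                day_mask=frozenset(range(1, 6))))
    # Overnight role: the daily window crosses midnight.
    store.assign(RoleAssignment(alice, "nightops", begin_time=time(22, 0), end_time=time(6, 0)))
    # Unconstrained role.
    store.assign(RoleAssignment(bob, "auditor"))
    return store


if __name__ == "__main__":
    s = demo_store()
    who = "uid=alice,ou=people,dc=example,dc=com"
    for when in ("2024-03-12T10:00", "2024-03-12T23:00", "2024-03-16T10:00"):
        print(when, sorted(s.active_roles_at(who, when)))
    print(to_ldif(RoleAssignment(who, "nightops", time(22, 0), time(6, 0)),
                  "ou=assignments,dc=example,dc=com"))
```

Keeping the assignment as its own entry means Fortress needs only read access (and, if it authenticates users, bind) against the external directory; the provisioning question raised above reduces to whether AdminMgr is allowed to create the referenced inetOrgPerson at all, since the assignment subtree is Fortress's own.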