
Re: role based authorization -> dynacl module?



Shawn McKinney wrote:
> Why use ACLs for fine-grained authZ?
> 
> Its drawbacks:
> - Not standard / LDAPv3 server lock-in (might not be a problem for you)
> - Difficult to maintain and test (complex)

You have both of these issues with every non-trivial access control
system. In particular, you need automated tests.

> To determine if necessary, another question: how are your
> applications interacting with the directory?  Are they connecting
> using LDAPv3 operations (like search and bind), or is there a
> higher-level abstraction in place (like mod_authnz_ldap)?

That's the real question: does the end user ever impersonate directly on
the LDAP connection (optionally via a web application)?

Ciao, Michael.
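As an added illustration of the "difficult to maintain and test" point and of why automated tests are needed, here is a deliberately simplified model of OpenLDAP-style ordered access directives with a small regression check. This is example code written for this page, not slapd's ACL engine and not anything the thread participants posted: it keeps only the ordering semantics (the first matching `to` clause wins, and inside it the first matching `by` clause decides) and a tiny subset of selectors (`*`, `self`, `users`, `anonymous`, `dn.exact=`, `dn.subtree=`). The DNs, the rule sets and the behaviour that an unmatched directive denies access are constructed assumptions for the example.

```python
"""Simplified model of slapd-style ordered access rules plus regression tests.

Assumptions (not slapd's real engine): only entry-level 'to' selectors, a
subset of 'by' selectors, no attribute selectors, no 'stop/break' control,
and a denied result whenever no directive or no 'by' clause matches.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# Access levels in ascending order; a grant of level X implies all lower levels.
# (slapd also has 'disclose' and 'manage'; omitted from this model.)
LEVELS = ["none", "auth", "compare", "search", "read", "write"]


@dataclass
class By:
    who: str      # "*", "self", "users", "anonymous", "dn.exact=<dn>", "dn.subtree=<dn>"
    access: str   # one of LEVELS


@dataclass
class Access:
    to: str                              # "*", "dn.exact=<dn>" or "dn.subtree=<dn>"
    by: List[By] = field(default_factory=list)


def _dn_matches(selector: str, dn: str) -> bool:
    """Match a DN selector against a DN (case-insensitive, no normalisation)."""
    if selector == "*":
        return True
    kind, _, value = selector.partition("=")
    dn, value = dn.lower(), value.lower()
    if kind == "dn.exact":
        return dn == value
    if kind == "dn.subtree":
        return dn == value or dn.endswith("," + value)
    raise ValueError(f"unsupported selector: {selector}")


def _who_matches(who: str, bind_dn: Optional[str], target_dn: str) -> bool:
    """Match a 'by' selector against the bound identity (None = anonymous)."""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if who == "users":
        return bind_dn is not None
    if who == "self":
        return bind_dn is not None and bind_dn.lower() == target_dn.lower()
    return bind_dn is not None and _dn_matches(who, bind_dn)


def effective_access(rules: List[Access], bind_dn: Optional[str], target_dn: str) -> str:
    """First matching 'to' directive wins; within it, first matching 'by' decides."""
    for rule in rules:
        if not _dn_matches(rule.to, target_dn):
            continue
        for clause in rule.by:
            if _who_matches(clause.who, bind_dn, target_dn):
                return clause.access
        return "none"   # 'to' matched but no 'by' matched: implicit 'by * none'
    return "none"       # no directive matched at all (model assumption: deny)


def allowed(rules: List[Access], bind_dn: Optional[str], target_dn: str, wanted: str) -> bool:
    return LEVELS.index(effective_access(rules, bind_dn, target_dn)) >= LEVELS.index(wanted)


# Constructed sample identities.
ALICE = "uid=alice,ou=people,dc=example,dc=com"
BOB = "uid=bob,ou=people,dc=example,dc=com"


def example_rules() -> List[Access]:
    """Intended policy: people edit their own entry, users read, anonymous may bind."""
    return [
        Access("dn.subtree=ou=people,dc=example,dc=com", [
            By("self", "write"),
            By("users", "read"),
            By("anonymous", "auth"),
        ]),
        Access("*", [By("*", "read")]),
    ]


def shadowed_rules() -> List[Access]:
    """Constructed 'bad edit': a broad directive inserted in front of the specific one.

    Because the first matching 'to' wins, the ou=people directive is now dead
    code and users silently lose write access to their own entry.
    """
    return [Access("*", [By("users", "read"), By("anonymous", "auth")])] + example_rules()


# Expectations the policy must keep satisfying: (bind_dn, target_dn, level, allowed?)
EXPECTATIONS = [
    (ALICE, ALICE, "write", True),    # a user may edit their own entry
    (BOB, ALICE, "read", True),       # other users may read it
    (BOB, ALICE, "write", False),     # but may not change it
    (None, ALICE, "auth", True),      # anonymous may bind against it
    (None, ALICE, "read", False),     # anonymous may not read it
]


def regression_checks(rules: List[Access]) -> list:
    """Return the expectations the rule set violates; an empty list means pass."""
    return [e for e in EXPECTATIONS if allowed(rules, e[0], e[1], e[2]) != e[3]]


if __name__ == "__main__":
    print("intended policy violations:", regression_checks(example_rules()))
    print("after bad edit, violations:", regression_checks(shadowed_rules()))
```

The point of `regression_checks` is that the damage done by `shadowed_rules` is invisible when reading the directives one at a time; only an ordered, automated evaluation of concrete bind/target pairs catches the shadowing, which is the testing burden the thread refers to.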