
Re: role based authorization -> dynacl module?


Hi,

On 04/24/2018 05:04 PM, Michael Ströder wrote:
> Shawn McKinney wrote:
>> Why use ACLs for fine-grained authZ?
>> 
>> Its drawbacks:
>> - Not standard / LDAPv3 server lock-in (might not be a problem for you)
>> - Difficult to maintain and test (complex)
> 
> You have both of these issues for every non-trivial access control 
> system. Especially you need automated tests.
> 
>> To determine if necessary, another question - how are your 
>> applications interacting with the directory?  Are they
>> connecting using LDAPv3 operations (like search and bind), or is
>> there a higher-level abstraction in place (like
>> mod_authnz_ldap)?
> 
> That's the real question: Does the end-user ever impersonate
> directly on the LDAP connection (optionally via a web
> application).
More and more services are moving towards SAML, OpenID etc., so one
day we may be able to shield clients from the actual database. But for
now a lot of our own and third-party software accesses the LDAP
directory directly.

Greetings
Daniel