Re: openldap and service permissions

[myren <thefowle@wam.umd.edu>]

> > I'd like large grained control over my services like FTP & Samba. 
> > They're set up to use LDAP for user authentication.  I'd like to be 
> > able to enable and disable services on a per user basis.  Eventually 
> > I'd like to enable and disable on a per group basis as well.

>  From my experience, LDAP is really not well suited for handling 
> authorization queries, because they tend to be higly relational and 
> require lots of indices in order to come anywhere near acceptable 
> performance. Don't use a hierarchical database for relational queries.

> An A&A scheme should be three phased:
>
>  - first authenticate a user via LDAP
> if that succeeds
>  - second query authorization data from SQL
>  - third decide if you will grant access

Kerberos is performing the authentication.  I was hoping to have LDAP do 
my authorization.  The whole pointing of doing the whole Kerberos+LDAP 
tango is to get a relatively database.  Throwing pieces to MySQL seems 
like blasphemy.

Cant you just add some attribute to the user schema for each service and 
check that?  That doesnt seem all that heavily relational.

I dont really know much about LDAP, but I always thought this is what it 
was built for.  I'm not trying to do heavily OLAP multi-dimensionally 
querying, i'm not trying to use LDAP to stack walk through a permissions 
stack here, I'm trying to set a flag to say whether a service is enabled 
or not.

Can someone explain why LDAP cant do this reasonably?  What is LDAP good 
for then?

Myren