Shawn McKinney wrote:
Why use ACL’s for fine-grained authZ?
Its drawbacks:
- Not standard / LDAPv3 server lock-in (might not be a problem for you)
- difficult to maintain and test (complex)
You have both of these issues for every non-trivial access control system. Especially you need automated tests.
To determine if it is necessary, another question: how are your applications interacting with the directory? Are they connecting using LDAPv3 operations (like search and bind), or is there a higher level abstraction in place (like mod_authnz_ldap)?
That's the real question: Does the end-user ever impersonate directly on the LDAP connection (optionally via a web application).
Ciao, Michael.
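The point about whether the end user's own identity reaches the LDAP connection decides whether directory ACLs can do fine-grained authorization at all. The fragment below is an added illustration, not part of the thread and not tied to any product the participants named; it assumes OpenLDAP's `olcAccess` syntax and a constructed `dc=example,dc=com` tree with a hypothetical `cn=webapp` service account. The `by self` and `by group.exact` clauses only ever match when the request arrives under the end user's DN, so an application that binds once as `cn=webapp` and then acts for everyone falls through to the `by dn.exact="cn=webapp,..."` line for every user, and the per-user and per-group distinctions have to be re-implemented in the application instead.

```ldif
# Added example (assumed OpenLDAP cn=config syntax, constructed DIT).
# Rule 1: passwords are writable by the owner, usable for bind by anyone,
# invisible otherwise.
olcAccess: {0}to attrs=userPassword
  by self write
  by anonymous auth
  by * none

# Rule 2: "sensitive" attributes are readable by their owner and by the HR
# group. Both of these clauses depend on the bound DN being the end user.
# A service account that acts on behalf of all users only ever matches the
# dn.exact clause and gets a single, coarse answer (here: read) for every
# end user, so the fine-grained decision moves out of the directory.
olcAccess: {1}to dn.subtree="ou=People,dc=example,dc=com"
  attrs=mobile,homePostalAddress
  by self write
  by group.exact="cn=HR,ou=Groups,dc=example,dc=com" read
  by dn.exact="cn=webapp,ou=Services,dc=example,dc=com" read
  by * none

# Rule 3: everything else in the People subtree is readable by
# authenticated users and by the service account.
olcAccess: {2}to dn.subtree="ou=People,dc=example,dc=com"
  by users read
  by dn.exact="cn=webapp,ou=Services,dc=example,dc=com" read
  by * none
```

Rules are evaluated in order and the first `to` clause that matches the target decides, so the more specific attribute rule has to precede the subtree-wide one; this ordering sensitivity is one reason such ACL sets need automated tests (for example, `ldapsearch` runs bound as a representative user, an HR member and the service account, with the expected attribute sets checked for each).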