Shawn McKinney wrote:
> Why use ACLs for fine-grained authZ?
> - Not standard / LDAPv3 server lock-in (might not be a problem for you)
> - difficult to maintain and test (complex)
You have both of these issues for every non-trivial access control
system. Especially you need automated tests.
> To determine if necessary another question - how are your
> applications interacting with the directory. Are they connecting
> using LDAPv3 operations (like search and bind), or is there a
> higher level abstraction in place (like mod_authnz_ldap)?
That's the real question: Does the end-user ever impersonate directly on
the LDAP connection (optionally via a web application)?