Hi,
On 04/24/2018 05:04 PM, Michael Ströder wrote:
> Shawn McKinney wrote:
>> Why use ACLs for fine-grained authZ?
>> Its drawbacks:
>> - Not standard / LDAPv3 server lock-in (might not be a problem for you)
>> - Difficult to maintain and test (complex)
>
> You have both of these issues for every non-trivial access control system. Especially, you need automated tests.
>
>> To determine if necessary, another question: how are your applications interacting with the directory? Are they connecting using LDAPv3 operations (like search and bind), or is there a higher-level abstraction in place (like mod_authnz_ldap)?
>
> That's the real question: does the end-user ever impersonate directly on the LDAP connection (optionally via a web application)?

More and more services are moving towards SAML, OpenID etc., so one day we may be able to shield clients from the actual database. But for now a lot of our and 3rd-party software accesses the LDAP directory directly.
Greetings,
Daniel