Re: role based authorization -> dynacl module?

Shawn McKinney wrote: > Why use ACL’s for fine-grained authZ? > > It’s drawbacks, - Not standard / LDAPv3 server lock-in (might not > be a problem for you) - difficult to maintain and test (complex) You have both of these issues for every non-trivial access control system. Especially you need automated tests. > To determine if necessary another question - how are your > applications interacting with the directory. Are they > connecting using LDAPv3 operations (like search and bind), or is > there are higher level abstraction in place, (like > mod_authnz_ldap)? That's the real question: Does the end-user ever impersonate directly on the LDAP connection (optionally via a web application).

-----BEGIN PGP SIGNATURE----- iQIzBAEBCAAdFiEETmV9Y92VyKk8bwJc663P4/qAgV0FAlrfcI8ACgkQ663P4/qA gV3J7w/+J3pUIUhabJPlrq9cbkXhk1+MawNtGZQzwPuIusDI9Z5sVCZDKSpiT2aT PxW6Y6b6obZiwTmMPjU4sOXV8yr4RNSDhQIdqsi0clgyPIMHHVHoCPMH6qQpYvB7 rBj+UTqcDWwclfYI6/LPewSSIiVsSrUi9rFgl3NORcEQb8geUGgWjYecQD0bTnwg yYciMlB3lgku20h1ZeRYRD3N3yURnR40I6kzXATednngEuvma+Vm35N9OsU8hKA1 k9EQFFrNg9jbV+npK62UefE+0leLGT6y0u93EOmYQP0/2E+M2rGVKWqXhoBwtBqr iXbXT7PasXZVoHBTnNXODKvOz2Eg2v/pjVlvEV2vwVnBjzNuly+e2I7fzA8EakVm 6TON7r+0zZFO5CzR4a+WerAR5iOVb/+9FlLsTZ6N2pB4TDgkZlEBDEXvidSnA+np w8plI9S9br0jVTHCrxH/ISrFY0IJU5Tsh8Jd/YybU1cAL+grIga41rpuCbwVWJv7 9EJekzM/t9iCOr52uLexspiHpc0pdvuGiNfPIzSg4n6h8Sw3I50EXF4/RsJAytqS y5Egz701vSj2G2zB4VtUZxaOb4aZhc8VLFRtsYPSt/Jxyh9dGs/UXsxn/5Hxgr8S 6srEL+WPq5PbqUZAY9cBM10P1C0/IscM+Xc4umtXotbKhbl1Uc8= =vyvG -----END PGP SIGNATURE-----