Hi,
On 04/24/2018 05:04 PM, Michael Ströder wrote:
> Shawn McKinney wrote:
>> Why use ACLs for fine-grained authZ?
>>
>> Its drawbacks:
>> - Not standard / LDAPv3 server lock-in (might not be a problem for you)
>> - Difficult to maintain and test (complex)
>
> You have both of these issues for every non-trivial access control
> system. In particular, you need automated tests.
>
>> To determine if it's necessary, another question: how are your
>> applications interacting with the directory? Are they connecting
>> using LDAPv3 operations (like search and bind), or is there a
>> higher-level abstraction in place (like mod_authnz_ldap)?
>
> That's the real question: does the end-user ever impersonate
> directly on the LDAP connection (optionally via a web
> application)?
More and more services are moving towards SAML, OpenID etc., so one
day we may be able to shield clients from the actual database. But for
now, a lot of our own and third-party software accesses the LDAP
directory directly.
Greetings
Daniel