directory-dev mailing list archives

From "Alex Karasulu" <>
Subject Re: Google Team Edition and Triplesec
Date Sat, 09 Feb 2008 15:13:03 GMT
Sorry for taking so long to respond; I was dealing with a computer
catastrophe here for the past few days.  More inline ...

On Feb 7, 2008 1:21 PM, Jesse McConnell <> wrote:

> oh goodie, I have been waiting/lurking for some triplesec material to crop
> up on this list since talking to david jencks at apachecon :)

I've been researching this for some time now (years) and I think the schema
for what we need in terms of the proper resolution to support things like
exposing policy via XACML and other policy expression languages is pretty

I would like to carve out an IETF draft specifically for this and implement
it here after having experimented with previous ideas in Triplesec.

We've had many conversations with David on this list and I think we have
resolved some of our differences.  It's only a matter now of sitting down and
writing the schema.

> in general there seems to be a shortage of actual open source role based
> access control implementations so any offering in this regard is good for
> triplesec and apacheds...I am hoping to swap out the rbac implementation in
> redback (underlying user manglement solution in use for continuum and
> archiva in mavenlands) with something a little more standard and bullet
> proof.

Excellent.  Your feedback will be most welcome and furthermore you're welcome
to join us in Triplesec development if you find the time and are interested.

> On Feb 7, 2008 12:12 PM, Ole Ersoy <> wrote:
> > Hey Guys,
> >
> > I was just reading through this article:
> >
> >
> >
> > and thought of triplesec.  From 50K feet (OK maybe a little lower) it
> > sounds like Triplesec would be the ideal solution for managing (create,
> > read, write, execute, etc.) groups of collaborators working on different
> > documents.

Absolutely.  We have been trying to get there but there are a few things we
need in ADS to support efficient application of policy in an ACDF (Access
Control Decision Function).

We are also thinking of using this schema in combination with another
authorization schema based on subschema in addition to the basic
authorization supported by ApacheDS today.

Also I think this is a great place for us to collaborate with the OpenLDAP
folks like Howard et al.

> > All the users could be stored in ADS, along with the locations of user
> > documents, and the users could then just assign permissions using the role
> > based hierarchy discussed.

Yep that's the idea.  We'll get there.  We just need more hands on people,
time and support.

> > This seems to be a hot area for Google Apps, and thus presumably others
> > will follow suit, and if triplesec were positioned as the right solution for
> > this it could be good for all of ADS as a whole.

Thanks for the post Ole & Jesse.  Let me know if you guys have any other
questions or are interested in chipping away at some of our issues.

