www-infrastructure-dev mailing list archives

From Aristedes Maniatis <...@ish.com.au>
Subject Re: Centralised authentication/authorisation
Date Sun, 07 Dec 2008 10:29:31 GMT

On 05/12/2008, at 12:02 PM, Tony Stevenson wrote:

>>> https://svn.apache.org/repos/asf/infrastructure/trunk/projects/ldap-project/
>>>
>
> This tree is now "rw" for all committers.
> Please feel free to update the docs as they stand so far.

My LDAP experience is not as extensive as others here I'm sure, but  
the proposed documentation raises some questions I haven't seen  
discussed here:

* why has openldap been dismissed from consideration as a server? I'd  
have thought it was one of the most used servers available?

* I know phpldapadmin is clunky in many ways, but the fact that you  
can create templates makes it one of the more user friendly admin  
tools for people not familiar with the nuance of the ldap command  
line. It could form the basis of a customised front end.

* what objectClasses are being used? Will people be inetOrgPerson or  
posixUser or a custom apachePerson class with all the appropriate  
attributes brought together?

* will memberOf be used? I use the plugin for openldap to generate  
these and they prove to be extremely useful for integrating with  
different LDAP consumers.

* why are people divided into "ou=availid-a" groups? Are the speed  
improvements worth this extra layer?

* will email address be used as part of the dn or will they be given  
some sort of unique number (eg. "uidNumber=1234, ou=people, dc=apache,  
dc=org") Using an autogenerated id would appear to be much more robust  
since then the dn is immutable through the change from outsider to  
cla-user to committer to board, not to mention name (eg marriage) or email  
changes. The proposed schema looks like 'username' is part of the dn  
which might be troublesome on these counts.


Please excuse me if these things have been already discussed and  
resolved before.


Ari Maniatis


-------------------------->
ish
http://www.ish.com.au
Level 1, 30 Wilson Street Newtown 2042 Australia
phone +61 2 9550 5001   fax +61 2 9550 4001
GPG fingerprint CBFB 84B4 738D 4E87 5E5C  5EFA EF6A 7D2E 3E49 102A
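
An added example, not part of the original message or of the ldap-project documentation: a small Python model of the DN-stability point raised in the last question above. It assumes group membership is stored as member DNs and that nothing rewrites those values when an entry is renamed; the `Directory` class, the group DN and all names are constructed for illustration.

```python
# Added illustration: an in-memory model, not a real LDAP client or server.
# Every DN, name and group here is constructed sample data.
GROUP = "cn=committers,ou=groups,dc=apache,dc=org"  # hypothetical group entry


class Directory:
    def __init__(self):
        self.entries = {}  # DN -> attributes
        self.groups = {}   # group DN -> set of member DNs

    def add(self, dn, **attrs):
        self.entries[dn] = dict(attrs)

    def add_member(self, group_dn, member_dn):
        self.groups.setdefault(group_dn, set()).add(member_dn)

    def modify(self, dn, **attrs):
        self.entries[dn].update(attrs)

    def rename(self, old_dn, new_dn):
        # Models a rename with no referential-integrity handling:
        # the entry moves, stored member values stay as they were.
        self.entries[new_dn] = self.entries.pop(old_dn)

    def dangling_members(self):
        # Group members whose DN no longer resolves to an entry.
        return sorted((g, m) for g, members in self.groups.items()
                      for m in members if m not in self.entries)


def username_in_dn():
    d = Directory()
    old = "uid=jsmith,ou=people,dc=apache,dc=org"
    new = "uid=jdoe,ou=people,dc=apache,dc=org"
    d.add(old, cn="Jane Smith", mail="jsmith@example.org")
    d.add_member(GROUP, old)
    d.rename(old, new)  # a name change forces a new DN
    d.modify(new, cn="Jane Doe", mail="jdoe@example.org")
    return d.dangling_members()


def number_in_dn():
    d = Directory()
    dn = "uidNumber=1234,ou=people,dc=apache,dc=org"
    d.add(dn, uid="jsmith", cn="Jane Smith", mail="jsmith@example.org")
    d.add_member(GROUP, dn)
    # The same name change only touches attributes; the DN is unchanged.
    d.modify(dn, uid="jdoe", cn="Jane Doe", mail="jdoe@example.org")
    return d.dangling_members()
```

In the first case the group still lists the old DN, so a consumer that authorises by matching the user's current DN against group members no longer finds the renamed user.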


