From: Larry Stone [mailto:l...@mit.edu]
>I mostly agree, but suggest you consider what happens when e.g. the LDAP
>entry goes away; we can't get rid of the EPerson because it's connected to
>some policy objects or something,
For the most part, I wouldn't consider policy objects to be relevant - if you
remove the LDAP entry, and therefore lose the ability to log in, then what that
login could or couldn't do is meaningless.
Although you have a question as to what to do with those authorizations -
should they be removed (in case someone else is later given an LDAP entry of
the same name?), or are they retained for a while in case the loss of an LDAP
entry was temporary / an accident?
The other interesting question to consider is what might happen if the identity
provider changes - either an organisation changing the identity provider en
masse (i.e. LDAP to Shibboleth), or a person leaving an organisation and losing
their LDAP entry, but still required to have access rights.
>Also, what about when the identity source is unavailable or slow?
>If the administrator is editing groups, do you want to wait for dozens
>of name queries for each page?
Agreed. Performance is an issue - would you want to swamp the identity source
on every page access just to display a 'Welcome' message?
>The identity plugin could implement
>some caching too, but that won't help for the first pass through a
>long user list.
Depends on how it is used - if you require users to log in first, before you
administer groups, etc., then it would be possible to create / update the
cached entry on login, and then the administrative pages can simply use the
cache.
But realistically, if you have a central identity source, it would be better
for administrators to be able to set up access rights without the user ever
having logged in to the repository.
G