On Mon, Dec 28, 2009 at 3:39 AM, Joscha Feth <[email protected]> wrote:
> Chris Anderson wrote:
>
>> I'm attempting to make more sense of CouchDB's authentication system.
>> The current system is a proverbial ball of spaghetti. I'm still in the
>> investigation stage of my work, and I'm writing this to clarify my
>> thoughts and solicit feedback.
>
> Hi Chris,
>
> It's maybe not the ideal place to discuss this, but when using LDAP as the
> authentication mechanism within a reverse proxy, I noticed that the
> username (we have a large userbase, and users may have different e-mail
> addresses) to be used to log in might differ from time to time, so the
> user might use "[email protected]" as well as "[email protected]" to log in, but it's still the
> same user.
My first thought is that there's got to be some common identifier in your LDAP space (like a UUID or something) that is the real identifier here. But I'm just guessing, maybe there's not...

> Another question I didn't find anything about in the docs: is it
> intended to store additional properties within userCtx beside .name and
> .roles?

I'm still on the fence about that. Reasons like your LDAP extensibility mean maybe we should allow more fields. On the other hand, I can imagine people abusing that and getting themselves stuck in a land with weird security bugs.

Damien has mentioned to me the idea of a site security object, which would be stored in the database, and passed to validation functions. This would allow the validation function to know things like: "this application's authorization is implemented in terms of roles like author and editor. This site's authentication gives users roles like employee and manager. For this site, let's map employees to authors and managers to editors."

I don't know if this quite does the trick for you. I think I need to understand the first question (is there a real ID for your multi-named users?) before I get much further.

One top concern I have with the multi-name stuff is immutability. As you mentioned, you'd be checking for set membership instead of equality, which helps that some.

Chris

--
Chris Anderson
http://jchrisa.net
http://couch.io
