I'm not sure if this is what you mean Shi, but I think we're on the
same page with the problem with this: different applications tend to
have different permission sets, business processes that pass through
the applications, different ways of organizing and interpreting
permissions, and so on. You could configure groups of users in LDAP
(along with the authentication info), but adding permissions as well is
not terribly useful.
Some applications certainly put their permissions in LDAP, and are
made to be configured entirely through LDAP, which becomes a data
store that is an alternative to a relational database. However, it
doesn't mean that other applications will be able to share that
permission data, it just won't mean anything in the other apps.
-David
On Jun 19, 2008, at 10:26 PM, Shi Yusen wrote:
Adrian,
I guess you mean unified authentication and unified authorization. In
practice, unified authorization is useless.
Shi Yusen/Beijing Langhua Ltd.
On Thu, 2008-06-19 at 19:53 -0700, Adrian Crum wrote:
--- On Thu, 6/19/08, David E Jones <[EMAIL PROTECTED]> wrote:
I've had this discussion probably nearly 100 times with different
clients and different people, and been involved in over a dozen
different LDAP and SSO implementations. Based on that and reading this,
a few things come to mind:
1. only put in LDAP what other applications can share, since that is
the whole point: sharing data in standard structures (as much as such
things exist...); putting as much as possible into LDAP only adds
effort with no reward, and in fact can cause performance and other
problems compared to having that data in a database
So, what about keeping OFBiz permissions in LDAP? Did you read my
reply to Al? That's what I'm hoping to achieve - sharing OFBiz
permissions with network management applications.
-Adrian
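David's point in this thread is that group membership is the part of the directory other applications can share, while the meaning of a permission is application-specific. The following is an added illustration of that split, not OFBiz code and not from anyone in the thread: a constructed LDIF export holds only people and groupOfNames entries, and each application (an assumed "ofbiz" and an assumed "netmgmt") maps the shared groups onto its own permission vocabulary locally. The DNs, group names and permission strings are all made up for the example.

```python
"""Resolve application permissions from shared LDAP group membership.

Added illustration, not OFBiz or any project's code. The LDIF text, the
DN layout, the application names and the permission maps are constructed
for the example.
"""
from collections import defaultdict

# Constructed LDIF export of a directory that stores only identities and
# group membership, i.e. the data other applications can actually share.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: alice
cn: Alice Example

dn: cn=netops,ou=groups,dc=example,dc=com
objectClass: groupOfNames
cn: netops
member: uid=alice,ou=people,dc=example,dc=com

dn: cn=accounting,ou=groups,dc=example,dc=com
objectClass: groupOfNames
cn: accounting
member: uid=bob,ou=people,dc=example,dc=com
member: uid=alice,ou=people,dc=example,dc=com
"""

# Each application keeps its own mapping from shared group to its own
# permission vocabulary. A permission string from one application means
# nothing to the other, which is why only the groups live in LDAP here.
# Application and permission names are assumptions for this example.
APP_PERMISSION_MAPS = {
    "ofbiz": {
        "accounting": {"ACCOUNTING_VIEW", "ACCOUNTING_UPDATE"},
        "netops": {"PARTYMGR_VIEW"},
    },
    "netmgmt": {
        "netops": {"device:read", "device:configure"},
    },
}


def parse_ldif(text):
    """Return {dn: {attr: [values]}} from a minimal LDIF export."""
    entries = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            # Blank line terminates the current entry.
            current = None
            continue
        attr, _, value = line.partition(":")
        value = value.strip()
        if attr == "dn":
            current = entries.setdefault(value, defaultdict(list))
        elif current is not None:
            current[attr].append(value)
    return entries


def groups_for(entries, user_dn):
    """Group cns whose member attribute lists user_dn (the shareable part)."""
    return {
        e["cn"][0]
        for e in entries.values()
        if "groupOfNames" in e.get("objectClass", [])
        and user_dn in e.get("member", [])
    }


def permissions_for(entries, user_dn, app):
    """Permissions an application derives locally from the shared groups.

    Groups the application has no mapping for simply grant nothing, so an
    unknown group in the directory cannot leak a permission by accident.
    """
    perm_map = APP_PERMISSION_MAPS.get(app, {})
    perms = set()
    for group in groups_for(entries, user_dn):
        perms |= perm_map.get(group, set())
    return perms


if __name__ == "__main__":
    ents = parse_ldif(SAMPLE_LDIF)
    alice = "uid=alice,ou=people,dc=example,dc=com"
    for app in APP_PERMISSION_MAPS:
        print(app, sorted(permissions_for(ents, alice, app)))
```

Running it shows the same two directory groups yielding different permission sets in the two applications; adding the application permission strings themselves to the directory would not change what the other application could do with them.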