> From: David E Jones <[EMAIL PROTECTED]>
> Subject: Re: Discussion: OFBiz Security Refactor
> To: [email protected]
> Date: Friday, June 20, 2008, 2:42 PM
> On Jun 20, 2008, at 8:30 AM, Adrian Crum wrote:
>
> > I don't agree that attempting to control OFBiz user permissions through a management application is useless. There are a number of programs here where I work that integrate well with NDS and allow me to control them through a single management console.
> >
> > I can't imagine being in a large corporation and having to create user logins and passwords multiple times for each user. That would be an administration nightmare!
>
> Integration with LDAP for usernames and passwords is a great idea, and perhaps even groups of users as I mentioned below.
>
> What doesn't make as much sense is handling permissions through LDAP... that's where I think it is more effort than it is worth and doesn't make sense in most organizations... and I've never seen that done.
I've seen it at work. We have Canon copiers, tape backup software, and our
database software all integrated with Novell's eDirectory (their version of
LDAP).
> > Anyways...
> >
> > David - you mentioned integrating OFBiz with LDAP for clients, yet I don't see any evidence of it in OFBiz. Is there a chance you could share your insights with me? Do you think it would be worth checking into including Apache DS in OFBiz? Like we do with Tomcat?
>
> I'm not sure of what insights you're interested in, but I'm happy to pontificate any time! ;)
>
> As for integrating Apache DS in OFBiz, I don't know how useful it would be. If someone is just using OFBiz then it doesn't make sense and makes things harder instead of easier. If someone is deploying OFBiz in a corporate environment and they want to use LDAP, then they should already have an LDAP server around (Novell, Sun, Microsoft, OpenLDAP, Apache DS, or whatever), otherwise again it doesn't make much sense to use.
>
> Still, I'd love to hear what others think about this, and if it does make sense and/or is desired, then we might as well go for it!
I like the Apache Directory group's take on things: Why write user
authentication code for your J2EE application, when you can just plug in an
existing library? I guess I'm in their frame of mind - stuff like permissions
should be kept in a directory, and the directory should be managed by an open
source library.
Maybe this idea is too advanced for now - we can come back to it later.
I'm glad we finally have LDAP authentication. It makes my job much easier! I'll
put the LDAP permissions thing on the shelf.
-Adrian