Booker Bense <[email protected]> writes:

> 12+ years ago when I was involved in the design of the Stanford SunetID
> system we spent a lot of time going back and forth about the pros and
> cons of each approach. I think time has clearly shown that splitting
> them into two buckets was the right choice.

I generally agree, although I'll warn that it's had some fairly significant operational consequences, so it's not an obvious decision. The biggest problem that we've had is with applications that need data from both trees, since most applications are not designed to merge two sets of LDAP data together.

This has primarily hit us with entitlements, since sometimes you want entitlements that go with people and sometimes you want entitlements with accounts. Part of the problem is that, for historical reasons, we associated all entitlements with people, which is actually the wrong thing to do. Most entitlements (and group membership) should be associated with the account, so that you can properly represent people with multiple accounts that have different levels of privilege (group membership and entitlements are the main way that privilege is represented in practice). But there are some entitlements that are really based on the person (such as ones related to affiliations) and should be inherited by the "primary" account.

We've now done a bunch of work to replicate the entitlements from the person entry to the directory entry for the primary account for that person, and we're still debugging that process. Everything would have been somewhat smoother if we'd anticipated that from the start.

-- 
Russ Allbery ([email protected]) <http://www.eyrie.org/~eagle/>

________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
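The split described above, as an added example that is not from the thread or from either site's directory: person entries and account entries live in separate trees, account-level entitlements stay on the account, person-level entitlements are inherited only by the person's primary account, and a consistency check flags people with zero or several primary accounts. The attribute names (owner, isPrimaryAccount, entitlement) and the sample DNs are assumptions for illustration, not a real schema.

```python
from typing import Dict, List

# Constructed sample entries keyed by DN (hypothetical schema, not a real site's).
PEOPLE = {
    "uid=alice,ou=people,dc=example,dc=org": {
        # Person-level entitlements, e.g. affiliation-derived ones.
        "entitlement": ["urn:mace:example.org:member", "urn:mace:example.org:staff"],
    },
}
ACCOUNTS = {
    "uid=alice,ou=accounts,dc=example,dc=org": {
        "owner": "uid=alice,ou=people,dc=example,dc=org",
        "isPrimaryAccount": "TRUE",
        "entitlement": ["urn:example.org:app:payroll:view"],
    },
    "uid=alice-admin,ou=accounts,dc=example,dc=org": {
        "owner": "uid=alice,ou=people,dc=example,dc=org",
        "isPrimaryAccount": "FALSE",
        # A higher-privilege account of the same person; it must NOT inherit
        # the person's entitlements and its own stay private to it.
        "entitlement": ["urn:example.org:app:payroll:admin"],
    },
}


def effective_entitlements(account_dn: str, accounts=ACCOUNTS, people=PEOPLE) -> List[str]:
    """Account's own entitlements, plus the owner's person-level ones if primary."""
    account = accounts[account_dn]
    own = list(account.get("entitlement", []))
    if account.get("isPrimaryAccount") != "TRUE":
        return own
    person = people.get(account["owner"], {})
    inherited = [e for e in person.get("entitlement", []) if e not in own]
    return own + inherited


def check_primary_uniqueness(accounts=ACCOUNTS, people=PEOPLE) -> Dict[str, int]:
    """Return person DNs whose primary-account count is not exactly one."""
    counts = {dn: 0 for dn in people}
    for acct in accounts.values():
        if acct.get("isPrimaryAccount") == "TRUE":
            counts[acct["owner"]] = counts.get(acct["owner"], 0) + 1
    return {dn: n for dn, n in counts.items() if n != 1}


if __name__ == "__main__":
    for dn in ACCOUNTS:
        print(dn, "->", effective_entitlements(dn))
    print("primary-account problems:", check_primary_uniqueness())
```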
