Hi,

On 04/24/2018 05:04 PM, Michael Ströder wrote:
> Shawn McKinney wrote:
>> Why use ACLs for fine-grained authZ?
>>
>> Its drawbacks:
>> - Not standard / LDAPv3 server lock-in (might not be a problem for you)
>> - difficult to maintain and test (complex)
>
> You have both of these issues for every non-trivial access control
> system. Especially you need automated tests.
>
>> To determine if necessary another question - how are your
>> applications interacting with the directory. Are they
>> connecting using LDAPv3 operations (like search and bind), or is
>> there a higher level abstraction in place (like
>> mod_authnz_ldap)?
>
> That's the real question: Does the end-user ever impersonate
> directly on the LDAP connection (optionally via a web
> application).

More and more services are moving towards SAML, OpenID etc., so one day we
may be able to shield clients from the actual database. But for now a lot
of our and 3rd-party software accesses the LDAP directory directly.

Greetings
Daniel
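Michael's remark that any non-trivial access control system needs automated tests can be made concrete. What follows is an added example, not code from this thread or from any LDAP server: a deliberately reduced, first-match ACL evaluator in the style of OpenLDAP's olcAccess rules, with an access matrix used as the executable specification of the policy. The olcAccess-like clause syntax, the DNs, the attribute names and the two policies are assumptions made up for illustration. The example shows the classic ordering mistake the thread calls "difficult to maintain": moving the attrs=userPassword rule behind the catch-all rule makes it unreachable, so any authenticated user can read password hashes and anonymous simple binds stop working, and the matrix catches both.

```python
# Added example (not from the thread): a reduced first-match ACL evaluator in the
# style of OpenLDAP's olcAccess rules, used to test an access matrix offline.
# The clause syntax, DNs, attribute names and policies below are constructed
# for illustration only.
from dataclasses import dataclass
from typing import Optional

# Access levels in ascending order; a granted level implies all lower ones.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]


@dataclass(frozen=True)
class Clause:
    who: str    # "self", "anonymous", "users", "*" or "dn:<exact bind DN>"
    level: str  # one of LEVELS


@dataclass(frozen=True)
class Rule:
    attrs: Optional[frozenset]  # None means "any attribute" (attrs=*)
    clauses: tuple              # evaluated in order; first matching subject wins


def who_matches(who: str, bind_dn: Optional[str], target_dn: str) -> bool:
    """Subject matching. bind_dn is None for an anonymous connection."""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if who == "users":
        return bind_dn is not None
    if who == "self":
        return bind_dn is not None and bind_dn.lower() == target_dn.lower()
    if who.startswith("dn:"):
        return bind_dn is not None and bind_dn.lower() == who[3:].lower()
    raise ValueError(f"unknown subject spec: {who}")


def effective_level(policy, bind_dn, target_dn, attr) -> str:
    """The first rule whose target matches decides; within it, the first
    matching clause wins. A rule that matches the target but none of whose
    clauses match the subject denies (implicit 'by * none'), as does a policy
    with no matching rule at all."""
    for rule in policy:
        if rule.attrs is not None and attr.lower() not in rule.attrs:
            continue
        for clause in rule.clauses:
            if who_matches(clause.who, bind_dn, target_dn):
                return clause.level
        return "none"
    return "none"


def allows(policy, bind_dn, target_dn, attr, needed) -> bool:
    got = effective_level(policy, bind_dn, target_dn, attr)
    return LEVELS.index(got) >= LEVELS.index(needed)


def check_matrix(policy, matrix):
    """Run every (bind_dn, target_dn, attr, needed, expected) case and return
    the cases whose outcome differs from the expectation."""
    failures = []
    for bind_dn, target_dn, attr, needed, expected in matrix:
        got = allows(policy, bind_dn, target_dn, attr, needed)
        if got != expected:
            failures.append((bind_dn, target_dn, attr, needed, expected, got))
    return failures


# Constructed sample subjects.
ALICE = "uid=alice,ou=people,dc=example,dc=org"
BOB = "uid=bob,ou=people,dc=example,dc=org"
ADMIN = "cn=admin,dc=example,dc=org"

PASSWORD_RULE = Rule(frozenset({"userpassword"}), (
    Clause(f"dn:{ADMIN}", "write"),
    Clause("self", "write"),
    Clause("anonymous", "auth"),  # simple binds need 'auth' on userPassword
    Clause("*", "none"),
))
CATCH_ALL_RULE = Rule(None, (
    Clause(f"dn:{ADMIN}", "write"),
    Clause("self", "write"),
    Clause("users", "read"),
    Clause("*", "none"),
))

INTENDED_POLICY = (PASSWORD_RULE, CATCH_ALL_RULE)
# Same two rules, swapped: the catch-all now shadows the userPassword rule.
MISORDERED_POLICY = (CATCH_ALL_RULE, PASSWORD_RULE)

# The access matrix is the executable specification of the policy.
ACCESS_MATRIX = [
    (ALICE, ALICE, "userPassword", "write", True),   # change own password
    (ALICE, BOB,   "userPassword", "read",  False),  # never read others' hashes
    (None,  BOB,   "userPassword", "auth",  True),   # anonymous may still bind
    (None,  BOB,   "userPassword", "read",  False),
    (ALICE, BOB,   "mail",         "read",  True),   # ordinary attrs readable
    (None,  BOB,   "mail",         "read",  False),
    (ALICE, BOB,   "mail",         "write", False),
    (ADMIN, BOB,   "userPassword", "write", True),
]


def main():
    for name, policy in (("intended", INTENDED_POLICY),
                         ("misordered", MISORDERED_POLICY)):
        failures = check_matrix(policy, ACCESS_MATRIX)
        print(f"{name}: {len(failures)} failing case(s)")
        for failure in failures:
            print("  ", failure)


if __name__ == "__main__":
    main()
```

The model only reproduces the first-match semantics, so it catches shadowing and ordering mistakes in the policy as written; in a real deployment the same matrix should additionally be driven against the live server, with each case performed as a bind followed by a search, compare or modify, so that what the server actually enforces is what gets tested.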
