Craig Berry wrote:
> That's necessary for such purposes as adding users, of course.
> And it can certainly be used for single-user data access.  But
> the preferred mechanism for getting a single user's data is to
> authenticate as that user and then grab the data.  This minimizes
> the potential for accidental or intentional abuse.  The reasoning
> is similar to why even users who have root access on Unix
> systems don't always log on as root.

Good point, but what about assigning LDAP user privileges? Isn't
it necessary to assign each new user rights to read and modify
his own data, and read global group/role/permission data?
This would make creating new users much more complicated.
Using a single LDAP account to access all data on behalf of the
Turbine application makes the installation easier.

> Or in which it may be retrievable, but encrypted.  Even if you
> include client-side code to encrypt and compare, you're dependent
> on the server-side encryption scheme never changing, which is a
> slight danger.  You must also provide a client-side encryption
> implementation for each back-end scheme supported by the app.
> Far easier to pass the password to the back end and let *it* do
> the encrypt and compare.  Again, the analogy to Unix's password
> scheme is instructive.

A server that is presented a plaintext password, encrypts it and
sends it back for client side compare does not make much sense,
now does it? Sensible servers would store the encrypted password,
and return only compare results, just as unix/NT login etc.
 
> I hope it makes more sense, now...further questions are welcome,
> if not.  And I'm *very* much looking forward to seeing the forthcoming
> LDAP user mgmt. model for Turbine!  (It'll be interesting to see how
> much it parallels the code I've been playing with here, none of which
> has approached releasable quality.)

You can see most of the framework in org.apache.turbine.services.security,
but there will be some additions to it. Right now I'm working on refactoring
the ACLs, and my friend is working on LDAP user implementation.

Rafal
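The two points argued over above, that the directory should hold only a hashed password and answer bind/compare requests with a yes or no, and that a user who authenticates as himself can be confined to his own entry while the one application service account reads everything, as an added Python model. This is example code written for this page, not code from the thread or from Turbine; the in-memory directory, its DNs, attribute names and passwords are all constructed, and the {SSHA} encoding is the salted-SHA1 form many LDAP servers use for userPassword.

```python
import base64
import hashlib
import hmac
import os

# Added example, not code from the thread or from Turbine.  An in-memory
# stand-in for a directory server: it keeps only a salted hash of each
# password, its bind/compare operations return booleans and never the stored
# value, and a bound user may read only its own entry while the single
# application service account may read every entry.  All DNs, attribute
# names and passwords are constructed.

SALT_LEN = 8
SHA1_LEN = 20


def ssha_hash(password, salt=None):
    """Encode a password in the {SSHA} form commonly kept in userPassword."""
    salt = os.urandom(SALT_LEN) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password, stored):
    """Check a plaintext password against a stored {SSHA} value."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)  # constant-time compare


class Directory:
    """Minimal directory: stores entries, answers bind and compare requests."""

    SERVICE_DN = "cn=turbine,ou=services,dc=example,dc=com"  # constructed

    def __init__(self):
        self._entries = {}  # dn -> attributes; userPassword is stored hashed

    def add_entry(self, dn, password, **attrs):
        self._entries[dn] = {"userPassword": ssha_hash(password), **attrs}

    def bind(self, dn, password):
        """Authenticate as dn.  Returns a Session or None, nothing more."""
        entry = self._entries.get(dn)
        if entry is None or not ssha_verify(password, entry["userPassword"]):
            return None  # same answer for an unknown DN and a wrong password
        return Session(self, dn)

    def compare(self, dn, attribute, value):
        """LDAP-style compare: reveals only whether the value matches."""
        entry = self._entries.get(dn)
        if entry is None:
            return False
        if attribute == "userPassword":
            return ssha_verify(value, entry["userPassword"])
        return entry.get(attribute) == value

    def read_as(self, requester_dn, target_dn):
        # A bound user sees only its own entry; the service account sees all.
        if requester_dn != self.SERVICE_DN and requester_dn != target_dn:
            return None
        entry = self._entries.get(target_dn)
        if entry is None:
            return None
        # The hash itself is never handed out, even to the service account.
        return {k: v for k, v in entry.items() if k != "userPassword"}


class Session:
    """Handle returned by a successful bind; every read is tied to the bound DN."""

    def __init__(self, directory, dn):
        self._directory, self.dn = directory, dn

    def read(self, target_dn):
        return self._directory.read_as(self.dn, target_dn)


ALICE = "uid=alice,ou=people,dc=example,dc=com"  # constructed
BOB = "uid=bob,ou=people,dc=example,dc=com"      # constructed


def build_demo_directory():
    """Constructed sample data: the service account and two users."""
    d = Directory()
    d.add_entry(Directory.SERVICE_DN, "service-secret")
    d.add_entry(ALICE, "alice-pw", mail="alice@example.com")
    d.add_entry(BOB, "bob-pw", mail="bob@example.com")
    return d


def demo():
    """Exercise both access patterns and return the observable results."""
    d = build_demo_directory()
    as_alice = d.bind(ALICE, "alice-pw")  # authenticate as the user herself
    as_app = d.bind(Directory.SERVICE_DN, "service-secret")  # single app account
    return {
        "wrong_password_binds": d.bind(ALICE, "guess") is not None,
        "unknown_dn_binds": d.bind("uid=nobody,ou=people,dc=example,dc=com", "x") is not None,
        "compare_correct": d.compare(ALICE, "userPassword", "alice-pw"),
        "compare_wrong": d.compare(ALICE, "userPassword", "bob-pw"),
        "alice_reads_self": as_alice.read(ALICE),
        "alice_reads_bob": as_alice.read(BOB),
        "app_reads_bob": as_app.read(BOB),
    }
```

Calling `demo()` shows the trade-off from the thread in one place: the per-user bind confines Alice to her own entry and makes every read attributable to her, while the service-account bind reads anything, which is why the quoted message prefers the first for single-user access and the second only for administrative work such as adding users. In both cases the client hands the plaintext password to the directory and gets back only a yes or no; it never sees, stores or re-implements the {SSHA} scheme.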

