-----Original Message-----
From: Rafal Krzewski [mailto:[EMAIL PROTECTED]]
Sent: Thursday, September 21, 2000 3:02 PM
To: Turbine
Subject: Re: Validate in user class vs LDAP
>First, let me remind you that the list has decided not to use
>html email. It's no problem for me, but some people dislike it.
My apologies. For various reasons, I'm stuck using Outlook for my
at-work email. I thought I had it set to always use plain text format
for email; apparently not. I've reconfirmed the setting, so hopefully
this is going out correctly. If not, I'll take a deeper look at it.
>I'm all in for allowing the largest range of possibilities, but
>this is something that we didn't even try with the databases, because
>managing DB user accounts and privileges is complicated and very
>server dependent. Some of them allow a user to grant other users
>the permissions they have, but others require administrator privileges
>to grant rights. Creation of new user accounts is usually reserved
>only to the administrators. Now, it is almost always desirable that a web
>application could create user accounts on its own, and we certainly
>wouldn't like to give admin privileges over the database server
>to the application. Keeping the system secure would require human
>intervention whenever creation of a new account is requested. This
>is not an acceptable solution for sites that are expected to grow
>to hundreds or thousands of users.
So instead you put the username and password for an admin account
in the config file, of course. My point was only that the minimum
possible level of privilege should (ideally) be used for each action.
If all you need is to read a single user's data, and perhaps update
non-privileged fields, then authenticate as that user. Again, ideally.
In reality, authenticating as an admin user for all purposes may be
more practical.
>I don't have any experience in LDAP server management, but I suspect
>that they are very similar to database servers in this regard.
>This makes me believe that using a user's personal information for
>authenticating to the LDAP server is not practical.
The same issues definitely apply.
>> Cool, I'm going to pull it down this morning.
>
>I committed another boatload of changes today :)
Do you ever sleep? :) Great work on the whole thing, by the way.
> By the way, has anyone made Jetspeed 1.2b1 work with the new Turbine?
>Uh, I bet the Jetspeed guys are not happy about recent shuffling of
>many commonly-used classes (like User, or TurbineUserPeer) around.
>On the other hand, nobody came here to complain. They probably will
>once they try to upgrade their turbine.jar :-).
I just broached the subject on the Jetspeed list. No response so far.
But it's definitely fundamentally broken by the new Turbine. Ouch.
--
Craig Berry
GlueCode
