[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: openldap and service permissions

To: myren <thefowle@wam.umd.edu>
Subject: Re: openldap and service permissions
From: Mike Jackson <mj@sci.fi>
Date: Mon, 21 Feb 2005 19:44:15 +0200
Cc: openldap-software@OpenLDAP.org
In-reply-to: <42191500.4090600@wam.umd.edu>
References: <42191500.4090600@wam.umd.edu>
User-agent: Mozilla Thunderbird 0.7.3 (X11/20040803)

myren wrote:

I'd like large grained control over my services like FTP & Samba. They're set up to use LDAP for user authentication. I'd like to be able to enable and disable services on a per user basis. Eventually I'd like to enable and disable on a per group basis as well.

From my experience, LDAP is really not well suited for handling authorization queries, because they tend to be higly relational and require lots of indices in order to come anywhere near acceptable performance. Don't use a hierarchical database for relational queries.

An A&A scheme should be three phased:

 - first authenticate a user via LDAP
if that succeeds
 - second query authorization data from SQL
 - third decide if you will grant access

Otherwise, you will start to see 1000 character long search filters in your logfiles and the server will crawl on it's knees...

--
mike

Follow-Ups:
- Re: openldap and service permissions
  - From: myren <thefowle@wam.umd.edu>

References:
- openldap and service permissions
  - From: myren <thefowle@wam.umd.edu>

Prev by Date: Re: Openldap scalability issues
Next by Date: Re: OpenLDAP - versioning/stability questions
Index(es):
- Chronological
- Thread