[Fedora-directory-users] Ideas for fds - roles / forward groups [Auf Viren geprüft]

[Frerk.Meyer at Edeka.de]

ns* attribute names:

Yes, it is a good habit to mark proprietary attributes. The trouble
is to change the name afterwards is cumbersome. Every application
which does not make the role attribute name configurable has to be changed
and compiled again. Nevertheless ist would we right thing to do.
Since it is a virtual attribute anyway the LDAP server may for some time
generate two attributes with name nsrole and ldapRole or something,
documenting nsrole as deprecated.

Roles for authorization in LDAP:

Yes, I admit it: I wanted to mention ACIs as an example of using
nsrole for authorization but for the sake of simplicity I deleted what
I had written because in ACIs you may use group membership
to and mix both. So the names are misleading anyways: You
may use roles for group definition and groups for authorization
via ACIs as well.

Java-LDAP Interface: too simple, too narrow

In fact I was really surprised how bad the interface of the
Sun Java App Server 7 to the Sun Directory Server 5.x
is: Suns App Server JNDIRealm isn't able to use nsroles but
Tomcat 5.x is able to do it (I havent't looked at AppServer 8).
Both are very limited since they cannot
use ACIs to define Java security. They even cannot lookup the
roles after authenticaton, so changes are ignored.
I wrote my own security realm so java applications can use
ACIs to dynamically define authorization. But it is not integrated
with the J2EE Security Manager, my Java knowledge isn't enough
and maybe it isn't possible at all.


Frerk Meyer

EDEKA Aktiengesellschaft
GB Datenverarbeitung
Frerk Meyer
CC Web Technologien
New-York-Ring 6
22297 Hamburg
Tel: 040/6377 - 3272
Fax: 040/6377 - 41268
mailto:frerk.meyer at edeka.de