I agree with you Brett, that approach is probably the best balance. It
allows fine granularity permissions on the application side, the ability to
manage from the directory side, and it won't require specific schema in
ldap. This approach is similar to others I have seen and it is generally
well accepted among system operations folks these days.

Brent
On Dec 21, 2012 4:39 AM, "Brett Porter" <br...@apache.org> wrote:

>
> On 21/12/2012, at 7:39 PM, Olivier Lamy <ol...@apache.org> wrote:
>
> > Note something I'd like to add is to be able to use only ldap
> > (including for roles).
> > But probably not yet for this release, I have to think which ldap
> > attributes to use for role mapping (and a couple of other things :-)
> > ).
> > Does such a feature make sense?
>
> I'm not sure you'll get the granularity of the resources/permissions that
> you want without overly-polluting LDAP or unless you limit it to the global
> roles.
>
> Probably the better way to approach it is to add support for groups
> (mapped onto LDAP) that can be assigned to roles (still stored in
> Archiva/Redback).
>
> - Brett
>
> --
> Brett Porter
> br...@apache.org
> http://brettporter.wordpress.com/
> http://au.linkedin.com/in/brettporter
> http://twitter.com/brettporter
>