I don't agree that attempting to control OFBiz user permissions through a management application is useless. There are a number of programs here where I work that integrate well with NDS and allow me to control them through a single management console.

I can't imagine being in a large corporation and having to create user logins and passwords multiple times for each user. That would be an administration nightmare!

Anyways...

David - you mentioned integrating OFBiz with LDAP for clients, yet I don't see any evidence of it in OFBiz. Is there a chance you could share your insights with me? Do you think it would be worth checking into including Apache DS in OFBiz? Like we do with Tomcat?

-Adrian


David E Jones wrote:

I'm not sure if this is what you mean Shi, but I think we're on the same page with the problem with this: different applications tend to have different permission sets, business processes that pass through the applications, different ways of organizing and interpreting permissions, and so on. You could configure groups of users in LDAP (along with the authentication info), but added permissions as well is not terribly useful.

Some applications certainly put their permissions in LDAP, and are made to be configured entirely through LDAP, which becomes a data store that is an alternative to a relational database. However, it doesn't mean that other applications will be able to share that permission data, it just won't mean anything in the other apps.

-David


On Jun 19, 2008, at 10:26 PM, Shi Yusen wrote:

Adrian,

I guess you mean unified authentication and unified authorization. In
practice, unified authorization is useless.

Shi Yusen/Beijing Langhua Ltd.


On Thu, 2008-06-19 at 19:53 -0700, Adrian Crum wrote:
--- On Thu, 6/19/08, David E Jones <[EMAIL PROTECTED]> wrote:
I've had this discussion probably nearly 100 times with different
clients and different people, and been involved in over a dozen
different LDAP and SSO implementations. Based on that and reading this
a few things come to mind:

1. only put in LDAP what other applications can share, since that is
the whole point: sharing data in standard structures (as much as such
things exist...); putting as much as possible into LDAP only adds
effort with no reward, and in fact can cause performance and other
problems compared to having that data in a database

So, what about keeping OFBiz permissions in LDAP? Did you read my reply to Al? That's what I'm hoping to achieve - sharing OFBiz permissions with network management applications.

-Adrian
