On Jun 20, 2008, at 8:30 AM, Adrian Crum wrote:
I don't agree that attempting to control OFBiz user permissions
through a management application is useless. There are a number of
programs here where I work that integrate well with NDS and allow me
to control them through a single management console.
I can't imagine being in a large corporation and having to create
user logins and passwords multiple times for each user. That would
be an administration nightmare!
Integration with LDAP for usernames and passwords is a great idea, and
perhaps even groups of users as I mentioned below.
What doesn't make as much sense is handling permissions through
LDAP... that's where I think it is more effort than it is worth and
doesn't make sense in most organizations... and I've never seen that
done.
Anyways...
David - you mentioned integrating OFBiz with LDAP for clients, yet I
don't see any evidence of it in OFBiz. Is there a chance you could
share your insights with me? Do you think it would be worth checking
into including Apache DS in OFBiz? Like we do with Tomcat?
I'm not sure what insights you're interested in, but I'm happy to
pontificate any time! ;)
As for integrating Apache DS in OFBiz, I don't know how useful it
would be. If someone is just using OFBiz then it doesn't make sense
and makes things harder instead of easier. If someone is deploying
OFBiz in a corporate environment and they want to use LDAP, then they
should already have an LDAP server around (Novell, Sun, Microsoft,
OpenLDAP, Apache DS, or whatever), otherwise again it doesn't make
much sense to use.
Still, I'd love to hear what others think about this, and if it does
make sense and/or is desired, then we might as well go for it!
-David
David E Jones wrote:
I'm not sure if this is what you mean Shi, but I think we're on the
same page with the problem with this: different applications tend
to have different permission sets, business processes that pass
through the applications, different ways of organizing and
interpreting permissions, and so on. You could configure groups of
users in LDAP (along with the authentication info), but added
permissions as well is not terribly useful.
Some applications certainly put their permissions in LDAP, and are
made to be configured entirely through LDAP, which becomes a data
store that is an alternative to a relational database. However, it
doesn't mean that other applications will be able to share that
permission data, it just won't mean anything in the other apps.
-David
On Jun 19, 2008, at 10:26 PM, Shi Yusen wrote:
Adrian,
I guess you mean unified authentication and unified authorization. In
practice, unified authorization is useless.
Shi Yusen/Beijing Langhua Ltd.
On Thu, 2008-06-19 at 19:53 -0700, Adrian Crum wrote:
--- On Thu, 6/19/08, David E Jones <[EMAIL PROTECTED]> wrote:
I've had this discussion probably nearly 100 times with different
clients and different people, and been involved in over a dozen
different LDAP and SSO implementations. Based on that and reading
this, a few things come to mind:
1. only put in LDAP what other applications can share, since that is
the whole point: sharing data in standard structures (as much as such
things exist...); putting as much as possible into LDAP only adds
effort with no reward, and in fact can cause performance and other
problems compared to having that data in a database
So, what about keeping OFBiz permissions in LDAP? Did you read my
reply to Al? That's what I'm hoping to achieve - sharing OFBiz
permissions with network management applications.
-Adrian