> From: David E Jones <[EMAIL PROTECTED]>
> Subject: Re: Discussion: OFBiz Security Refactor
> To: dev@ofbiz.apache.org
> Date: Friday, June 20, 2008, 2:42 PM
>
> On Jun 20, 2008, at 8:30 AM, Adrian Crum wrote:
>
> > I don't agree that attempting to control OFBiz user permissions through a management application is useless. There are a number of programs here where I work that integrate well with NDS and allow me to control them through a single management console.
> >
> > I can't imagine being in a large corporation and having to create user logins and passwords multiple times for each user. That would be an administration nightmare!
>
> Integration with LDAP for usernames and passwords is a great idea, and perhaps even groups of users as I mentioned below.
>
> What doesn't make as much sense is handling permissions through LDAP... that's where I think it is more effort than it is worth and doesn't make sense in most organizations... and I've never seen that done.
I've seen it at work. We have Canon copiers, tape backup software, and our database software all integrated with Novell's eDirectory (their version of LDAP).

> Anyways...
>
> > David - you mentioned integrating OFBiz with LDAP for clients, yet I don't see any evidence of it in OFBiz. Is there a chance you could share your insights with me? Do you think it would be worth checking into including Apache DS in OFBiz? Like we do with Tomcat?
>
> I'm not sure of what insights you're interested in, but I'm happy to pontificate any time! ;)
>
> As for integrating Apache DS in OFBiz, I don't know how useful it would be. If someone is just using OFBiz then it doesn't make sense and makes things harder instead of easier. If someone is deploying OFBiz in a corporate environment and they want to use LDAP, then they should already have an LDAP server around (Novell, Sun, Microsoft, OpenLDAP, Apache DS, or whatever), otherwise again it doesn't make much sense to use.
>
> Still, I'd love to hear what others think about this, and if it does make sense and/or is desired, then we might as well go for it!

I like the Apache Directory group's take on things: Why write user authentication code for your J2EE application, when you can just plug in an existing library?

I guess I'm in their frame of mind - stuff like permissions should be kept in a directory, and the directory should be managed by an open source library. Maybe this idea is too advanced for now - we can come back to it later.

I'm glad we finally have LDAP authentication. It makes my job much easier! I'll put the LDAP permissions thing on the shelf.

-Adrian