Cheers,
Tim

--
Tim Ruppert
HotWax Media
http://www.hotwaxmedia.com

o:801.649.6594
f:801.649.6595

On Jun 20, 2008, at 7:39 PM, Adrian Crum wrote:

> From: David E Jones <[EMAIL PROTECTED]>
> Subject: Re: Discussion: OFBiz Security Refactor
> To: dev@ofbiz.apache.org
> Date: Friday, June 20, 2008, 2:42 PM
>
>> On Jun 20, 2008, at 8:30 AM, Adrian Crum wrote:
>>
>>> I don't agree that attempting to control OFBiz user permissions
>>> through a management application is useless. There are a number of
>>> programs here where I work that integrate well with NDS and allow me
>>> to control them through a single management console.
>>>
>>> I can't imagine being in a large corporation and having to create
>>> user logins and passwords multiple times for each user. That would
>>> be an administration nightmare!
>>
>> Integration with LDAP for usernames and passwords is a great idea, and
>> perhaps even groups of users as I mentioned below. What doesn't make as
>> much sense is handling permissions through LDAP... that's where I think
>> it is more effort than it is worth and doesn't make sense in most
>> organizations... and I've never seen that done.
>
> I've seen it at work. We have Canon copiers, tape backup software, and
> our database software all integrated with Novell's eDirectory (their
> version of LDAP).
>
>>> Anyways... David - you mentioned integrating OFBiz with LDAP for
>>> clients, yet I don't see any evidence of it in OFBiz. Is there a
>>> chance you could share your insights with me? Do you think it would be
>>> worth checking into including Apache DS in OFBiz? Like we do with
>>> Tomcat?
>>
>> I'm not sure of what insights you're interested in, but I'm happy to
>> pontificate any time! ;)
>>
>> As for integrating Apache DS in OFBiz, I don't know how useful it would
>> be. If someone is just using OFBiz then it doesn't make sense and makes
>> things harder instead of easier. If someone is deploying OFBiz in a
>> corporate environment and they want to use LDAP, then they should
>> already have an LDAP server around (Novell, Sun, Microsoft, OpenLDAP,
>> Apache DS, or whatever), otherwise again it doesn't make much sense to
>> use.
>>
>> Still, I'd love to hear what others think about this, and if it does
>> make sense and/or is desired, then we might as well go for it!
>
> I like the Apache Directory group's take on things: Why write user
> authentication code for your J2EE application, when you can just plug in
> an existing library? I guess I'm in their frame of mind - stuff like
> permissions should be kept in a directory, and the directory should be
> managed by an open source library.
>
> Maybe this idea is too advanced for now - we can come back to it later.
>
> I'm glad we finally have LDAP authentication. It makes my job much
> easier! I'll put the LDAP permissions thing on the shelf.
>
> -Adrian