+1 on the LDAP authentication, Adrian - BIG WIN all the way around. As for permission - I've been a part of this many times - everyone wants to do what you're describing when the idea first hits the group - then they test and start looking at their enterprise and let the actual applications handle authorization. Just my two cents.

Cheers,
Tim
--
Tim Ruppert
HotWax Media
http://www.hotwaxmedia.com

o:801.649.6594
f:801.649.6595


On Jun 20, 2008, at 7:39 PM, Adrian Crum wrote:

From: David E Jones <[EMAIL PROTECTED]>
Subject: Re: Discussion: OFBiz Security Refactor
To: dev@ofbiz.apache.org
Date: Friday, June 20, 2008, 2:42 PM
On Jun 20, 2008, at 8:30 AM, Adrian Crum wrote:

I don't agree that attempting to control OFBiz user permissions through a management application is useless. There are a number of programs here where I work that integrate well with NDS and allow me to control them through a single management console.

I can't imagine being in a large corporation and having to create user logins and passwords multiple times for each user. That would be an administration nightmare!

Integration with LDAP for usernames and passwords is a great idea, and perhaps even groups of users as I mentioned below.

What doesn't make as much sense is handling permissions through LDAP... that's where I think it is more effort than it is worth and doesn't make sense in most organizations... and I've never seen that done.

I've seen it at work. We have Canon copiers, tape backup software, and our database software all integrated with Novell's eDirectory (their version of LDAP).

Anyways...

David - you mentioned integrating OFBiz with LDAP for clients, yet I don't see any evidence of it in OFBiz. Is there a chance you could share your insights with me? Do you think it would be worth checking into including Apache DS in OFBiz? Like we do with Tomcat?

I'm not sure what insights you're interested in, but I'm happy to pontificate any time! ;)

As for integrating Apache DS in OFBiz, I don't know how useful it would be. If someone is just using OFBiz then it doesn't make sense and makes things harder instead of easier. If someone is deploying OFBiz in a corporate environment and they want to use LDAP, then they should already have an LDAP server around (Novell, Sun, Microsoft, OpenLDAP, Apache DS, or whatever), otherwise again it doesn't make much sense to use.

Still, I'd love to hear what others think about this, and if it does make sense and/or is desired, then we might as well go for it!

I like the Apache Directory group's take on things: Why write user authentication code for your J2EE application, when you can just plug in an existing library? I guess I'm in their frame of mind - stuff like permissions should be kept in a directory, and the directory should be managed by an open source library.

Maybe this idea is too advanced for now - we can come back to it later.

I'm glad we finally have LDAP authentication. It makes my job much easier! I'll put the LDAP permissions thing on the shelf.

-Adrian

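The split the thread settles on (the directory holds usernames, passwords and perhaps group membership; the application decides permissions) sketched as a small added Python example. This is not OFBiz code and not from any of the posters; OFBiz is Java, and the group DNs, permission names and the in-memory stand-in for the directory below are constructed for illustration. A real deployment would send the search filter and the bind to the LDAP server instead of the dictionary lookup here. Two practitioner caveats are built in: the username is escaped per RFC 4515 before it goes into a search filter (otherwise "*)(uid=*" turns a lookup for one user into a wildcard), and a bind with an empty password is refused client-side, because RFC 4513 allows a server to treat DN-plus-empty-password as an anonymous bind that "succeeds" without proving anything.

```python
"""Directory for authentication, application for authorization.
Added illustrative example; not OFBiz code.  Directory contents,
group DNs and permission names are constructed for the example."""
import hmac

# RFC 4515: characters that must be escaped inside a filter assertion value.
_FILTER_SPECIALS = '\\*()\x00'


def escape_filter_value(value: str) -> str:
    """Escape a value for safe use inside an LDAP search filter."""
    return ''.join('\\%02x' % ord(ch) if ch in _FILTER_SPECIALS else ch
                   for ch in value)


def user_search_filter(username: str) -> str:
    """Filter used to locate the entry to bind as; attacker-controlled
    input is escaped so it cannot change the filter's structure."""
    return '(&(objectClass=person)(uid=%s))' % escape_filter_value(username)


# Application-side policy: which directory groups confer which permissions.
# Unknown groups grant nothing (deny by default).  Names are assumed.
GROUP_PERMISSIONS = {
    'cn=accounting,ou=groups,dc=example,dc=com': {'ACCOUNTING_VIEW', 'ACCOUNTING_UPDATE'},
    'cn=catalog-admins,ou=groups,dc=example,dc=com': {'CATALOG_ADMIN'},
}


def normalize_dn(dn: str) -> str:
    """Case-fold and trim RDNs so 'cn=Accounting, ou=Groups' matches the
    policy table.  Adequate for these sample DNs; production code should
    compare the server-normalized form (RDN values may contain commas)."""
    return ','.join(part.strip().lower() for part in dn.split(','))


def permissions_for(member_of) -> set:
    """Map memberOf DNs to application permissions; deny by default."""
    perms = set()
    for dn in member_of:
        perms |= GROUP_PERMISSIONS.get(normalize_dn(dn), set())
    return perms


# Constructed stand-in for the directory: uid -> (password, memberOf).
# A real client would search with user_search_filter() and then bind.
DIRECTORY = {
    'alice': ('correct horse', ['cn=Accounting, ou=Groups, dc=example, dc=com']),
    'bob': ('hunter2', []),
}


def authenticate(username: str, password: str):
    """Return the permission set on a successful bind, else None."""
    # Refuse the unauthenticated-bind case (RFC 4513 section 5.1.2) before
    # talking to the server: an empty password must never be "successful".
    if not password:
        return None
    entry = DIRECTORY.get(username)
    if entry is None:
        return None
    stored_password, member_of = entry
    # Constant-time comparison stands in for the server's bind verdict.
    if not hmac.compare_digest(stored_password.encode(), password.encode()):
        return None
    return permissions_for(member_of)


if __name__ == '__main__':
    print(user_search_filter('*)(uid=*'))
    print(authenticate('alice', 'correct horse'))
    print(authenticate('alice', ''))
```

The point of the layout: the directory answers "who is this and which groups are they in", and the table in the application answers "what may they do", so the permission vocabulary never has to be pushed into the directory schema.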