Peter Donald wrote:
>
> At 03:07 18/9/00 +0100, you wrote:
> >> * In the code below you check a password by logging in as a principal - why don't
> >> you just log in as super-user (cached connection) and read the password and
> >> compare?
> >
> >I'm not convinced that reading passwords is a good idea. Additionally, I
> >did try it and, if I remember right, James needs to know how the password
> >is stored in the directory (e.g. plain text, crypt, SHA, etc.). I don't think
> >apps should know that sort of detail. What happens here is, effectively,
> >an LDAP bind, which I think is the right way to test a password.
>
> but doesn't that mean more users are allowed access to the LDAP server - i.e.
> joe-bloe could easily walk in and do stuff? I know you can lock it down so
> no modifies are possible, but as far as I am aware you are not allowed to
> block at object level? I doubt this sorta policy would be allowable in some
> situations - not sure (as I said, LDAP weenie :P)
I believe there is not yet a standard for LDAP ACLs (RFC 2080 of May this
year is informational), but both OpenLDAP and, I believe, Netscape
Directory Server allow multiple per-attribute-of-an-object, per-actor
access level controls (what, who, how). So, as far as I can see, you
could allow anyone to attempt to authenticate to the directory (i.e. bind)
but not grant authenticated users any rights. Would that solve this
issue?
What I had in mind for my uses: I'd probably allow users to change their
own passwords and contact details but not their mail quota, and to be
able to see only selected attributes of other users.
>
> >> * Isn't the below code really slow if you have users in the vicinity of
> >> 3000 or so? If so, is there any way in LDAP to get around it? Is there
> >> any way countUsers can be deprecated as a required method, as it seems
> >> incredibly expensive? Perhaps by returning an Iterator?
> >
> >countUsers is in purely because it was a method in Fede's file
> >implementation. I was trying, as far as possible, not to alter the
> >interface.
>
> ahh :P
>
> >I haven't done any scale tests, so I couldn't say how slow or fast this
> >would be. Open to suggestions, though. But I'm not sure I'd want 3,000
> >users on one instance, anyway.
>
> well sure you do - if the mail server is acting as a gateway or relay and
> doesn't store any mail on the machine. Many machines that do present as a
> store (i.e. implement POP3/IMAP4r3) actually keep the store on other machines and
> read it across the network when a user requests it. This is based on details of
> how all the unis around here work, so YMMV, but it doesn't seem rare - not
> even an uncommon demand.
But if it's acting as a gateway or relay, do you need or would you use
countUsers?
Similarly, if several machines are handling the POP3/IMAP connections
with a separate store, would you need or use countUsers?
countUsers is only called by RemoteManager, I think, so if you can think
of a faster method, go for it, but otherwise I suspect it is fine for
small installations and would not be used in large ones.
Charles
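The bind-based password check discussed in this thread, written out as an added JNDI example (not James's own code, and not from any poster); the LDAP URL, DN template and the `LdapBindCheck` class name are assumptions. It includes the two checks a bind-based verifier needs and the thread does not spell out: an empty password must be rejected before the bind, because an empty-credential simple bind is an anonymous/unauthenticated bind that many servers accept, and a connection failure must fail closed.

```java
import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

/** Verifies a password by binding to the directory as the user (hypothetical class). */
public final class LdapBindCheck {
    private final String providerUrl;    // assumed, e.g. "ldaps://ldap.example.org:636"
    private final String userDnTemplate; // assumed, e.g. "uid=%s,ou=people,dc=example,dc=org"

    public LdapBindCheck(String providerUrl, String userDnTemplate) {
        this.providerUrl = providerUrl;
        this.userDnTemplate = userDnTemplate;
    }

    /** Returns true only if the directory accepts a simple bind as this user. */
    public boolean verifyPassword(String uid, String password) {
        // An empty password is an anonymous or unauthenticated bind, which the
        // server may well accept: reject it here so it can never count as success.
        if (password == null || password.isEmpty()) return false;
        // Only allow a conservative uid alphabet so the DN cannot be altered.
        if (uid == null || !uid.matches("[A-Za-z0-9._-]+")) return false;

        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, providerUrl);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, String.format(userDnTemplate, uid));
        env.put(Context.SECURITY_CREDENTIALS, password);

        DirContext ctx = null;
        try {
            ctx = new InitialDirContext(env); // the constructor performs the bind
            return true;
        } catch (AuthenticationException e) {
            return false;                     // wrong password or unknown user
        } catch (NamingException e) {
            return false;                     // server unreachable etc.: fail closed
        } finally {
            if (ctx != null) {
                try { ctx.close(); } catch (NamingException ignored) { }
            }
        }
    }
}
```

The bind is made on a fresh, per-attempt context rather than the cached super-user connection, so the application never needs to know how the directory stores the password.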
Archives: <http://www.mail-archive.com/james%40list.working-dogs.com/>