Peter Donald wrote:
>
> At 09:56 19/9/00 +0100, you wrote:
> >I believe there is not yet a standard for LDAP ACL (RFC2080 of May this
> >year is informational) but both OpenLDAP and, I believe, Netscape
> >Directory Server, allow multiple per attribute of an object, per actor,
> >access level controls. (What, who, how). So, as far as I can see, you
> >could allow anyone to attempt to authenticate to the directory (ie bind)
> >but not grant authenticated users any rights. Would that solve this
> >issue?
>
> yep :P.
>
> Does it cost anything more thou ? I have NFI :P
In performance terms? Don't know.
>
> >What I had in mind for my uses, I'd probably allow users to change their
> >own passwords and contact details but not their mailquota, and to be
> >able to see only selected attributes of other users.
>
> okay - I just had a discussion with the guy who is designing LDAP directory
> for a large university and he has had a lot of problems with users altering
> stuff they shouldn't. ie Many people seemed to love to change their names
> to Superman/Wonderwoman etc and a lot of people changed their
> organisational unit so that they existed in a more prestigious group. While
> user editing stuff can be good they ended up only allowing two changes
> first name and phone number. The rest led to chaos (even of supposed
> professionals who administer the uni).
Handy hint. I agree that you have to be careful about what you let
people change.
>
> >> >I haven't done any scale tests so I couldn't say how slow or fast this
> >> >would be. Open to suggestions, though. But I'm not sure I'd want 3,000
> >> >users on one instance, anyway.
> >>
> >> well sure you do - if the mail server is acting as a gateway or relay and
> >> doesn't store any mail on the machine. Many machines who do present as a
> >> store (ie implement POP3/IMAP4r3) actually keep store on other machines and
> >> read it across network when a user requests it. This is based on details of
> >> how all the unis around here works so YMMV but it doesn't seem rare - not
> >> even an uncommon demand.
> >
> >But if it's acting as a gateway or relay, do you need or would you use
> >countUsers?
> >Similarly, if several machines are handling the POP3/IMAP connections
> >with a separate store, would you need or use countUsers?
> >
> >countUsers is only called by RemoteManager, I think, so if you can think
> >of a faster method, go for it, but otherwise, I suspect it is fine for
> >small installations and would not be used in large ones.
>
> personally I would remove the whole damn method :P. I think we did the same
> with repository (that used to have something similar) as that could cause
> problems when you store 32000 items in repository etc.
>
> My recommendation would be to remove it or else replace it with an Iterator.
> That way you could either control the cost (Iterator) or have 0 cost. YMMV
> thou.
I'll take a look.
Charles
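
The policy discussed in this thread (anyone may attempt to bind, users may change their own password and contact details but not their mailquota, and see only selected attributes of other users) could be written as OpenLDAP access rules along these lines. This is an added example, not part of the original messages or of the James code base; which attributes count as "contact details" and "selected attributes" is an assumption, and `mailquota` is assumed to be defined in the server's schema.

```conf
# slapd.conf ACL sketch (constructed; attribute selection is an assumption).
# slapd uses the first "access to" clause that matches the target, then the
# first matching "by" within it. The rootdn is not subject to these rules,
# so an administrator binding as rootdn can still set mailquota.

# Anyone may attempt to bind; the owner may change the password;
# nobody can read the stored value.
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none

# Contact details: the owner may edit, other authenticated users may read.
access to attrs=telephoneNumber
    by self write
    by users read
    by * none

# mailquota: the owner may see it but not change it; hidden from everyone else.
access to attrs=mailquota
    by self read
    by * none

# The selected attributes that other authenticated users may see.
# "entry" and objectClass are included so that a search can return the entry.
# "auth" for anonymous permits a bind attempt only; it grants no read access.
access to attrs=entry,objectClass,cn,mail
    by users read
    by anonymous auth
    by * none

# Everything else: read-only for the owner, no access for anyone else.
access to *
    by self read
    by * none
```

Because evaluation stops at the first matching clause, the specific attribute rules have to come before the catch-all `access to *`.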
------------------------------------------------------------
Archives: <http://www.mail-archive.com/james%40list.working-dogs.com/>