----- Original Message ----
From: Ralph Rößner <[EMAIL PROTECTED]>

>There are many things to consider, and it is difficult to advise you
>without knowing your situation. You want to authenticate people
>accessing your LDAP. Do these people already have accounts in your
>system (i.e. for shell access)? Do you want to reuse these accounts? If
>so then where do these accounts reside, e.g. passwd file, kerberos, ...?

Their accounts will be established through a Plone (Zope) site I'm building. That's scenario #1. Scenario #2 has *no* accounts except for my own. In that scenario, I'm simply accessing data and spitting it out. Actually, there are two sub-scenarios here:

(a) where a request comes in for a Web page, I translate the request to something that corresponds to my document tree. The reason for this is because certain SEs don't like deep doc trees, but a deep doc tree is necessary for organizational purposes in my case. So I want to assign a number to each doc, have that published to the outside world for the sake of the SEs, then translate it internally to fetch the document;

(b) Many of the documents reference other outside docs in a standard manner. These references are framed in tables, with unvarying structure. Because I continually add such references, I don't want to end up with docs that are hundreds of thousands of bytes. So, I want to automate that when the number referenced in a given doc reaches a certain point, say 20, that the doc selects only the newest (or most recently added) and displays them, with a second generated page to click to the next 20, etc. I could do that in MySQL, but LDAP seems like the more logical choice, since, once entered, the data will not be changed.

>Do you need authentication realms, i.e. separate namespaces for users,
>so [EMAIL PROTECTED] is considered different from [EMAIL PROTECTED]? Do you need
>proxy authorization, e.g. userA needs the access rights of userB when
>userB is on vacation, or userA and userB share a responsibility and you
>want to set up a role account that both have access to? Do you need
>challenge-response authentication or are you ok with plain passwords
>over a TLS secured connection? In other words, do you need the SASL
>features at all?

Of the above, I dislike plain passwords for pretty obvious security reasons. That is the only reason I want SASL.

>You may have to consider the access rules you want to enforce. The use
>of role accounts, for example, ties into the proxy auth question above.
>A simple "super user may write, authenticated user may read, others may
>do nothing (except authenticate)" scheme, on the other hand, requires no
>"SASL special" features to implement.

All users in scenario #1 will have the ability to update their password and edit their other information.

>Tons of questions, see?

Yes :)

>You can only choose a SASL (or even a non-SASL) setup when you have
>decided on some answers.

I appreciate your help ;)

TIA,
Rachel