[Acegisecurity-developer] Quest question about using LDAP

2006-04-15 Thread Ray Krueger
When using LDAP as an authentication source, where do you guys feel
the ROLEs belong? Should they be managed in LDAP by whatever LDAP
admin is in charge, or should the ROLEs be stored in the application
database and associated to some user table based on the LDAP username?

I think it is a design question that could go either way. I just
wanted to get some expert opinions.
-Ray


___
Home: http://acegisecurity.org
Acegisecurity-developer mailing list
Acegisecurity-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer


Re: [Acegisecurity-developer] Quest question about using LDAP

2006-04-15 Thread Got Milk?
If your application has only URI or remote services security, I would agree that LDAP should facilitate both providing your application with authentication information and your user ROLES. I think with the classes that Acegi has for LDAP, this makes ROLE lookups easy and straightforward. The downside is that if you are constantly adding users and granting Roles to them, your LDAP admin may not like you very much.
As for Domain Object security, this requires more of an RDBMS-type structure; you may want to consider moving your Users and Roles to a centralized location, which would not make LDAP a good solution.
On 4/15/06, Ray Krueger <[EMAIL PROTECTED]> wrote:
> When using LDAP as an authentication source, where do you guys feel
> the ROLEs belong? Should they be managed in LDAP by whatever LDAP
> admin is in charge, or should the ROLEs be stored in the application
> database and associated to some user table based on the LDAP username?
>
> I think it is a design question that could go either way. I just
> wanted to get some expert opinions.
> -Ray



Re: [Acegisecurity-developer] Quest question about using LDAP

2006-04-15 Thread Luke Taylor
Hi Ray,

Not sure about that. I guess if the roles are based on some sort of
organization structure (departments, job titles etc.) then the directory
would be an obvious place for that information. If it's more
app-specific then it's less obvious. Depends on what access you have to
the system too - you can store just about anything in LDAP, so I don't
see anything philosophically wrong with putting app-specific info in
there. On the other hand, if the app is using a separate database then
that may be the obvious place to store the roles, while still allowing
centralized management of user accounts and login info for multiple
uses. I don't think there's a definite answer either way...

By the way, we're planning to move the non-security specific LDAP stuff
out of the provider package and use an org.acegisecurity.ldap package
instead. Just to let you know :)

cheers,

Luke.



Ray Krueger wrote:
> When using LDAP as an authentication source, where do you guys feel
> the ROLEs belong? Should they be managed in LDAP by whatever LDAP
> admin is in charge, or should the ROLEs be stored in the application
> database and associated to some user table based on the LDAP username?
> 
> I think it is a design question that could go either way. I just
> wanted to get some expert opinions.
> -Ray
> 
> 


-- 
 Luke Taylor.  Monkey Machine Ltd.
 PGP Key ID: 0x57E9523C  http://www.monkeymachine.ltd.uk


