When using LDAP as an authentication source, where do you guys feel
the ROLEs belong? Should they be managed in LDAP by whatever LDAP
admin is in charge, or should the ROLEs be stored in the application
database and associated to some user table based on the LDAP username?
I thinki it is a design
If your application has only URI or remote services security, I would agree that LDAP should faciliate both providing your application with authentication information and your user ROLES. I think with the classes that Acegi has for LDAP, this makes ROLE lookups easy and straight forward. The
