Some people already said that but just want to give my 2c. > - Some application are not using filters along with bind, to control > user login - for some reasons (e.g. not having the capability, are > not designed to get user list, or they do not have need to keep > things about Users, or you can't count on applications be reliable > in accessing the directory correctly but you need control things > centrally) > Is not the job of 389DS to solve architecture flaws or bad designed apps. if an app don't have any AUTHORISATION capabilites either you put a proxy in front and let only the proxy access directly to the app, or you can't really filter who can log in. any modern network oriented app has some kind of authorisation so we're probably talking about legacy or niche apps. > - LDAP Should be able to protect itself, and have more mature > policies in Access Control, even for bind operation. For example; > Think of an environment which a system or application is > compromised, or has malware, or something like those. In that > situation we should be able to protect directory with at least bind > operation ACL, and if possible with more mature access policies. > you can say that about any database oriented app, if mysql/oracle/postgres is compromised I don't think authorisation is the biggest of your problems. and in general I think is a bad idea to transfer app logic to directory/database. from my experience you lose control with little benefit. maybe you should take a look at CAS or OpenAM to address those problems. abosch _______________________________________________ 389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx