Re: How to Restrict user authentication per application?

Some people already said that but just want to give my 2c.


> - Some applications are not using filters along with bind to control
> user login, for some reason (e.g. not having the capability, are
> not designed to get the user list, or they do not need to keep
> things about users, or you can't count on applications to be reliable
> in accessing the directory correctly but you need to control things
> centrally)
>

It is not the job of 389DS to solve architecture flaws or badly designed apps.
If an app doesn't have any AUTHORISATION capabilities, either you put a proxy in front and let only the proxy access the app directly, or you can't really filter who can log in.
Any modern network-oriented app has some kind of authorisation, so we're probably talking about legacy or niche apps.


> - LDAP should be able to protect itself, and have more mature
> policies in access control, even for the bind operation. For example,
> think of an environment in which a system or application is
> compromised, or has malware, or something like that. In that
> situation we should be able to protect the directory with at least a bind
> operation ACL, and if possible with more mature access policies.
>

You can say that about any database-oriented app; if mysql/oracle/postgres is compromised, I don't think authorisation is the biggest of your problems.


And in general I think it is a bad idea to transfer app logic to the directory/database. From my experience you lose control with little benefit.
Maybe you should take a look at CAS or OpenAM to address those problems.


abosch
_______________________________________________
389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx



