UDS Maverick: Call for Blueprints for Ubuntu Server

Andreas Hasenack andreas at canonical.com
Thu Apr 29 14:15:51 UTC 2010


On 04/29/2010 10:59 AM, Javier Palacios wrote:
> Yes, the ACLs, because I'm not thinking of a single user with full
> privileges and many users without any privileges.
> 
> Let's say I would like the DNS admins to modify their entries, and the
> "user" administrator to create or modify user entries. That means
> giving any of them only partial privileges. If you use any kind of
> 'proxy' (as phpldapadmin) it must be aware of existing ACLs and the
> most sensible way to accomplish that is to let the LDAP server evaluate
> them, using direct identification against the LDAP server.
> The phpldapadmin I remember (it might have evolved) has a single user
> and wasn't capable of doing this.

True. So it's not that phpldapadmin "doesn't work" or "breaks" with
these ACLs, it's just that it bypasses them entirely. So we can say it
doesn't take advantage of them. It's a choice.

Maybe at some point it could work in such a way that it would use the
user's credentials to access the directory instead of the rootdn or some
other proxy user.

I wonder if SASL authorization could be more widely used and how it
could help. It was meant to be used by such proxy agents, I believe.

-- 
Andreas Hasenack
andreas at canonical.com

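The setup discussed in this message, sketched as a slapd.conf fragment. This is an added example, not part of the original post and not taken from phpldapadmin or Ubuntu packaging. It assumes OpenLDAP with SASL enabled and no SASL realm; every DN, group name and the "webadmin" front-end account are constructed placeholders.

```conf
# Constructed example: all names under dc=example,dc=com are placeholders.

# Global section. Honour authzTo rules stored on the authenticating
# (proxy) entry, so a front end can bind as itself and act as a user.
authz-policy to

# Map SASL identities (uid=<name>,cn=<mech>,cn=auth) to directory entries.
authz-regexp
    uid=([^,]+),cn=[^,]+,cn=auth
    uid=$1,ou=people,dc=example,dc=com

database hdb
suffix "dc=example,dc=com"
# The rootdn is never subject to the ACLs below. A tool that binds as the
# rootdn for every request therefore bypasses all of them.
rootdn "cn=admin,dc=example,dc=com"

# ACLs are first-match, so attribute rules come before subtree rules.
# authzTo is itself a privilege grant: nobody but the rootdn may write it,
# otherwise a delegated admin could grant themselves proxy rights.
access to attrs=authzTo
    by * auth

access to attrs=userPassword
    by self write
    by group.exact="cn=useradmins,ou=groups,dc=example,dc=com" write
    by anonymous auth
    by * none

# Partial privileges: each admin group can write only its own subtree.
access to dn.subtree="ou=dns,dc=example,dc=com"
    by group.exact="cn=dnsadmins,ou=groups,dc=example,dc=com" write
    by users read

access to dn.subtree="ou=people,dc=example,dc=com"
    by group.exact="cn=useradmins,ou=groups,dc=example,dc=com" write
    by users read

access to *
    by users read
    by * none

# Proxy rule, stored on the front end's own entry (LDIF, set by the rootdn):
#   dn: uid=webadmin,ou=services,dc=example,dc=com
#   authzTo: dn.regex:^uid=[^,]+,ou=people,dc=example,dc=com$
#
# Check which identity the server will evaluate ACLs against:
#   ldapwhoami -Y DIGEST-MD5 -U webadmin -X u:jdoe
#   expected: dn:uid=jdoe,ou=people,dc=example,dc=com
```

With this in place the front end holds no write privileges of its own; every operation is authorized by slapd against the asserted user's identity and group membership.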




More information about the ubuntu-server mailing list