Auth/Access Question

Sundaram Divya-QDIVYA1 Divya.Sundaram at motorola.com
Mon Aug 19 13:38:28 UTC 2002


David,

I am working on a similar approach. The problem is that you 
will need to extend your LDAP schema to store newsgroup 
access information in a (preferably) multi-valued attribute.
Alternatively, you could use LDAP groups to hold membership
information. Either approach works passably well for a small
number of people. 

I have only 50 local newsgroups and 150000 potential subscribers 
and I ran into performance issues with both approaches in different 
scenarios. Generally, the attribute method works better and has 
only a couple of really contrived scenarios where it fails. 
Unfortunately, those contrived scenarios show up in my informal 
requirements document.

You can hold the access information in a flat file or a Berkeley
DB file if you prefer. This eliminates the performance bottlenecks
associated with the LDAP Directory that may have limits on the
types of queries etc. and latency issues - especially if the LDAP
server is accessed over a WAN link.

The bottom line is that, although the concept is easy enough, it 
is not quite as simple as I thought it'd be. And it can get very
kludgy.

See the thread titled "NNRP Perl Auth and LDAP Authentication" in
the archives for a discussion. I am planning on contributing the
code to the INN folks when I have it working reliably (which I 
don't yet).

Authenticating against LDAP is easy - it's the access control that
gets hairy.

Regards

Divya Sundaram ----------------------------- CONDITUR IN PETRA
We don't need more strength, or greater opportunity. What we
need is to use what we have.                  - BASIL S. WALSH
==============================================================


-----Original Message-----
From: David R. Fischer [mailto:fischerdr at softhome.net]
Sent: Monday, August 19, 2002 8:23 AM
To: Jeffrey M. Vinocur
Cc: inn-workers at isc.org
Subject: Re: Auth/Access Question

> What are you trying to store in LDAP, authentication info (i.e.,
> passwords), or list of which groups are authorized, or both?
Yes, I am looking to store not only users and passwords (which I already 
know how to do), but also which groups the user is authorized in.

i.e. I have teachers that can post to all the students' newsgroups, then I 
have a group for each class year: 2000, 2001, 2002, ..., and so on.  Now, 
to hold all the users in one database with the current access system 
looks like it will not work, since the auth system does not go one step 
further and work with the GID of the users.  If the GID was used as the 
group auth system then I could build ACLs around the different groups.

Is this more clear?
Thanks
David R. Fischer
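The access model the two messages above describe, as an added example that is not code from this thread or from INN: a constructed in-memory directory stands in for the LDAP server, and the attribute name nntpAccess, the "wildmat:perms" grant syntax and the flat-file layout are assumptions, not a real schema. It resolves a user's newsgroup rights through either layout Divya contrasts (a multi-valued attribute on the user entry, or the union of grants from LDAP groups that list the user), models David's teacher/class-year split, emits read and post pattern lists in the style of INN's readers.conf wildmats, and precomputes the result into the kind of flat file Divya suggests so that the directory's latency stays off the nnrpd path.

```python
"""Resolve per-user newsgroup access from directory data (added example).

The directory below is constructed to stand in for LDAP search results.
Attribute layout: grants sit in a multi-valued attribute on the user entry.
Group layout: grants sit on group entries; a user gets the union of the
grants of every group whose memberUid lists them.  Both names are assumed.
A grant is "<wildmat>:<perms>" with perms drawn from r (read) and p (post).
"""
import fnmatch

DIRECTORY = {
    "users": {
        "alice": {"nntpAccess": ["school.class.*:rp", "school.staff:rp"]},  # teacher
        "bob":   {"nntpAccess": ["school.class.*:r", "school.class.2001:rp"]},  # class of 2001
        "carol": {},                                      # known user, no grants
    },
    "groups": {
        "teachers":   {"memberUid": ["alice"],
                       "nntpAccess": ["school.class.*:rp", "school.staff:rp"]},
        "students":   {"memberUid": ["bob"], "nntpAccess": ["school.class.*:r"]},
        "class-2001": {"memberUid": ["bob"], "nntpAccess": ["school.class.2001:rp"]},
    },
}


def grants_from_attribute(directory, uid):
    """Attribute layout: a single lookup of the user's own entry."""
    entry = directory["users"].get(uid)
    if entry is None:
        return None                      # unknown user, distinct from "no access"
    return list(entry.get("nntpAccess", []))


def grants_from_groups(directory, uid):
    """Group layout: every group has to be checked for the uid (the slow path)."""
    if uid not in directory["users"]:
        return None
    grants = []
    for group in directory["groups"].values():
        if uid in group.get("memberUid", []):
            grants.extend(group.get("nntpAccess", []))
    return grants


def to_patterns(grants):
    """Turn grants into readers.conf-style comma-separated read and post lists."""
    read, post = [], []
    for grant in grants:
        pattern, _, perms = grant.rpartition(":")
        if not pattern or set(perms) - {"r", "p"}:
            raise ValueError(f"malformed grant {grant!r}")   # fail closed on bad data
        if "r" in perms and pattern not in read:
            read.append(pattern)
        if "p" in perms and pattern not in post:
            post.append(pattern)
    return ",".join(read), ",".join(post)


def wildmat(pattern_list, newsgroup):
    """INN-style wildmat list: comma separated, a leading '!' negates, last match wins."""
    allowed = False
    for item in filter(None, pattern_list.split(",")):
        negate = item.startswith("!")
        if fnmatch.fnmatchcase(newsgroup, item.lstrip("!")):
            allowed = not negate
    return allowed


def access(directory, uid, newsgroup, via="attribute"):
    """Return {'read': bool, 'post': bool} for uid on newsgroup, or None if unknown."""
    lookup = grants_from_attribute if via == "attribute" else grants_from_groups
    grants = lookup(directory, uid)
    if grants is None:
        return None
    read, post = to_patterns(grants)
    return {"read": wildmat(read, newsgroup), "post": wildmat(post, newsgroup)}


def render_access_table(directory, via="attribute"):
    """Precompute every user's patterns into a flat file: uid TAB read TAB post."""
    lookup = grants_from_attribute if via == "attribute" else grants_from_groups
    lines = []
    for uid in sorted(directory["users"]):
        read, post = to_patterns(lookup(directory, uid))
        lines.append(f"{uid}\t{read}\t{post}")
    return "\n".join(lines) + "\n"


def parse_access_table(text):
    """Load the flat file back into {uid: (read, post)}; blank and # lines are skipped."""
    table = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        uid, read, post = line.split("\t")
        table[uid] = (read, post)
    return table


if __name__ == "__main__":
    for uid, group in [("alice", "school.class.2001"), ("bob", "school.class.2000"),
                       ("bob", "school.class.2001"), ("bob", "school.staff")]:
        print(uid, group, access(DIRECTORY, uid, group),
              access(DIRECTORY, uid, group, via="groups"))
    print(render_access_table(DIRECTORY), end="")
```

The flat file is only as fresh as its last rebuild: a user removed from the directory keeps their access until the table is regenerated, so rebuild it on a schedule or from a directory-change hook, and treat the file itself as sensitive since it is the effective ACL. Password checks still go to LDAP; the file only answers the access question.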