Auth/Access Question
Sundaram Divya-QDIVYA1
Divya.Sundaram at motorola.com
Mon Aug 19 13:38:28 UTC 2002
David,
I am working on a similar approach. The problem is that you
will be needing to extend your LDAP schema to store newsgroup
access information in a (preferably) multi valued attribute.
Alternatively, you could use LDAP groups to hold membership
information. Either approach works passably well for small
number of people.
I have only 50 local newsgroups and 150000 potential subscribers
and I ran into performance issues with both approaches in different
scenarios. Generally, the attribute method works better and has
only a couple of really contrived scenarios where it fails.
Unfortunately, those contrived scenarios show up in my informal
requirements document.
You can hold the access information in a flat file or a Berkeley
DB file if you prefer. This eliminates the performance bottlenecks
associated with the LDAP Directory that may have limits on the
types of queries etc. and latency issues - especially if the LDAP
server is accessed over a WAN link.
The bottom line is that, although the concept is easy enough, it
is not quite as simple as I thought it'd be. And it can get very
kludgy.
See the thread titled "NNRP Perl Auth and LDAP Authentication" in
the archives for a discussion. I am planning on contributing the
code to the INN folks when I have it working reliably (which I
don't yet).
Authenticating against LDAP is easy - its the access control that
gets hairy.
Regards
Divya Sundaram ----------------------------- CONDITUR IN PETRA
We don't need more strength, or greater opportunity. What we
need is to use what we have. - BASIL S. WALSH
==============================================================
-----Original Message-----
From: David R. Fischer [mailto:fischerdr at softhome.net]
Sent: Monday, August 19, 2002 8:23 AM
To: Jeffrey M. Vinocur
Cc: inn-workers at isc.org
Subject: Re: Auth/Access Question
> What are you trying to store in LDAP, authentication info (i.e.,
> passwords), or list of which groups are authorized, or both?
yes I am Looking to store not only Users and passwords (which I already
know how to do, but also what groups the user is authorized in.
i.e. I have teachers that can post to all the students newsgroups then I
have a group for each class year 200, 2001, 2002 ,..., and so on. Now
to hold all the users in one database with the current access system
looks like this will not work since the auth system does not go one step
further and work with the GID of the users. If the Gid was users as the
group auth system then I could build ACL around the different groups.
Is this more clear???
Thanks
David R. Fischer
More information about the inn-workers
mailing list