Auth/Access Question
David R. Fischer
fischerdr at softhome.net
Mon Aug 19 13:52:07 UTC 2002
If you would like some help on this project, please let me know. I would
really like to see this area expanded with INND.
Sundaram Divya-QDIVYA1 wrote:
> David,
>
> I am working on a similar approach. The problem is that you
> will be needing to extend your LDAP schema to store newsgroup
> access information in a (preferably) multi valued attribute.
> Alternatively, you could use LDAP groups to hold membership
> information. Either approach works passably well for a small
> number of people.
>
> I have only 50 local newsgroups and 150000 potential subscribers
> and I ran into performance issues with both approaches in different
> scenarios. Generally, the attribute method works better and has
> only a couple of really contrived scenarios where it fails.
> Unfortunately, those contrived scenarios show up in my informal
> requirements document.
>
> You can hold the access information in a flat file or a Berkeley
> DB file if you prefer. This eliminates the performance bottlenecks
> associated with the LDAP Directory that may have limits on the
> types of queries etc. and latency issues - especially if the LDAP
> server is accessed over a WAN link.
>
> The bottom line is that, although the concept is easy enough, it
> is not quite as simple as I thought it'd be. And it can get very
> kludgy.
>
> See the thread titled "NNRP Perl Auth and LDAP Authentication" in
> the archives for a discussion. I am planning on contributing the
> code to the INN folks when I have it working reliably (which I
> don't yet).
>
> Authenticating against LDAP is easy - it's the access control that
> gets hairy.
>
> Regards
>
> Divya Sundaram ----------------------------- CONDITUR IN PETRA
> We don't need more strength, or greater opportunity. What we
> need is to use what we have. - BASIL S. WALSH
> ==============================================================
>
>
> -----Original Message-----
> From: David R. Fischer [mailto:fischerdr at softhome.net]
> Sent: Monday, August 19, 2002 8:23 AM
> To: Jeffrey M. Vinocur
> Cc: inn-workers at isc.org
> Subject: Re: Auth/Access Question
>
>>What are you trying to store in LDAP, authentication info (i.e.,
>>passwords), or list of which groups are authorized, or both?
>
> Yes, I am looking to store not only users and passwords (which I already
> know how to do), but also what groups the user is authorized in.
>
> i.e. I have teachers that can post to all the students' newsgroups, then I
> have a group for each class year 200, 2001, 2002, ..., and so on. Now
> to hold all the users in one database with the current access system
> looks like this will not work, since the auth system does not go one step
> further and work with the GID of the users. If the GID was used as the
> group auth system then I could build ACLs around the different groups.
>
> Is this more clear???
> Thanks
> David R. Fischer
>
>
>
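
The multi-valued attribute approach discussed in the thread, as an added example that is not code from either poster or from INN: it turns a directory entry's attribute values into per-user read and post pattern lists, denying by default and rejecting malformed values. The attribute name `newsgroupAccess`, its `mode:pattern` value format, the function name and the sample group names are assumptions for illustration; the entries are constructed dicts, so no LDAP server is needed.

```python
import re

# Assumed value format for a hypothetical multi-valued attribute
# "newsgroupAccess": "<mode>:<pattern>", mode "r" (read) or "rp" (read+post).
# Patterns are limited to group-name characters plus "*", so a directory
# value cannot carry "," (list separator) or "!" (negation) into the
# comma-separated pattern list handed to the news server.
VALUE_RE = re.compile(r"(r|rp):([a-z0-9][a-z0-9+_.*-]*)")


def resolve_access(entry, attr="newsgroupAccess"):
    """Return comma-joined 'read' and 'post' pattern strings for one entry.

    Deny by default: a missing attribute or a malformed value grants nothing.
    """
    read, post, rejected = [], [], []
    for raw in entry.get(attr, []):
        m = VALUE_RE.fullmatch(raw.strip().lower())
        if not m:
            rejected.append(raw)  # log these; never pass them through
            continue
        mode, pattern = m.groups()
        if pattern not in read:
            read.append(pattern)
        if mode == "rp" and pattern not in post:
            post.append(pattern)
    return {"read": ",".join(read), "post": ",".join(post),
            "rejected": rejected}


# Constructed sample entries (not taken from anyone's directory).
TEACHER = {"uid": ["jdoe"], "newsgroupAccess": ["rp:school.students.*"]}
STUDENT = {"uid": ["asmith"],
           "newsgroupAccess": ["rp:school.students.2002",
                               "r:school.announce",
                               "rp:*,!school.staff.*"]}  # malformed on purpose
NOBODY = {"uid": ["guest"]}  # no attribute at all

if __name__ == "__main__":
    for e in (TEACHER, STUDENT, NOBODY):
        print(e["uid"][0], resolve_access(e))
```

Because each user's rights come from a single entry lookup, this avoids the per-group membership searches that the group-based approach needs.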