Auth/Access Question

David R. Fischer fischerdr at softhome.net
Mon Aug 19 13:52:07 UTC 2002


If you would like some help on this project please let me know i would 
really like to see this area expanded with INND.

Sundaram Divya-QDIVYA1 wrote:
> David,
> 
> I am working on a similar approach. The problem is that you 
> will be needing to extend your LDAP schema to store newsgroup 
> access information in a (preferably) multi valued attribute.
> Alternatively, you could use LDAP groups to hold membership
> information. Either approach works passably well for small
> number of people. 
> 
> I have only 50 local newsgroups and 150000 potential subscribers 
> and I ran into performance issues with both approaches in different 
> scenarios. Generally, the attribute method works better and has 
> only a couple of really contrived scenarios where it fails. 
> Unfortunately, those contrived scenarios show up in my informal 
> requirements document.
> 
> You can hold the access information in a flat file or a Berkeley
> DB file if you prefer. This eliminates the performance bottlenecks
> associated with the LDAP Directory that may have limits on the
> types of queries etc. and latency issues - especially if the LDAP
> server is accessed over a WAN link.
> 
> The bottom line is that, although the concept is easy enough, it 
> is not quite as simple as I thought it'd be. And it can get very
> kludgy.
> 
> See the thread titled "NNRP Perl Auth and LDAP Authentication" in
> the archives for a discussion. I am planning on contributing the
> code to the INN folks when I have it working reliably (which I 
> don't yet).
> 
> Authenticating against LDAP is easy - its the access control that
> gets hairy.
> 
> Regards
> 
> Divya Sundaram ----------------------------- CONDITUR IN PETRA
> We don't need more strength, or greater opportunity. What we
> need is to use what we have.                  - BASIL S. WALSH
> ==============================================================
> 
> 
> -----Original Message-----
> From: David R. Fischer [mailto:fischerdr at softhome.net]
> Sent: Monday, August 19, 2002 8:23 AM
> To: Jeffrey M. Vinocur
> Cc: inn-workers at isc.org
> Subject: Re: Auth/Access Question
> 
> 
> 
> 
> 
> 
>>What are you trying to store in LDAP, authentication info (i.e.,
>>passwords), or list of which groups are authorized, or both?
> 
> yes I am Looking to store not only Users and passwords (which I already 
> know how to do, but also what groups the user is authorized in.
> 
> i.e. I have teachers that can post to all the students newsgroups then I 
> have a group for each class year 200, 2001, 2002 ,..., and so on.  Now 
> to hold all the users in one database with the current access system 
> looks like this will not work since the auth system does not go one step 
> further and work with the GID of the users.  If the Gid was users as the 
> group auth system then I could build ACL around the different groups.
> 
> Is this more clear???
> Thanks
> David R. Fischer
> 
> 
> 



More information about the inn-workers mailing list