Shawn McKinney wrote:
> Why use ACLs for fine-grained authZ?
>
> Its drawbacks,
> - Not standard / LDAPv3 server lock-in (might not be a problem for you)
> - difficult to maintain and test (complex)

You have both of these issues for every non-trivial access control system. In particular, you need automated tests.

> To determine if necessary another question - how are your
> applications interacting with the directory. Are they connecting
> using LDAPv3 operations (like search and bind), or is there a
> higher level abstraction in place, (like mod_authnz_ldap)?

That's the real question: Does the end-user ever impersonate directly on the LDAP connection (optionally via a web application)?

Ciao, Michael.
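The "difficult to maintain and test" point and the call for automated tests can be made concrete with a small model of how slapd evaluates its ACLs: the first matching `access to` clause wins, and within it the first matching `by` clause decides. The following is an added, constructed example, not OpenLDAP's code and not something from this thread. It models only a subset of slapd.access(5) (targets `*`, `dn.exact=`, `dn.subtree=`, an optional `attrs=` set; subjects `*`, `anonymous`, `users`, `self`, `dn.exact=`), assumes an implicit `by * none` when nothing matches, and uses made-up DNs under `dc=example,dc=com`. The point it shows is that reordering two otherwise correct rules silently changes who can read password hashes, and that an expectation table catches it.

```python
"""Toy first-match evaluator for OpenLDAP-style ACLs (constructed example,
not OpenLDAP code). Subset of slapd.access(5) only; see the lead-in."""
from dataclasses import dataclass
from typing import Optional

# Privilege ordering from slapd.access(5): each level implies the ones before it.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]


@dataclass(frozen=True)
class By:
    who: str    # '*', 'anonymous', 'users', 'self' or 'dn.exact=<dn>'
    level: str  # one of LEVELS


@dataclass(frozen=True)
class Access:
    target: str                      # '*', 'dn.exact=<dn>' or 'dn.subtree=<dn>'
    attrs: frozenset = frozenset()   # lowercase attribute names; empty = whole entry
    by: tuple = ()                   # ordered <by> clauses


def norm(dn: Optional[str]) -> str:
    """Crude DN normalisation: lowercase and strip whitespace around RDNs."""
    return "" if dn is None else ",".join(p.strip().lower() for p in dn.split(","))


def target_matches(rule: Access, entry_dn: str, attr: Optional[str]) -> bool:
    if rule.attrs and (attr is None or attr.lower() not in rule.attrs):
        return False
    if rule.target == "*":
        return True
    kind, _, dn = rule.target.partition("=")
    dn, entry_dn = norm(dn), norm(entry_dn)
    if kind == "dn.exact":
        return entry_dn == dn
    if kind == "dn.subtree":
        return entry_dn == dn or entry_dn.endswith("," + dn)
    raise ValueError(f"unsupported target {rule.target!r}")


def who_matches(who: str, bind_dn: Optional[str], entry_dn: str) -> bool:
    if who == "*":
        return True
    if who == "anonymous":
        return not bind_dn
    if who == "users":
        return bool(bind_dn)
    if who == "self":
        return bool(bind_dn) and norm(bind_dn) == norm(entry_dn)
    if who.startswith("dn.exact="):
        return norm(bind_dn) == norm(who[len("dn.exact="):])
    raise ValueError(f"unsupported subject {who!r}")


def granted(rules, bind_dn, entry_dn, attr, wanted) -> bool:
    """First matching <access to> clause wins; inside it the first matching
    <by> clause decides. Anything unmatched behaves like 'by * none'."""
    for rule in rules:
        if not target_matches(rule, entry_dn, attr):
            continue
        for clause in rule.by:
            if who_matches(clause.who, bind_dn, entry_dn):
                return LEVELS.index(clause.level) >= LEVELS.index(wanted)
        return False  # target matched, no <by> matched: implicit 'by * none'
    return False


def run_table(rules, cases):
    """Automated policy check: return the expectation rows the policy violates."""
    failures = []
    for bind_dn, entry_dn, attr, wanted, expected in cases:
        got = granted(rules, bind_dn, entry_dn, attr, wanted)
        if got != expected:
            failures.append((bind_dn, entry_dn, attr, wanted, expected, got))
    return failures


# Constructed directory layout (assumed, not from the thread).
PEOPLE = "ou=people,dc=example,dc=com"
ALICE = f"uid=alice,{PEOPLE}"
BOB = f"uid=bob,{PEOPLE}"

# Password rule: owner may change it, anonymous may only bind against it.
PW_RULE = Access("dn.subtree=" + PEOPLE, frozenset({"userpassword"}),
                 (By("self", "write"), By("anonymous", "auth"), By("*", "none")))
# Catch-all: authenticated users may read everything else.
DEFAULT_RULE = Access("*", frozenset(), (By("users", "read"), By("*", "none")))

GOOD_ORDER = [PW_RULE, DEFAULT_RULE]   # specific rule first
BAD_ORDER = [DEFAULT_RULE, PW_RULE]    # catch-all shadows the password rule

# (bind DN, entry DN, attribute, requested level, expected outcome)
EXPECTATIONS = [
    (ALICE, ALICE, "userpassword", "write", True),   # users change their own password
    (BOB, ALICE, "userpassword", "read", False),     # nobody reads other users' hashes
    (None, ALICE, "userpassword", "auth", True),     # anonymous bind must still work
    (None, ALICE, "userpassword", "read", False),
    (BOB, ALICE, "mail", "read", True),              # ordinary attributes are readable
    (None, ALICE, "mail", "read", False),
]

if __name__ == "__main__":
    print("good order violations:", run_table(GOOD_ORDER, EXPECTATIONS))
    print("bad order violations:", run_table(BAD_ORDER, EXPECTATIONS))
```

With the catch-all placed first, the table reports three violations at once: users can no longer change their own password, anonymous binds stop working, and every authenticated user can read everyone else's password hash. None of that is visible by reading either rule on its own, which is exactly why an expectation table like this belongs in the deployment's test suite (or, against a real slapd, the same table driven through `slapacl`).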
