PerlMonks
Access control problem
by gildir (Pilgrim) on Dec 20, 2001 at 13:47 UTC ([id://133439]=perlquestion)
gildir has asked for the wisdom of the Perl Monks concerning the following question:
Fellow monks,
I have built a cute application that uses persistent objects stored in LDAP or an RDBMS. It works great, but I soon realized that I need some sort of controlled access to these objects. Not everyone should change a user's password, heh? Well, a user can change his own password, but not another user's password. The simplest way to implement this is at the Perl level: just add authorization checks to the object persistence layer. When using inheritance the right way, it is a very elegant solution.

But ... I want to access LDAP objects from other environments, not just this simple Perl program. I want access controlled at the LDAP (/database) level as well. The LDAP server has its ACLs. But no two LDAP server products have the same ACLs. What can I do here to make access control unified?

Access control on the LDAP side only is no solution, even if some general way of expressing LDAP ACLs existed. I want the 'change password' button displayed only if the user can change his password, and I cannot check with LDAP every time (by actually changing the password) for this. It would be a huge overhead at the very least. And maintaining the ACLs in (possibly many) LDAP servers consistent with the Perl authorization routines will be a real nuisance, or it will become impossible altogether when the system gets larger.

So, how can one poor monk get out of this confusion? Any suggestions appreciated.