On Mon, 12 Jan 2004, Sven Brandenburg wrote:

> i still have to assign file ACLs within coda and thus have two separate
> user databases.
>
> Is there any hope of storing ACLs in kerberos/LDAP ?

Hello Sven,

the user database and the acls are very distinct logically and maintained
very differently.

A user database is mostly a list of known identities (numbered and/or
named, it does not matter in general - currently it maps names to numeric
ids and vice versa, but it does not _have_ to).
Its logical role is to be sure there is a unique entity corresponding to a
name or a number, reserve the corresponding id, essentially nothing else.
This database is maintained per realm. Potentially it could be even
absent!

Authentication is outside of this role and can be done by external means
like Kerberos.

In contrast to the above, ACLs are essential for granting access
rights. They are per-object (per directory in Coda case) and are
maintained where all the file metainformation is kept, in the file
server's RVM.

ACLs are not implemented as a
"list of objects and rights associated with a given _user_id_",
but instead as a
"list of ids and rights associated with a given _object_".

With other words, it is not easy to place them differently (though
of course possible, in general).

Think also that Kerberos is in no way a "database" more than it has a list
of strings and means to prove that somebody knows a secret associated with
a given one of those strings.
There is no place for any extra information there.
(unlike, say, DCE  - but it is where it differs from Kerberos).

Hope that helps.

Best regards,
--
Ivan