On Mon, 12 Jan 2004, Sven Brandenburg wrote:

> i still have to assign file ACLs within coda and thus have two separate
> user databases.
>
> Is there any hope of storing ACLs in kerberos/LDAP ?

Hello Sven,

the user database and the ACLs are very distinct logically and maintained very differently.

A user database is mostly a list of known identities (numbered and/or named, it does not matter in general - currently it maps names to numeric ids and vice versa, but it does not _have_ to). Its logical role is to be sure there is a unique entity corresponding to a name or a number, reserve the corresponding id, essentially nothing else. This database is maintained per realm. Potentially it could even be absent! Authentication is outside of this role and can be done by external means like Kerberos.

In contrast to the above, ACLs are essential for granting access rights. They are per-object (per directory in Coda's case) and are maintained where all the file metainformation is kept, in the file server's RVM. ACLs are not implemented as a "list of objects and rights associated with a given _user_id_", but instead as a "list of ids and rights associated with a given _object_". In other words, it is not easy to place them differently (though of course possible, in general).

Think also that Kerberos is in no way a "database" more than it has a list of strings and means to prove that somebody knows a secret associated with a given one of those strings. There is no place for any extra information there. (unlike, say, DCE - but it is where it differs from Kerberos).

Hope that helps.

Best regards,
--
Ivan

Received on 2004-01-12 11:07:23
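The split Ivan describes above, modelled as an added example (constructed for this page, not Coda's own code): a per-realm identity registry that only guarantees name/id uniqueness and knows nothing about authentication, next to directory objects that each carry their own list of (id, rights) entries. The class and function names, the sample identities and the directory paths are all assumptions; the rights letters follow the AFS-style rlidwka set Coda uses. The reverse query at the end shows why the per-object layout is not a simple re-keying of a per-user one.

```python
"""Toy model of a per-realm user database and per-directory ACLs.

Constructed example for illustration; not Coda's implementation.
"""

from dataclasses import dataclass, field

# Rights letters: read, lookup, insert, delete, write, lock, administer.
ALL_RIGHTS = frozenset("rlidwka")


class UserDatabase:
    """Per-realm identity registry: guarantees name <-> id uniqueness and
    nothing else. Authentication (passwords, Kerberos tickets) lives elsewhere."""

    def __init__(self):
        self._by_name = {}
        self._by_id = {}
        self._next_id = 1000  # constructed starting id

    def register(self, name):
        if name in self._by_name:
            raise ValueError(f"identity {name!r} already exists")
        uid = self._next_id
        self._next_id += 1
        self._by_name[name] = uid
        self._by_id[uid] = name
        return uid

    def id_of(self, name):
        return self._by_name[name]

    def name_of(self, uid):
        return self._by_id[uid]


@dataclass
class Directory:
    """A directory object as the file server keeps it: the ACL is attached to
    the object and keyed by id, i.e. 'ids and rights for a given object'."""

    path: str
    acl: dict = field(default_factory=dict)  # uid -> frozenset of rights letters

    def set_rights(self, uid, rights):
        unknown = set(rights) - ALL_RIGHTS
        if unknown:
            raise ValueError(f"unknown rights {sorted(unknown)} for uid {uid}")
        self.acl[uid] = frozenset(rights)


def check_access(db, directory, name, right):
    """Forward query: resolve the name to an id via the realm database, then
    look the id up in the object's own ACL. Cheap: one dict lookup per side."""
    uid = db.id_of(name)
    return right in directory.acl.get(uid, frozenset())


def objects_readable_by(volume, db, name):
    """Reverse query: 'which directories can this identity read?' There is no
    per-user index, so every object's ACL has to be scanned."""
    uid = db.id_of(name)
    return sorted(d.path for d in volume if "r" in d.acl.get(uid, frozenset()))


def build_sample():
    """Constructed realm with two identities and two home directories."""
    db = UserDatabase()
    sven = db.register("sven")
    ivan = db.register("ivan")
    home_sven = Directory("/coda/example.realm/home/sven")  # hypothetical path
    home_sven.set_rights(sven, "rlidwka")
    home_sven.set_rights(ivan, "rl")
    home_ivan = Directory("/coda/example.realm/home/ivan")  # hypothetical path
    home_ivan.set_rights(ivan, "rlidwka")
    return db, [home_sven, home_ivan]


if __name__ == "__main__":
    db, volume = build_sample()
    for d in volume:
        print(d.path, {db.name_of(u): "".join(sorted(r)) for u, r in d.acl.items()})
    print("ivan can write sven's home:", check_access(db, volume[0], "ivan", "w"))
    print("directories readable by ivan:", objects_readable_by(volume, db, "ivan"))
```

Note that nothing in `UserDatabase` stores a secret: that is exactly the role Ivan leaves to Kerberos, while the rights stay with each `Directory` object where the server keeps its metadata.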