On 3/2/2011 7:42 PM, Randall Hansen wrote:
On Mar 2, 2011, at 3:51 PM, Frank Sweetser wrote:

In this scenario, it would be far more useful to simply use LDAP to verify
usernames and passwords, and then consult internal records to assign a list
of roles.

This is a great use case, Frank.  What do you mean by "internal records" in
this context?  Dashboard itself?  Or another service at your site?

Originally I was thinking of within Dashboard, though of course some sites might find it more useful to have it in some other service. Use a central RADIUS server for authentication, and then a departmental LDAP server for role assignment, or a few records within Dashboard for small sites (here, for example, we'd only have three or four Dashboard users to manage).

In the more flexible products I've used, you basically define a list of AAA servers, which can typically be RADIUS, LDAP or something internal to the application (obviously other things like an RSA token would also be applicable). You then get to pick a server for authentication, and one for authorization, independently of each other. That way, sites can easily set things up however works best for them, usually based on political boundaries as much as technical ones.

--
Frank Sweetser fs at wpi.edu  |  For every problem, there is a solution that
WPI Senior Network Engineer   |  is simple, elegant, and wrong. - HL Mencken
    GPG fingerprint = 6174 1257 129E 0D21 D8D4  E8A3 8E39 29E3 E2E8 8CEC
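The setup Frank describes above, with one server chosen for authentication and a separate one for authorization, as an added example in Ruby (not Puppet Dashboard's own code). Every backend here is a constructed in-memory stand-in for RADIUS, LDAP or internal records; the class names, the `login` return shape and the sample accounts are assumptions made for the example.

```ruby
# Added example, not Puppet Dashboard code: an AAA broker that picks the
# authentication server and the authorization server independently, as the
# message above describes. Every backend is a constructed in-memory stand-in
# for RADIUS, LDAP or an application-internal table.
require 'digest'

# Raised by a backend when its server cannot be reached; the broker fails closed.
class BackendUnavailable < StandardError; end

# Length-checked, constant-time string comparison for secrets and hashes.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Authentication backend: internal records holding salted SHA-256 hashes.
class InternalAuth
  def self.hash_password(salt, password)
    Digest::SHA256.hexdigest("#{salt}:#{password}")
  end

  def initialize(records)
    @records = records # username => { salt:, hash: }
  end

  def authenticate(username, password)
    rec = @records[username]
    # Hash even for unknown users so timing does not reveal which names exist.
    candidate = self.class.hash_password(rec ? rec[:salt] : 'dummy', password)
    rec ? secure_equal?(candidate, rec[:hash]) : false
  end
end

# Authentication backend: stand-in for a central RADIUS server or LDAP bind.
class RemoteAuth
  def initialize(accounts, reachable: true)
    @accounts = accounts   # username => password (constructed test data only)
    @reachable = reachable
  end

  def authenticate(username, password)
    raise BackendUnavailable, 'auth server unreachable' unless @reachable
    @accounts.key?(username) && secure_equal?(@accounts[username], password)
  end
end

# Authorization backend: roles kept in the application's own records.
class InternalRoles
  def initialize(roles)
    @roles = roles # username => [role, ...]
  end

  def roles_for(username)
    @roles.fetch(username, [])
  end
end

# Authorization backend: stand-in for a departmental LDAP server whose group
# memberships are mapped onto application roles.
class LdapGroupRoles
  def initialize(memberships, group_to_role)
    @memberships = memberships     # username => [group DN, ...]
    @group_to_role = group_to_role # group DN => role
  end

  def roles_for(username)
    @memberships.fetch(username, []).map { |g| @group_to_role[g] }.compact.uniq
  end
end

# The broker: one server for authentication, one for authorization, chosen
# independently. A correct password alone never grants access; the user must
# also be assigned at least one role by the authorization source.
class AaaBroker
  def initialize(authn:, authz:)
    @authn = authn
    @authz = authz
  end

  # Returns [status, roles]; status is :ok, :bad_credentials, :no_roles or :unavailable.
  def login(username, password)
    return [:bad_credentials, []] unless @authn.authenticate(username, password)
    roles = @authz.roles_for(username)
    return [:no_roles, []] if roles.empty?
    [:ok, roles]
  rescue BackendUnavailable
    [:unavailable, []] # fail closed when a backend cannot be consulted
  end
end

# Constructed sample data (hypothetical users, groups and passwords).
SALT = 'c0ffee'
INTERNAL_USERS = { 'alice' => { salt: SALT, hash: InternalAuth.hash_password(SALT, 'alice-pass') } }
CENTRAL_ACCOUNTS = { 'alice' => 'alice-pass', 'bob' => 'bob-pass' }
LDAP_GROUPS = { 'alice' => ['cn=netops,ou=groups,dc=example,dc=edu'] }
GROUP_ROLES = { 'cn=netops,ou=groups,dc=example,dc=edu' => 'admin' }

# Small site: both passwords and roles come from internal records.
def small_site_broker
  AaaBroker.new(authn: InternalAuth.new(INTERNAL_USERS),
                authz: InternalRoles.new('alice' => ['admin']))
end

# Larger site: central server for passwords, departmental LDAP for roles.
def central_site_broker(reachable: true)
  AaaBroker.new(authn: RemoteAuth.new(CENTRAL_ACCOUNTS, reachable: reachable),
                authz: LdapGroupRoles.new(LDAP_GROUPS, GROUP_ROLES))
end

if __FILE__ == $PROGRAM_NAME
  p small_site_broker.login('alice', 'alice-pass')                      # [:ok, ["admin"]]
  p central_site_broker.login('bob', 'bob-pass')                        # [:no_roles, []]
  p central_site_broker(reachable: false).login('alice', 'alice-pass')  # [:unavailable, []]
end
```

The point the two site layouts make is that `bob` authenticates fine against the central server but gets no access, because the departmental LDAP assigns him no role; and when the authentication server is unreachable the broker returns `:unavailable` rather than falling back to any local guess.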
