Agreed on keeping auth and auth separately pluggable concerns. RADIUS and LDAP are also what I would like for authentication. We'd probably be OK with even an internal authorization system, since that's what our other management apps use.
-- O

On Mar 2, 2011, at 5:01 PM, Frank Sweetser <f...@wpi.edu> wrote:

> On 3/2/2011 7:42 PM, Randall Hansen wrote:
>> On Mar 2, 2011, at 3:51 PM, Frank Sweetser wrote:
>>
>>> In this scenario, it would be far more useful to simply use LDAP to verify
>>> usernames and passwords, and then consult internal records to assign a list
>>> of roles.
>>
>> This is a great use case, Frank. What do you mean by "internal records" in
>> this context? Dashboard itself? Or another service at your site?
>
> Originally I was thinking of within Dashboard, though of course some sites
> might find it more useful to have it in some other service. Use a central
> RADIUS server for authentication, and then a departmental LDAP server for
> role assignment, or a few records within Dashboard for small sites (here, for
> example, we'd only have three or four Dashboard users to manage).
>
> In the more flexible products I've used, you basically define a list of AAA
> servers, which can typically be RADIUS, LDAP or something internal to the
> application (obviously other things like an RSA token would also be
> applicable). You then get to pick a server for authentication, and one for
> authorization, independently of each other. That way, sites can easily set
> things up however works best for them, usually based on political boundaries
> as much as technical ones.
>
> --
> Frank Sweetser fs at wpi.edu | For every problem, there is a solution that
> WPI Senior Network Engineer | is simple, elegant, and wrong. - HL Mencken
> GPG fingerprint = 6174 1257 129E 0D21 D8D4 E8A3 8E39 29E3 E2E8 8CEC
>
> --
> You received this message because you are subscribed to the Google Groups
> "Puppet Users" group.
> To post to this group, send email to puppet-users@googlegroups.com.
> To unsubscribe from this group, send email to
> puppet-users+unsubscr...@googlegroups.com.
> For more options, visit this group at
> http://groups.google.com/group/puppet-users?hl=en.
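The arrangement discussed in this thread (a list of AAA servers, with one picked for authentication and one for authorization independently), as an added example that is not part of the original messages or of Puppet Dashboard's code. The class names, server names and users are hypothetical, and the in-memory backends stand in for real RADIUS and LDAP servers.

```ruby
require 'openssl'

# Hypothetical password-only backend (stand-in for the RADIUS/LDAP authenticator).
class PasswordBackend
  def initialize(passwords)
    @users = passwords.to_h do |name, pw|
      salt = OpenSSL::Random.random_bytes(16)
      [name, [salt, derive(pw, salt)]]
    end
  end

  def authenticate(name, password)
    salt, stored = @users[name]
    return false unless salt
    # Constant-time comparison of two 32-byte derived keys.
    derive(password, salt).bytes.zip(stored.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  private
  def derive(password, salt)
    OpenSSL::PKCS5.pbkdf2_hmac(password, salt, 10_000, 32, 'sha256')
  end
end

# Hypothetical role-only backend (stand-in for departmental LDAP or internal records).
RoleBackend = Struct.new(:table) do
  def roles_for(name)
    table.fetch(name, [])
  end
end

class AAA
  def initialize(servers, authn:, authz:)
    @authn = servers.fetch(authn) # KeyError on a misconfigured server name
    @authz = servers.fetch(authz)
  end

  # Returns the user's roles, or nil when the login must be refused.
  def login(name, password)
    return nil unless @authn.authenticate(name, password)
    roles = @authz.roles_for(name) rescue [] # role lookup failure: fail closed
    roles.empty? ? nil : roles
  end
end

# Constructed sample servers and users.
SERVERS = { 'central-radius' => PasswordBackend.new('alice' => 'pw-a', 'bob' => 'pw-b'),
            'dept-ldap' => RoleBackend.new({ 'alice' => %w[admin] }),
            'internal' => RoleBackend.new({ 'alice' => %w[viewer], 'bob' => %w[viewer] }) }.freeze
```

A user who authenticates but has no record in the chosen authorization server is refused, so switching the authorization source changes who gets in without touching the password check.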