[Owncloud] Heavy LDAP user search
dirk.kastens at uni-osnabrueck.de
Fri Sep 21 11:59:32 UTC 2012
On 21.09.2012 12:11, Arthur Schiwon wrote:
> I think there is a misunderstanding. When you want to share a file and the list
> of shared users is supposed to be up to date, then every request will need to
> do a full scan. How else is the software (ownCloud) supposed to know the
> changes? Except your LDAP pushes a notification about it to ownCloud.
I think the main problem is that owncloud only relies on its own
database. It statically stores ldap user and group data in the tables
oc_ldap_group_mapping, oc_ldap_group_members, and oc_ldap_user_mapping.
And these tables are not up-to-date until you rescan the directory.

This is a different approach compared to other software products. I
configured, for example, a drupal cms and a system monitoring software
with ldap authentication. The access rights to certain features are
based upon ldap groups. But, in contrast to owncloud, the software
queries the ldap server each time a user tries to access a certain
feature. This way, the access rights are always up-to-date. As soon as I
add a user to an ldap group, the access is granted. And as soon as I
delete a user from a group, the access is denied.

That means, as soon as an owncloud user tries to access a file that is
shared with the members of an ldap group, oc has to make a request to
the ldap server to see if the user is a member of the group. It should
be sufficient to query the group memberships at login time. So they are
valid until the user logs out. If a user is deleted from a group, the
next time he logs in the access to a share will be denied.

I don't know how complicated it is to implement, but as other
software works that way, it should be possible.
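The two authorization models discussed in this thread, as an added example that is not ownCloud's code: a static mapping table that is only refreshed by a full rescan (mirroring the oc_ldap_group_members table the post mentions) beside a session-scoped model that resolves group membership at login time. The directory is a constructed in-memory stand-in for an LDAP server so the script runs offline; the class names and the `groups_of` lookup are hypothetical, and in a real deployment that lookup would be an LDAP search.

```python
"""Added example (not ownCloud code): two ways to authorize access to a share
granted to an LDAP group, and how long each stays stale after a membership
change in the directory."""


class FakeDirectory:
    """Constructed stand-in for an LDAP server: group name -> set of member uids."""

    def __init__(self):
        self.groups: dict[str, set[str]] = {}

    def add_member(self, group, uid):
        self.groups.setdefault(group, set()).add(uid)

    def remove_member(self, group, uid):
        self.groups.get(group, set()).discard(uid)

    def groups_of(self, uid):
        # Stands in for an LDAP search over group entries for this member.
        return {g for g, members in self.groups.items() if uid in members}


class StaticMappingAuthorizer:
    """Memberships copied into a local table at scan time (the stale model)."""

    def __init__(self, directory):
        self.directory = directory
        self.group_members: dict[str, set[str]] = {}  # like oc_ldap_group_members
        self.rescan()

    def rescan(self):
        # Full scan: copy every group's member list into the local table.
        self.group_members = {g: set(m) for g, m in self.directory.groups.items()}

    def may_access(self, uid, share_group):
        return uid in self.group_members.get(share_group, set())


class LoginTimeAuthorizer:
    """Memberships fetched from the directory at login, valid for the session."""

    def __init__(self, directory):
        self.directory = directory
        self.sessions: dict[str, set[str]] = {}  # uid -> groups seen at login

    def login(self, uid):
        self.sessions[uid] = self.directory.groups_of(uid)

    def logout(self, uid):
        self.sessions.pop(uid, None)

    def may_access(self, uid, share_group):
        groups = self.sessions.get(uid)
        if groups is None:
            raise PermissionError(f"{uid} is not logged in")
        return share_group in groups


def staleness_demo():
    """Remove a user from a group after login and record, at each stage,
    (static_model_grants, login_time_model_grants) for a share on that group."""
    ldap = FakeDirectory()
    ldap.add_member("project-x", "alice")
    share_group = "project-x"  # the share is granted to this LDAP group

    static = StaticMappingAuthorizer(ldap)
    live = LoginTimeAuthorizer(ldap)
    live.login("alice")

    stages = {}
    stages["before_removal"] = (
        static.may_access("alice", share_group), live.may_access("alice", share_group))

    ldap.remove_member("project-x", "alice")  # admin removes alice in LDAP
    # Both models still grant: the table is stale, and the session is still open.
    stages["same_session_after_removal"] = (
        static.may_access("alice", share_group), live.may_access("alice", share_group))

    live.logout("alice")
    live.login("alice")
    # The session model denies on the next login; the table stays stale until a rescan.
    stages["after_relogin_no_rescan"] = (
        static.may_access("alice", share_group), live.may_access("alice", share_group))

    static.rescan()
    stages["after_rescan"] = (
        static.may_access("alice", share_group), live.may_access("alice", share_group))
    return stages


if __name__ == "__main__":
    for stage, (static_ok, live_ok) in staleness_demo().items():
        print(f"{stage:28s} static={static_ok!s:5s} login-time={live_ok}")
```

The `after_relogin_no_rescan` stage is the one the post is about: the login-time model has already caught up with the directory, while the static table keeps granting until an administrator (or a scheduled job) triggers a full rescan.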