- administrating groups (creation, modification, deletion)
- the editing rights (JavaClient -> Extras -> Rights)
do not allow direct LDAP read-browsing - no, they just maintain local FirstSpirit user/group objects. This should be changed to allow central storage and to prevent duplication.
So, the current FirstSpirit LDAP solution guarantees just LDAP authentication but no LDAP authorization.
When comparing with other LDAP solutions like "mod_auth_ldap" in Apache or "pam_ldap" in Linux, users will never be created physically on the corresponding system environment - due to the above-mentioned side-effects.
- allow assigning FirstSpirit projects one or more configured LDAP connection configurations
- offer a solution where FirstSpirit users/groups are really maintained centrally
- prevent storing users/groups offered via LDAP in FirstSpirit directly
- enhance the user/group administration dialog boxes within FirstSpirit to allow browsing and maintaining the central LDAP
- enhance the FirstSpirit rights dialog in JavaClient to allow browsing the LDAP target system and assigning (FirstSpirit) users/groups out of LDAP