Chemolli Francesco (USI) wrote:
> I am quite ambivalent on this, so I'll try to think in terms of
> implementation. The problem is WHEN we determine that an user
> is part of a group. You seem to imply that it should be
> externally driven (i.e. at reconfiguration). I'd rather do it lazily.
As you may have seen from my previous message, I have somewhat changed
my mind. auth groups should be separate from "non-auth groups".
For auth groups, no separate group definitions are required. Simply
cache the group memberships returned by the helper in the users auth
cache entry, and for speed of lookup maintain a group->user index.
There is no ambigouity on when a user is member of a auth group or not.
The user is member of the groups last returned by the auth helper.
In addition to this, we also need a more flexible mechanism for external
ACL's. See my reply to Robert.
-- HenrikReceived on Thu Jul 05 2001 - 03:40:45 MDT
This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:14:05 MST