[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Newbie: Design Issues

To: sgv - <sgv18104@yahoo.com>
Subject: Re: Newbie: Design Issues
From: Tony Bibbs <tony@tonybibbs.com>
Date: 11 Jan 2002 16:14:41 -0600
Cc: openldap-software@OpenLDAP.org
In-reply-to: <20020111212520.59961.qmail@web14404.mail.yahoo.com>
References: <20020111212520.59961.qmail@web14404.mail.yahoo.com>

I'd create a new .schema file that has all your said attributes (user
id, password, req1, req2, req3, req4).  Then at the end of that file you
would have two objectclasses.  The first would be for Application A and
would have userid, password, req1 and req2 and required attributes
(MUST) and req3 and req4 as optional (MAY).  The second for Application
B would have userid, password, req3 and req4 as required (MUST) and req1
and req2 as optional (MAY).  Depending on the specifics, you may want to
create a 3rd object class that requires all of them (not sure if what
your business requirements are).

Remember, LDAP is a mechanism for storing data (attributes)...not
logic.  If you use what I recommend here you would need to code the
application logic to figure out how to do the LDAP interactions.

Now if you want to implement a hierarchical security model using LDAP,
that would require a much more complex set of attributes and
objectclasses.

-Tony

On Fri, 2002-01-11 at 15:25, sgv - wrote:
> 
>   We want to build a ldap directory structure that
> accomodates our application requirements. Given below
> is an analogy of the problem we want to resolve
>    Suppose an application A has attributes userid,
> password, required1, required2 amd application B has
> attributes userid, password, required3, required4. A
> user may have access to one or both applications. How
> do we design the LDAP directory structure to
> accomodate the described scenario.
>   One of the ways that can be done is to have a
> separte directory for each application and add the
> user entry in each one of them. But is it possible to
> have a single directory where we could add user
> entries that somehow specify that 
> i) the user has access to the various applications.
> ii) Only provide values for the applications that
> he/she has access. For example, if John Doe has access
> to application A but not for application B, then John
> Doe needs to have attributes for required1 and
> required2 but not for required3 & required4. To be
> more specific, we do not want to add all the
> attributes possible for all the appliations and then
> blank out the values of the attributes that do not
> correspond to the user. Is there a way to get only the
> attributes that are accessed by the application.
> 
>    
>    Sorry if I have confused you but any suggestions
> would be helpful. Thanks for your help.
> 
> SGV
> 
> 
> __________________________________________________
> Do You Yahoo!?
> Send FREE video emails in Yahoo! Mail!
> http://promo.yahoo.com/videomail/

References:
- Newbie: Design Issues
  - From: sgv - <sgv18104@yahoo.com>

Prev by Date: Newbie: Design Issues
Next by Date: Help with 'index attribute "objectClass" undefined'
Index(es):
- Chronological
- Thread