
RE: Using LDAP to describe permissions



> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Kent Wang

> From what I understand, Microsoft's Active Directory is really an LDAP
> solution combined with Kerberos. I'm interested in building a similar
> system for PHP applications for a corporate intranet.

It's more than that. A more encompassing description might be it's a
Microsoft implementation of OSF DCE, using LDAP instead of X.500 for the DCE
directory service. But even that doesn't describe it fully...

> However, I'm not sure how to use LDAP to describe complex permissions
> schemes. I would like to have as fine-grained control as Active
> Directory has: every object (file, directory) can be specified to have
> read/write/delete/admin/etc permission to any set of groups or single
> users.

LDAP is a generic data store. When you have designed your permission scheme
and codified it, the details of how to store its representation in LDAP
should become pretty obvious.

> It makes sense for me to use LDAP as a phone book, but I'm not sure how
> to describe permissions; it doesn't seem intuitive to put it in a tree
> structure.

Perhaps you should go look at other distributed single-image system designs
for inspiration. E.g., AFS, DCE, Apollo DOMAIN. One of the fundamental
principles of the Unix operating system is that every object can be
manipulated by opening a name in the filesystem and obtaining a file
descriptor through which the object can be accessed. The Unix filesystem is
hierarchical, therefore every object resides somewhere in a hierarchy. The
Windows operating system copies this concept.

> How does Active Directory do it?

That's a question for a Microsoft discussion forum, not OpenLDAP-Software.

> How should I do it? I could use LDAP to
> store all the account information and put the permissions in a MySQL
> database.

Why implement two very different data access methodologies when you could use
just one? If you understand SQL and you see a way to structure the permission
data satisfactorily using SQL, and you don't know LDAP, then you're probably
better off just using SQL. If you're interested in using LDAP, then just use
LDAP, period.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support
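One way to codify a permission scheme of the kind asked about above and store it in LDAP, as an added example that is not from this thread or from OpenLDAP itself: resources live in an ou=resources subtree that mirrors the filesystem-style hierarchy, each carries a hypothetical aclEntry attribute of the form subjectDN:rights, and a resource inherits the entries of the containers above it. The objectClass "resource", the aclEntry attribute and all DNs are assumptions.

```python
from collections import defaultdict

# Constructed LDIF fragment, not from any real directory; "resource" and
# "aclEntry" (value format subjectDN:rights) are hypothetical names.
SAMPLE_LDIF = """\
dn: cn=editors,ou=groups,dc=example,dc=com
objectClass: groupOfNames
member: uid=alice,ou=people,dc=example,dc=com

dn: ou=docs,ou=resources,dc=example,dc=com
objectClass: organizationalUnit
aclEntry: cn=editors,ou=groups,dc=example,dc=com:rw

dn: cn=budget.xls,ou=docs,ou=resources,dc=example,dc=com
objectClass: resource
aclEntry: uid=bob,ou=people,dc=example,dc=com:r
aclEntry: uid=alice,ou=people,dc=example,dc=com:d
"""

def parse_ldif(text):
    """Minimal LDIF parser: {dn: {attr: [values]}}; no base64 or line folding."""
    entries, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            current = None
            continue
        attr, _, value = line.partition(": ")
        if attr == "dn":
            current = entries.setdefault(value, defaultdict(list))
        elif current is not None:
            current[attr].append(value)
    return entries

def parent_dn(dn):
    """Drop the leftmost RDN, like stepping up one directory in a filesystem."""
    return dn.split(",", 1)[1]

def effective_perms(entries, resource_dn, user_dn, root="ou=resources,dc=example,dc=com"):
    """Rights granted to user_dn, directly or via group membership, on
    resource_dn and on every container above it up to root (inheritance)."""
    groups = {dn for dn, e in entries.items() if user_dn in e.get("member", [])}
    subjects = groups | {user_dn}
    perms, dn = set(), resource_dn
    while True:
        for ace in entries.get(dn, {}).get("aclEntry", []):
            subject, _, rights = ace.rpartition(":")
            if subject in subjects:
                perms.update(rights)
        if dn == root or "," not in dn:  # stop at the subtree root (or top)
            return perms
        dn = parent_dn(dn)
```

Alice gets "d" directly on the file plus "rw" inherited from ou=docs via the editors group; Bob gets only "r".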