[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Authentification for multiple applications.





--On Tuesday, January 06, 2004 4:53 PM -0500 "Kirk A. Turner-Rustin" <ktrustin@owu.edu> wrote:

On Tue, 6 Jan 2004, Alejandro Leyva Rabinovich wrote:


Hi all, we are developing some applications based on ldap, but we dont know how to give different access to different applications with ldap, here is the problem:

we have two applications, appA and appB, an user is autorized to use
appA  but not appB, how could i get it into ldap?

whats the best way to do that?

If you are truly interested in controlling authorization (as opposed to authentication), one common way is to assign one or more special attributes to each user's LDAP entry that indicate which applications that user is allowed to use, then modify the applications to accept/reject users based on the values (or presence) of those attributes.

Another common way is to create a group for each app by adding LDAP
entries with the groupOfNames or groupOfUniqueNames objectclass,
populate those groups with the dn's of the authorized users, then
have the application check for a the presence of a user's dn in the
appropriate group.

With 2.2.4, you can also now create dynamic groups, which will determine if a user belongs to a group by the existence of attributes in their entry, which is essentially a combination of both these steps.


--Quanah

--
Quanah Gibson-Mount
Principal Software Developer
ITSS/TSS/Computing Systems
ITSS/TSS/Infrastructure Operations
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html