
Re: Using LDAP for Auth & Access Control?



Hi,
I don't know of anything definite on-line, but this topic is covered 
both in my book, "Implementing LDAP" and "Understanding and 
Deploying LDAP Directory Services" by Tim Howes, et al.

I do have a brief article on the subject at 
http://developer.iplanet.com/viewsource/ (I think we titled the article 
"Straight Talk on Security", I write the LDAP Heavyweight column 
for Netscape ViewSource).

Also I would suggest poking around in the LDAP modules for 
Apache with mod_perl. 

I'll also be talking about this at ApacheCon 2000 (presentation 
should be online when the conference rolls around in March). 

Typically what people do when using LDAP for something like this 
is to use LDAP for authentication (which is easy/trivial to do). 

The hard part is management of authorization information. 
Authentication simply tells you that a particular set of credentials 
provided by a client matched the same credentials in your LDAP 
server (which is what happens in any authentication system). You 
assume that since these credentials should only be able to be 
provided by a particular person, then the application is 
"authenticated" as that user.

Authorization means what can that user do now that they have 
authenticated. 

You could authorize access based on group membership, where 
the user's entry lies in the DIT, time of day, gender, an attribute in 
their entry or a number of different routes.

So to be honest what you probably want to do is to use an existing 
authentication service such as Kerberos (which already provides a 
standardized means of providing authorization services) and use a 
directory service to feed the user & application data to Kerberos.

just my thoughts.

Mark
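The search-then-bind authentication step and the separate authorization decision described above (group membership, where the entry sits in the DIT, time of day), as an added Python example that is not from this thread, the book or the ViewSource article; the in-memory DIRECTORY, its DNs, the policy shape and the simplified DN parsing are constructed stand-ins for a real server and client.

```python
# Constructed in-memory stand-in for an LDAP server. With a real client
# (python-ldap, ldap3) find_user_dn would be a search and bind a BindRequest.
DIRECTORY = {
    "uid=alice,ou=staff,dc=example,dc=com": {
        "objectClass": ["person"], "uid": "alice", "userPassword": "s3cret"},
    "uid=bob,ou=contractors,dc=example,dc=com": {
        "objectClass": ["person"], "uid": "bob", "userPassword": "hunter2"},
    "cn=admins,ou=groups,dc=example,dc=com": {
        "objectClass": ["groupOfNames"], "member": ["uid=alice,ou=staff,dc=example,dc=com"]},
}

def find_user_dn(uid):
    # Search step: map the login name to the DN that will be bound.
    for dn, attrs in DIRECTORY.items():
        if "person" in attrs["objectClass"] and attrs.get("uid") == uid:
            return dn
    return None

def bind(dn, password):
    # Bind step. An empty password is refused up front: a real server treats a DN
    # with no password as an unauthenticated bind (RFC 4513 5.1.2) that proves nothing.
    if not password:
        return False
    return DIRECTORY.get(dn, {}).get("userPassword") == password

def authenticate(uid, password):
    # Search-then-bind; returns the authenticated DN, or None on failure.
    dn = find_user_dn(uid)
    return dn if dn and bind(dn, password) else None

def dn_under(dn, base):
    # Location in the DIT: is dn strictly inside the subtree rooted at base?
    # Simplified: splits on commas, so escaped commas in RDN values are not handled.
    parts = [p.strip().lower() for p in dn.split(",")]
    base_parts = [p.strip().lower() for p in base.split(",")]
    return len(parts) > len(base_parts) and parts[-len(base_parts):] == base_parts

def member_of(dn, group_dn):
    # groupOfNames membership: the group entry lists the user's DN in 'member'.
    return dn in DIRECTORY.get(group_dn, {}).get("member", [])

def authorize(dn, policy, hour):
    # Separate decision over the authenticated DN; every rule present must hold.
    # policy keys: "group" (DN), "subtree" (DN), "hours" ((start, end), 0-23).
    if "group" in policy and not member_of(dn, policy["group"]):
        return False
    if "subtree" in policy and not dn_under(dn, policy["subtree"]):
        return False
    if "hours" in policy and not (policy["hours"][0] <= hour < policy["hours"][1]):
        return False
    return True
```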



On 30 Nov 99, at 18:03, Chris Starling wrote:

> 
> I'm needing to develop a fairly flexible authentication and access 
> control scheme for a client/server type of application.  I began my 
> research for a solution being inspired by Netware's NDS, having 
> had a very minor amount of experience with it.  I mentioned this to 
> a friend who said I should look into LDAP for storing user access 
> information and I realized the World of Directory Services.
> 
> Now, I'm struggling trying to assimilate all this LDAP information 
> I'm reading online into my RDBMS-oriented brain.  And I'm 
> wondering:
> 
> Is there a good example or case study available online that 
> illustrates the use of LDAP for an authentication & access control 
> implementation?
> 
> 
> I'm reading the mailing list archives and searching the web, but I 
> have yet to find a good example that will really help me understand 
> how to adapt LDAP's objects for this application.  If there's a book 
> with this information in it, I'd be interested to hear about it as well.
> 
> It just seems like everything I read about LDAP lists all these 
> varied and different applications it can be used for, but all the 
> examples I'm reading are for simple phonebook type directories.
> 
> Thanks a bunch,
> -chris
> 
>