RE: Group authentication
Hi Alex,
>
> I recently heard about group authentication using LDAP server.
> I am not quite sure what this means. Does it mean that the
> LDAP server will have a group which contains a list of
> members and while authenticating, we'll first check whether
> the user belongs to a particular group and then authenticate
Two standard objects that you can add to your schema are groupOfMembers or groupOfUniqueMembers (Netscape's addition). These objects have a multivalued attribute named member and uniqueMember respectively, in which the values will be the distinguished names of "person" objects.
> using his password OR does it mean that members of a
> particular group all have a common password?
Groups do not have a common password. (Of course, you can do anything you want with your own schema.)

The LDAP server itself doesn't actually check if a person belongs to a group (as far as I know), but the client application needs to do this search itself. Many clients (such as Netscape Webserver) have this built in. Others have built-in hooks for adding your own authentication and authorisation. I saw some perl scripts that do this posted on openldap somewhere (called ismember.pl?). I also have some of mine, but they are made for our schema. Mail me if they would be helpful.
The steps for checking if somebody is a member of a group go like this:

1. Authentication - try to bind as the person using the dn and password. If the password is correct then the bind will be successful.

2. Authorisation - see whether the person is in the authorised group - bind as someone that can search/compare the group objects and search/compare for the required group with a member/uniqueMember attribute with a value of the dn of your user.
Hope this is helpful.
Mark Gillies.
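The two-step bind-then-compare procedure described in the reply above, as an added example that is not part of the original post. It assumes a constructed in-memory directory (FakeDirectory) standing in for a real LDAP server; the DNs, passwords and group name are made-up sample data, and in practice bind()/compare() would map onto the bind and compare operations of an LDAP client library.

```python
"""Group authorisation against LDAP: authenticate by binding as the user, then
authorise by binding as a service account and comparing the group's
member/uniqueMember attribute against the user's DN."""
from dataclasses import dataclass, field


def normalize_dn(dn: str) -> str:
    """Crude DN normalisation (case, whitespace around ',' and '=') so that
    'CN=Alex, OU=People' and 'cn=alex,ou=people' compare equal. A real LDAP
    server applies distinguishedNameMatch itself; this is only for the stand-in."""
    return ",".join("=".join(x.strip().lower() for x in part.split("=", 1))
                    for part in dn.split(","))


@dataclass
class FakeDirectory:
    """Constructed stand-in for an LDAP server: normalised DN -> attributes.
    'userPassword' is a plain string, every other attribute a set of values."""
    entries: dict = field(default_factory=dict)

    def bind(self, dn: str, password: str) -> bool:
        entry = self.entries.get(normalize_dn(dn))
        return entry is not None and entry.get("userPassword") == password

    def compare(self, dn: str, attr: str, value: str) -> bool:
        entry = self.entries.get(normalize_dn(dn))
        if entry is None:
            return False
        return normalize_dn(value) in {normalize_dn(v) for v in entry.get(attr, ())}


def check_access(directory, user_dn, password, group_dn, service_dn, service_pw):
    """Returns (authenticated, authorised) for user_dn against group_dn."""
    # Reject an empty password *before* binding: RFC 4513 5.1.2 lets a server
    # treat 'DN + empty password' as an anonymous bind, which would succeed.
    if not password or not directory.bind(user_dn, password):
        return False, False
    # Step 2 runs under a service account that may read/compare group objects.
    if not directory.bind(service_dn, service_pw):
        raise RuntimeError("service account bind failed")
    authorised = any(directory.compare(group_dn, attr, user_dn)
                     for attr in ("member", "uniqueMember"))
    return True, authorised


# Constructed sample directory: one user, one service account, one group.
DIRECTORY = FakeDirectory({
    normalize_dn("cn=alex,ou=people,dc=example,dc=com"): {"userPassword": "s3cret"},
    normalize_dn("cn=svc-auth,ou=services,dc=example,dc=com"): {"userPassword": "svc-pw"},
    normalize_dn("cn=admins,ou=groups,dc=example,dc=com"): {
        "uniqueMember": {"CN=Alex, OU=People, DC=example, DC=com"}},
})
```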