RE: Group authentication
On 1 Nov 00, at 10:39, Mark Gillies wrote:
> Hi Alex,
> >
> > I recently heard about group authentication using LDAP server.
> > I am not quite sure what this means. Does it mean that the
> > LDAP server will have a group which contains a list of
> > members and while authenticating, we'll first check whether
> > the user belongs to a particular group and then authenticate
These steps are backwards. Checking groups is part of the
authorization step, which should occur after the authentication
step. Why would you want to check to see if Mark Wilcox is a
member of a group, if you didn't even know if it was Mark Wilcox
who was accessing the system?
>
>
If you're using groups to manage LDAP security (meaning security
of data in the LDAP server), then it will check groups for you.
If you're using groups to manage application security, then you
need to check the group.
Mark
> The LDAP server itself doesn't actually check if a person belongs to a group
> (as far as I know) but the client application needs to do this search itself.
> Many clients (such as Netscape Webserver) have this built in. Others have
> built in hooks for adding your own authentication and authorisation. I saw
> some perl scripts that do this posted on openldap somewhere (called
> ismember.pl?). I also have some of mine but they are made for our schema.
> Mail me if they would be helpful.
>
> The steps for checking if somebody is a member of a group happen this way:
> 1. Authentication - try to bind as the person using the dn and password. If
> the password is correct then the bind will be successful.
> 2. Authorisation - see whether the person is in the authorised group - bind
> as someone that can search/compare the group objects and search/compare for
> the required group with a member/uniqueMember attribute with a value of the
> dn of your user.
>
> Hope this is helpful.
>
> Mark Gillies.
>
>
Mark Wilcox
mark@mjwilcox.com
Got LDAP?
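The two steps quoted above (bind as the user to authenticate, then bind as an account that may read the group and compare its member/uniqueMember attribute against the user's DN), written out as an added example in Perl with Net::LDAP. It is not Mark Gillies' ismember.pl or any script from the list; the host name, CA file path, user/group/service DNs and the SVC_PASSWORD and USER_PASSWORD environment variables are assumed placeholders for this example. It also keeps the order Mark Wilcox insists on: no group check until the bind as the user has succeeded.

```perl
#!/usr/bin/perl
# Added example, not Mark Gillies' ismember.pl: authenticate a user with a
# bind on their own DN, then authorise by checking group membership with a
# compare operation done under a service account.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Constant qw(LDAP_SUCCESS LDAP_COMPARE_TRUE);

# Assumed values for this example; replace with your own directory layout.
my $host     = 'ldap.example.com';
my $cafile   = '/etc/ssl/certs/ca.pem';
my $user_dn  = 'uid=mwilcox,ou=People,dc=example,dc=com';
my $group_dn = 'cn=webadmins,ou=Groups,dc=example,dc=com';
my $svc_dn   = 'cn=authz-reader,ou=Services,dc=example,dc=com';
my $svc_pw   = $ENV{SVC_PASSWORD} // die "set SVC_PASSWORD\n";

sub connect_tls {
    my ($h, $ca) = @_;
    my $ldap = Net::LDAP->new($h) or die "cannot connect to $h: $@\n";
    # A simple bind sends the password in clear; protect it with StartTLS
    # and require the server certificate to verify against a known CA.
    my $mesg = $ldap->start_tls(verify => 'require', cafile => $ca);
    die 'StartTLS failed: ' . $mesg->error . "\n" if $mesg->code;
    return $ldap;
}

# Step 1: authentication. The bind succeeds only with the correct password.
# An empty password is refused up front: RFC 4513 allows a server to treat
# a bind with a DN and no password as an anonymous (unauthenticated) bind,
# which would otherwise report success for any user DN.
sub authenticate {
    my ($ldap, $dn, $password) = @_;
    return 0 unless defined $password && length $password;
    my $mesg = $ldap->bind($dn, password => $password);
    return $mesg->code == LDAP_SUCCESS ? 1 : 0;
}

# Step 2: authorisation. Under an account permitted to compare the group,
# ask the server whether the group's member or uniqueMember attribute holds
# the user's DN. Compare never pulls the member list to the client and works
# with an ACL that grants only compare rights on that attribute.
sub is_member {
    my ($ldap, $group, $dn) = @_;
    for my $attr (qw(member uniqueMember)) {
        my $mesg = $ldap->compare($group, attr => $attr, value => $dn);
        return 1 if $mesg->code == LDAP_COMPARE_TRUE;
        # compareFalse or noSuchAttribute: fall through to the next attribute
    }
    return 0;
}

my $ldap = connect_tls($host, $cafile);

# Authenticate first; only then is it meaningful to ask about groups.
my $password = $ENV{USER_PASSWORD} // '';
if (!authenticate($ldap, $user_dn, $password)) {
    print "authentication failed for $user_dn\n";
    $ldap->unbind;
    exit 1;
}

# Rebind as the service account for the authorisation step.
my $mesg = $ldap->bind($svc_dn, password => $svc_pw);
die 'service bind failed: ' . $mesg->error . "\n" if $mesg->code;

if (is_member($ldap, $group_dn, $user_dn)) {
    print "$user_dn is authenticated and a member of $group_dn\n";
} else {
    print "$user_dn is authenticated but not in $group_dn\n";
}
$ldap->unbind;
```

Compare rather than search is used for the group check because the server answers with a single compareTrue/compareFalse result: the application never needs read access to the whole member list, and the service account can be restricted to compare rights on the group entry. The empty-password guard matters in practice, since a client that passes an empty string straight to bind can get a successful anonymous bind back and mistake it for a password check.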