I have been looking into OpenLDAP for a couple of weeks now. I'm working on a school project which requires me to implement user authentication, single sign-on (SSO) across, but not limited to, a couple of web applications, and user authorization down to object level, giving different access levels to users based on their roles, e.g. admin, user, etc. I'm sure I can do this using OpenLDAP and Java (JNDI or the Netscape Java API). Since this requires me to extend the schema, I have the following questions regarding the same:
1. I was wondering if there already exists a schema that defines users with different roles? I'd rather use an existing schema that (almost) does my job than "reinvent the wheel". Also, I'm curious to know if anybody has already done this and is willing to share some ideas with me or would like to point me in a good direction.
2. I have a question which is similar to one of the _many_ interesting questions asked by Kevin J. McCarthy regarding ACLs:
<snippet from Kevin's Mail>
Problem 1: Access control (ACL) is outside the DIT
Why is this a problem?
1. Access controls cannot be replicated
2. Access controls cannot be made on-the-fly
3. Changes in access controls require a restart of slapd, killing all connections
4. Access to access lists is not configurable (needs write perms to access.conf)
</snippet from Kevin's Mail>
His original post can be accessed from the following links:
Any help would be greatly appreciated.
-- Ankur --
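As an added example (not part of Ankur's post or of OpenLDAP itself) of how the role lookup in question 1 can be done with the standard groupOfNames class from core.schema, without extending the schema: the application binds as the user with JNDI, then reads the user's roles from the groups that list the user's DN. The server URL, base DNs, uid RDN and the ou=roles container are assumptions.

```java
import java.util.*;
import javax.naming.*;
import javax.naming.directory.*;
import javax.naming.ldap.Rdn;

/** Authenticates a user by LDAP bind and returns the roles (groupOfNames entries) that list the user. */
public class LdapRoleCheck {
    // Assumed deployment values, constructed for this example
    static final String URL = "ldaps://ldap.example.org:636";
    static final String USER_BASE = "ou=people,dc=example,dc=org";
    static final String ROLE_BASE = "ou=roles,dc=example,dc=org";

    /** Returns the user's role names, or null when the bind (i.e. the password check) fails. */
    static Set<String> authenticateAndGetRoles(String uid, char[] password) throws NamingException {
        // A simple bind with an empty password is treated as an anonymous/unauthenticated bind
        // by LDAP servers (RFC 4513 section 5.1.2), so it must be rejected before binding.
        if (password == null || password.length == 0) return null;

        // Rdn.escapeValue applies RFC 4514 escaping so a crafted uid cannot change the DN.
        String userDn = "uid=" + Rdn.escapeValue(uid) + "," + USER_BASE;

        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, userDn);
        env.put(Context.SECURITY_CREDENTIALS, new String(password));

        DirContext ctx;
        try {
            ctx = new InitialDirContext(env); // bind as the user: the server verifies the password
        } catch (AuthenticationException e) {
            return null;
        }
        try {
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.ONELEVEL_SCOPE);
            sc.setReturningAttributes(new String[] {"cn"});
            // {0} is encoded by JNDI as a filter argument, which prevents LDAP filter injection.
            NamingEnumeration<SearchResult> results = ctx.search(ROLE_BASE,
                    "(&(objectClass=groupOfNames)(member={0}))", new Object[] {userDn}, sc);
            Set<String> roles = new TreeSet<>();
            while (results.hasMore()) {
                Attribute cn = results.next().getAttributes().get("cn");
                if (cn != null) roles.add((String) cn.get());
            }
            return roles; // e.g. ["admin", "user"] for a user listed in both groups
        } finally {
            ctx.close();
        }
    }
}
```

The web applications then enforce authorization on the returned role set; the LDAP access directives only need to let each user read their own entry and the role entries.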