
LDAP Simple Single Sign-On Architecture with Permissions



Hi.

I'm new to LDAP. I guess that you hate this kind of question, but I have
several doubts and I need some advice ...
I need to build a single sign-on server for authenticating users from some
applications (our applications).
For each application, there must be a group of permissions which can inherit
the permissions from another group. The permissions may differ from group to
group, because their values depend on the application's information domain.
There must be a list of users, and each user can have a group of permissions
for an application.

I was thinking of something like:

# This authentication tree is organized in the following way:
# + - example.com
# + --- Users
# + ----- US
# + ------- User Id 1 (the attribute permission gets the value "Per.. Group 1.2")
# + ------- User Id 2 (the attribute permission gets the value "Per.. Group 2.2")
# + ----- Canada
# + ------- User Id 3 (the attribute permission gets the values "Per.. Group 1.1" and "Per.. Group 2.1")
# + ------- User Id 4 (the attribute permission gets the value "Per.. Group 1.1")
# + --- Applications
# + ----- Application 1
# + ------- Permission Group 1.1
# + ------- Permission Group 1.2 (the attribute extends gets the value "Per.. Group 1.1")
# + ----- Application 2
# + ------- Permission Group 2.1
# + ------- Permission Group 2.2

Obs: In the model above, I'm not thinking of userPassword or other ordinary
attributes from inetOrgPerson.

However, according to this tree, I don't know, for instance, what kind of
objectClass "Applications", "Users" or "Permission Group X.Y" should be.
I don't know whether a better solution might be the creation of new
objectClasses?

I wonder if someone could help me with a better solution, or even with how to
improve the solution I've proposed.

Sorry for the bothersome question.

Regards,
Flavio Alves
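One way to express the proposed tree with standard objectClasses only, as an added example that is not part of the original post or any reply to it: containers are organizationalUnit, users are inetOrgPerson, and each "Permission Group" is a groupOfNames under its application's ou. The "extends" relation is modelled as a nested group (Group 1.1 lists Group 1.2 as a member, so every holder of 1.2 also holds 1.1). The LDIF, the DNs and the user names below are constructed sample data; the resolver walks nested groups with cycle protection, which is the check a provisioning script needs before it trusts an inheritance chain.

```python
# Added example (not from the original post): the proposed SSO tree expressed
# with standard objectClasses (organizationalUnit, inetOrgPerson, groupOfNames)
# and a resolver that computes a user's effective permission groups.
# "Group 1.2 extends Group 1.1" is modelled by listing Group 1.2 as a member of
# Group 1.1 (nested group). All DNs and entries below are constructed samples.
from collections import defaultdict

BASE = "dc=example,dc=com"
G11 = f"cn=Permission Group 1.1,ou=Application 1,ou=Applications,{BASE}"
G12 = f"cn=Permission Group 1.2,ou=Application 1,ou=Applications,{BASE}"
G21 = f"cn=Permission Group 2.1,ou=Application 2,ou=Applications,{BASE}"
G22 = f"cn=Permission Group 2.2,ou=Application 2,ou=Applications,{BASE}"
U = {n: f"uid=user{n},ou={c},ou=Users,{BASE}"
     for n, c in ((1, "US"), (2, "US"), (3, "Canada"), (4, "Canada"))}

SAMPLE_LDIF = f"""\
dn: {U[1]}
objectClass: inetOrgPerson
uid: user1
cn: User One
sn: One

dn: {U[2]}
objectClass: inetOrgPerson
uid: user2
cn: User Two
sn: Two

dn: {U[3]}
objectClass: inetOrgPerson
uid: user3
cn: User Three
sn: Three

dn: {U[4]}
objectClass: inetOrgPerson
uid: user4
cn: User Four
sn: Four

dn: {G11}
objectClass: groupOfNames
cn: Permission Group 1.1
member: {U[3]}
member: {U[4]}
member: {G12}

dn: {G12}
objectClass: groupOfNames
cn: Permission Group 1.2
member: {U[1]}

dn: {G21}
objectClass: groupOfNames
cn: Permission Group 2.1
member: {U[3]}

dn: {G22}
objectClass: groupOfNames
cn: Permission Group 2.2
member: {U[2]}
"""


def parse_ldif(text):
    """Minimal LDIF parser -> {dn: {attr_lower: [values]}}.
    Handles folded continuation lines; base64 ("::") values are not needed here."""
    entries = {}
    for record in text.strip().split("\n\n"):
        lines = []
        for raw in record.splitlines():
            if raw.startswith(" ") and lines:
                lines[-1] += raw[1:]          # unfold a wrapped line
            elif raw and not raw.startswith("#"):
                lines.append(raw)
        attrs = defaultdict(list)
        for line in lines:
            name, _, value = line.partition(":")
            attrs[name.strip().lower()].append(value.strip())
        entries[attrs.pop("dn")[0]] = dict(attrs)
    return entries


def direct_groups(entries, member_dn):
    """Groups that list member_dn directly (exact DN string match; a real
    directory normalises DNs, so keep them consistent when provisioning)."""
    return {dn for dn, a in entries.items()
            if "groupofnames" in {c.lower() for c in a.get("objectclass", [])}
            and member_dn in a.get("member", [])}


def effective_permissions(entries, user_dn):
    """All permission groups held directly or through nesting; 'held' guards
    against loops so a mis-provisioned cycle cannot hang the login path."""
    held, frontier = set(), direct_groups(entries, user_dn)
    while frontier:
        g = frontier.pop()
        if g not in held:
            held.add(g)
            frontier |= direct_groups(entries, g)
    return held


def permissions_by_application(entries, user_dn):
    """Map application ou name -> set of permission group cn values."""
    out = defaultdict(set)
    for g in effective_permissions(entries, user_dn):
        app = g.split(",")[1][len("ou="):]    # parent RDN is the application
        out[app].add(entries[g]["cn"][0])
    return dict(out)


def inheritance_cycles(entries):
    """Groups that transitively contain themselves; reject these at provisioning."""
    bad = set()
    groups = [dn for dn in entries if direct_groups(entries, dn) or "member" in entries[dn]]
    for g in groups:
        seen, stack = set(), [g]
        while stack:
            for parent in direct_groups(entries, stack.pop()):
                if parent == g:
                    bad.add(g)
                elif parent not in seen:
                    seen.add(parent)
                    stack.append(parent)
    return bad


if __name__ == "__main__":
    tree = parse_ldif(SAMPLE_LDIF)
    for n in sorted(U):
        print(f"user{n}:", permissions_by_application(tree, U[n]))
    print("cycles:", inheritance_cycles(tree))
```

Resolving membership this way answers the objectClass question without a custom schema: an application only needs to search for groupOfNames entries under its own ou, and the nested-group walk gives it the inherited permissions. If the directory server offers a memberOf overlay, the direct lookup can be replaced by reading the user's memberOf attribute, but the cycle check is still worth running on every change to a group's member list.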