
RE: Confused about LDAP in general



>Where I get really hung up is on authorization.  I understand 
>groupOfNames and I've actually seen it used in LDAP schemas.  
>But seems like every LDAP server has done its own tweaking 
>here and there so things are slightly different between the 
>various implementations. 

Perhaps the reason for this is that ldap is not an authorization
service. It is a directory service. Think about where ldap works best:
very quick, read-only requests. Not business processing.

>I'm confused as to how I -- as a developer -- would develop an 
>application that uses an existing LDAP implementation for 
>authenticating whether a given user has the right to perform a 
>given task.

If all you require are simple tests for users in certain groups, or
whether or not they hold a particular account status, then the
implementation would be simple: define and populate the attribute for
your users, then permit access based on a string match. It becomes a
simple matter of testing "a" against "b" (i.e. does "membershipStatus"
equal "gold").

However, if you are looking to implement a non-trivial authorization
service, I would suggest moving the decision making outside of ldap.

Any significantly complex application requires rules and parameters in
order to grant a user access to a resource. Time of day, account
balance, status of a transaction or workflow, relationship of one object
to another - these would be a few examples of rules. Some of the
information may naturally be stored in ldap, but others may require
querying other systems or disparate databases. But, together, all of it
will require further business logic, logic that ldap cannot provide.

Hope this helps.

cheers,
Sasha
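An added example (not code from Sasha's post or from any LDAP server) showing both halves of the advice above: the directory is asked only read-only attribute questions ("is memberOf X", "does membershipStatus equal gold"), and the actual authorization decision, including rules such as time of day and account balance that live outside LDAP, is made by a policy function in the application. The directory entries, group DNs, the "trade" action and the rule thresholds are all constructed for illustration; a real deployment would replace the `lookup` dict with an LDAP search and the `balance` field with a query to the billing system.

```python
"""Added example: LDAP as an attribute source, authorization decided in the app.

Assumptions (hypothetical, not from the original post): users carry 'memberOf'
and 'membershipStatus' attributes; the 'trade' action and its rules are made up.
"""
from dataclasses import dataclass
from datetime import time

# Constructed stand-in for the result of an LDAP search: DN -> attributes.
# In a real deployment this dict is replaced by a search against the directory.
DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=com": {
        "memberOf": ["cn=traders,ou=groups,dc=example,dc=com"],
        "membershipStatus": ["gold"],
    },
    "uid=bob,ou=people,dc=example,dc=com": {
        "memberOf": ["cn=staff,ou=groups,dc=example,dc=com"],
        "membershipStatus": ["silver"],
    },
}

TRADERS = "cn=traders,ou=groups,dc=example,dc=com"


def _norm(dn: str) -> str:
    """Crude DN normalisation (case and spacing); LDAP DN matching is
    case-insensitive, and full RFC 4514 normalisation is more involved."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def lookup(dn: str) -> dict:
    """The only thing the directory is asked: a quick, read-only lookup."""
    return DIRECTORY.get(dn, {})


def is_member(user_dn: str, group_dn: str) -> bool:
    """Simple test of 'a' against 'b': is group_dn among the user's memberOf."""
    groups = lookup(user_dn).get("memberOf", [])
    return _norm(group_dn) in {_norm(g) for g in groups}


def has_status(user_dn: str, status: str) -> bool:
    """Does the user's membershipStatus attribute equal the given value."""
    return status in lookup(user_dn).get("membershipStatus", [])


@dataclass
class Request:
    user_dn: str
    action: str
    now: time        # time of day the request arrives
    balance: float   # from the billing system, not from LDAP (constructed)


def authorize(req: Request) -> tuple[bool, str]:
    """Policy decision point: combines directory attributes with business
    rules the directory cannot express. Default deny; returns (allowed, why)."""
    if req.action != "trade":
        return False, "unknown action"
    # Rule 1: group membership, answered by the directory.
    if not is_member(req.user_dn, TRADERS):
        return False, "not in traders group"
    # Rule 2: time of day, a parameter the directory knows nothing about.
    if not (time(9, 0) <= req.now <= time(17, 0)):
        return False, "outside trading hours"
    # Rule 3: account balance from another system, combined with an
    # attribute from the directory.
    if req.balance < 0 and not has_status(req.user_dn, "gold"):
        return False, "negative balance requires gold status"
    return True, "ok"


if __name__ == "__main__":
    alice = "uid=alice,ou=people,dc=example,dc=com"
    bob = "uid=bob,ou=people,dc=example,dc=com"
    for r in (Request(alice, "trade", time(10, 0), 100.0),
              Request(alice, "trade", time(18, 0), 100.0),
              Request(bob, "trade", time(10, 0), 100.0),
              Request(alice, "trade", time(10, 0), -5.0)):
        print(r.user_dn.split(",")[0], r.action, r.now, authorize(r))
```

The directory functions stay trivial string matches, which is exactly what a directory is good at; everything that needs a second data source or a temporal or relational rule sits in `authorize`, where it can be unit-tested and changed without touching the schema.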