[Date Prev][Date Next] [Chronological] [Thread] [Top]

Using LDAP to describe permissions

To: <openldap-software@OpenLDAP.org>
Subject: Using LDAP to describe permissions
From: "Kent Wang" <kwang@kwang.org>
Date: Sun, 9 Nov 2003 12:24:54 -0600
Importance: Normal
In-reply-to: <1068400548.3q9wikelawg0@www.ambigc.com>

>From what I understand, Microsoft's Active Directory is really an LDAP
solution combined with Kerberos. I'm interested in building a similar
system for PHP applications for a corporate intranet.

However, I'm not sure how to use LDAP to describe complex permissions
schemes. I would like to have as fine-grained control as Active
Directory has: every object (file, directory) can be specified to have
read/write/delete/admin/etc permission to any set of groups or single
users.

It makes sense for me to use LDAP as a phone book, but I'm not sure how
to describe permissions; it doesn't seem intuitive to put it in a tree
structure.

How does Active Directory do it? How should I do it? I could use LDAP to
store all the account information and put the permissions in a MySQL
database.

Kent Wang
IC2 Institute
University of Texas

Follow-Ups:
- RE: Using LDAP to describe permissions
  - From: "Howard Chu" <hyc@symas.com>

References:
- Searches failing weird
  - From: Chris Hamilton <chris@ambigc.com>

Prev by Date: Searches failing weird
Next by Date: Re: Searches failing weird
Index(es):
- Chronological
- Thread