
Re: Authentication per service

Linux Corporativo writes:
> My question is: How to give permission to A user to MAIL only, B user
> to MAIL and PROXY and D user to PROXY only, since my users/password
> base is unique ?

First the service needs to authenticate the user: Normally Bind as the
user - maybe with Kerberos if you use that, otherwise with DN and
password which you ask the user first.  Or ask for username instead of
DN, and construct or search for the DN with that username before

Then, to authorize users for the services:

For each service, maintain a group whose members can use the service.
The service can use the LDAP Compare operation to check if the group
contains the user as a member.  Typically object class groupOfNames with
the users' DNs listed in the 'member' attribute.

If that scales poorly (you'd get 10000 members per group which each
Compare must walk through), maybe you can denote access to the service
in the user objects instead: In each user object, include an attribute
which lists which services the user can use.  Or the groups which denote
these services, or whatever.  Then the service checks if the user's
object names the service or group which gives access to the service.

In this case, access controls must prevent users from modifying these
attributes in their own entries, and from creating new user entries (with
password and membership attribute).  Otherwise they can grant themselves
access to a service.
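The username-to-DN lookup, bind and group Compare described in the reply above, as an added example that is not part of the original message. It runs against a constructed in-memory directory (three users, one groupOfNames per service, clear-text passwords only to stay self-contained); with a real server the `search`, `simple_bind` and `compare` functions would wrap an LDAP client library (assumed, for instance python-ldap or ldap3). The escaping helpers are the part worth copying: when the DN is searched for or constructed from a username the user typed, the value must be escaped per RFC 4515 (filters) or RFC 4514 (DNs), otherwise a username such as `*` matches every entry.

```python
import re

BASE = "dc=example,dc=com"

# Constructed sample directory: users alice (mail only), bob (mail and proxy)
# and dave (proxy only), plus one groupOfNames per service.
DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=com": {
        "objectClass": ["inetOrgPerson"], "uid": ["alice"], "userPassword": ["alice-pw"]},
    "uid=bob,ou=people,dc=example,dc=com": {
        "objectClass": ["inetOrgPerson"], "uid": ["bob"], "userPassword": ["bob-pw"]},
    "uid=dave,ou=people,dc=example,dc=com": {
        "objectClass": ["inetOrgPerson"], "uid": ["dave"], "userPassword": ["dave-pw"]},
    "cn=mail-users,ou=groups,dc=example,dc=com": {
        "objectClass": ["groupOfNames"],
        "member": ["uid=alice,ou=people,dc=example,dc=com",
                   "uid=bob,ou=people,dc=example,dc=com"]},
    "cn=proxy-users,ou=groups,dc=example,dc=com": {
        "objectClass": ["groupOfNames"],
        "member": ["uid=bob,ou=people,dc=example,dc=com",
                   "uid=dave,ou=people,dc=example,dc=com"]},
}
SERVICE_GROUPS = {
    "mail": "cn=mail-users,ou=groups,dc=example,dc=com",
    "proxy": "cn=proxy-users,ou=groups,dc=example,dc=com",
}


def escape_filter_value(value):
    """RFC 4515 escaping for a value placed inside a search filter.
    Without it a username such as '*' or '*)(uid=*' rewrites the filter."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def escape_dn_value(value):
    """RFC 4514 escaping for an attribute value used when constructing a DN."""
    escaped = re.sub(r'([,+"\\<>;])', r"\\\1", value)
    if escaped.endswith(" "):
        escaped = escaped[:-1] + "\\ "
    if escaped[:1] in ("#", " "):
        escaped = "\\" + escaped
    return escaped


def construct_user_dn(username):
    """The 'construct the DN' alternative: no search, but still escaped."""
    return "uid=%s,ou=people,%s" % (escape_dn_value(username), BASE)


def _unescape_filter_value(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def _assertion_matches(pattern, value):
    """Match one filter assertion value: '*' is a wildcard, '\\xx' a literal."""
    regex = ".*".join(re.escape(_unescape_filter_value(p)) for p in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def search(base, filt):
    """Stand-in for an LDAP search: (attr=value) clauses, ANDed, exact case."""
    clauses = re.findall(r"\(([A-Za-z][\w;.-]*)=([^()]*)\)", filt)
    hits = []
    for dn, attrs in DIRECTORY.items():
        if not dn.endswith(base):
            continue
        if all(any(_assertion_matches(v, x) for x in attrs.get(a, []))
               for a, v in clauses):
            hits.append(dn)
    return hits


def find_user_dn(username):
    """Map the typed username to a DN, or None; ambiguity is an error,
    never 'take the first hit'."""
    filt = "(&(objectClass=inetOrgPerson)(uid=%s))" % escape_filter_value(username)
    hits = search(BASE, filt)
    if len(hits) > 1:
        raise LookupError("username %r matches %d entries" % (username, len(hits)))
    return hits[0] if hits else None


def simple_bind(dn, password):
    """Stand-in for a simple bind as the user (a real server checks a hash)."""
    entry = DIRECTORY.get(dn)
    return bool(entry) and password in entry.get("userPassword", [])


def compare(dn, attribute, value):
    """Stand-in for the LDAP Compare operation on one attribute value."""
    entry = DIRECTORY.get(dn)
    return bool(entry) and value in entry.get(attribute, [])


def authorize(username, password, service):
    """Authenticate by bind, then authorize by Compare against the service group."""
    group_dn = SERVICE_GROUPS.get(service)
    if group_dn is None:
        return False
    user_dn = find_user_dn(username)
    if user_dn is None or not simple_bind(user_dn, password):
        return False
    return compare(group_dn, "member", user_dn)
```

The same `search` used with an unescaped username shows why the escaping matters: `search(BASE, "(uid=*)")` returns all three users, while `find_user_dn("*")` looks for a literal asterisk and returns None.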
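The access controls the last paragraph asks for, as an added slapd.conf fragment that is not from the original message. It assumes an administrator `cn=admin,dc=example,dc=com`, users under `ou=people`, service groups under `ou=groups`, and, for the attribute-in-the-user-entry variant, a hypothetical `allowedService` attribute; the point is that users can bind and change their own password, services bound as the user can Compare group membership, but nobody except the administrator can write membership or create entries.

```conf
# Constructed example slapd.conf access directives (not from the original post).
# Rules are evaluated in order; the first "access to" that matches wins.

# Users may change their own password; anonymous binds may only use it for auth.
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none

# Attribute-in-user-entry variant: 'allowedService' is a hypothetical attribute
# naming the services a user may use.  Only the administrator writes it; the
# service, bound as the user, needs compare (or read) but not write.
access to attrs=allowedService
        by dn.exact="cn=admin,dc=example,dc=com" write
        by self compare
        by * none

# Group variant: membership is administrator-only; services bound as a user
# only need Compare on the 'member' attribute.
access to dn.subtree="ou=groups,dc=example,dc=com" attrs=member
        by dn.exact="cn=admin,dc=example,dc=com" write
        by users compare
        by * none

# Adding an entry requires write access to the parent's 'children'
# pseudo-attribute, so this stops users creating new user entries.
access to dn.exact="ou=people,dc=example,dc=com" attrs=children
        by dn.exact="cn=admin,dc=example,dc=com" write
        by * none

# Everything else: administrator writes, authenticated users read.
access to *
        by dn.exact="cn=admin,dc=example,dc=com" write
        by users read
        by * none
```

Without the `children` rule a user who could write under `ou=people` could add an entry with a password and a membership attribute of their choosing, which is exactly the self-granted access the reply warns about.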