
Re: Authentication by group



Mauricio Paulo de Sousa writes:
> The problem I have to resolve is to see if it is possible to authenticate
> the users by groups...

I'm not sure what you mean, but hopefully you'll find an answer
somewhere below :-)

Authentication is just to prove your identity - e.g. Bind with username
and password, then the server verifies your password.  This rarely has
anything to do with groups, though you could divide users into different
LDAP subtrees or whatever.

If you mean to check if the user belongs to a particular group, then you
can e.g. have a group object in LDAP which lists all its members, and
the client which wants to check group membership can use the LDAP
Compare operation to check if the user's DN or username is listed in the
member attribute.  Likely after first authenticating the user.

Alternatively you can list all the groups the user is a member of, in
the user's object.  In that case take care that the user does not have
write access to his group attribute, otherwise he can give himself
membership in any group.


If what you want is to give access to objects in the LDAP directory
based on group membership, you can do that with access controls (see man
slapd.access).
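As an added example (not part of the original message) of the two points above, a slapd.conf access-control fragment that keeps the user's own group attribute read-only for him, lets clients check membership with Compare, and grants a subtree by group.  The suffix dc=example,dc=com, the admin DN, the attribute name memberOf used for the per-user group list and the ou=confidential subtree are all assumed names:

```conf
# Added example, not from the original post.  Assumed layout:
#   users  under ou=people,dc=example,dc=com
#   groups under ou=groups,dc=example,dc=com (groupOfNames, attribute member)
#   per-user group list in a user-defined attribute assumed to be named memberOf
# slapd evaluates "access to" clauses in order and the first matching clause
# wins, so the attribute-specific rules must come before the catch-all.

# Users may set their own password; anonymous may only use it to Bind.
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none

# The user may read his own group list but never write it, so he cannot
# grant himself membership in additional groups.  Only the admin may edit it.
access to attrs=memberOf
    by dn.exact="cn=admin,dc=example,dc=com" write
    by users read
    by * none

# Group member lists: admin edits them, authenticated clients may Compare
# against them (enough for a membership check, not enough to enumerate them).
access to dn.subtree="ou=groups,dc=example,dc=com" attrs=member
    by dn.exact="cn=admin,dc=example,dc=com" write
    by users compare
    by * none

# Access to a protected subtree decided by group membership: only DNs listed
# in the member attribute of cn=staff may read it.
access to dn.subtree="ou=confidential,dc=example,dc=com"
    by group.exact="cn=staff,ou=groups,dc=example,dc=com" read
    by * none

# Catch-all.  "by self write" here does NOT reach memberOf or member,
# because the more specific clauses above already matched.
access to *
    by self write
    by users read
    by * none
```

With these rules an authenticated client can test membership with the command-line Compare operation, e.g. `ldapcompare -D "uid=alice,ou=people,dc=example,dc=com" -W "cn=staff,ou=groups,dc=example,dc=com" "member:uid=alice,ou=people,dc=example,dc=com"`, which answers TRUE or FALSE without returning the member list.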

> and make users belong to more than one group, but by priorities... I
> don't know if this is possible.
> Can anybody tell me if it is possible?

Users can belong to several groups, by listing the same user in the
member attributes of those groups.  However most LDAP data is unordered,
so you may have to implement priorities yourself.  You could have an
attribute in each user's object which simply contains an ordered
comma-separated (or something) list of his groups.  Or you could define
a group attribute with the X-ORDERED extension, which allows you to
keep a multi-valued attribute sorted.

-- 
Hallvard