using ldap to control access to other services
- To: email@example.com
- Subject: using ldap to control access to other services
- From: William Cai <firstname.lastname@example.org>
- Date: Wed, 4 Aug 2010 18:12:26 +0800
I have been using LDAP for some time. The LDAP server is mainly used to store user information. Today I heard that LDAP can be used to control access to other services. More specifically: "The way it works is that your (or any other) app calls LDAP with something like 'I am user A, here is my ticket, so what can I do?' and then LDAP responds: 'User A has a type X and can access the B, C and D functions, but cannot access the X, Y and Z functions.' So your app realizes that 'Type X can access today and tomorrow, but not the day after tomorrow', etc." I went through the OpenLDAP document http://www.openldap.org/doc/admin24/access-control.html, but it seems to focus on how to control access to the LDAP server itself. Could anybody show me how to implement this?
1. Do I need to model the business environment in LDAP? E.g., create a node for each function point.
2. What is the programming model? Can I use a Java interface to retrieve this permission information?
3. Is this an OpenLDAP-specific function or a common LDAP function?
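The pattern described in the message above (app asks the directory "which roles does this user hold, and what may those roles do?") is commonly built on the standard groupOfNames object class: one group entry per application role, with the user DNs in its member attribute, and the application issuing a search for groups that list the authenticated user. The following is an added example written for this page; it is not code from the original post or from the OpenLDAP project. The directory layout (ou=roles, a comma-separated function list stored in description), the entry data and the in-memory stand-in for the LDAP search are all assumptions constructed so the logic runs offline; a real client would send the same filter string through JNDI, ldap3 or another LDAP client instead of calling search_roles.

```python
# Added example (not from the original post): modelling application roles
# in LDAP and resolving a user's permissions from the application side.
#
# Assumed directory layout (an assumption for this example):
#   ou=people,dc=example,dc=com   one entry per user
#   ou=roles,dc=example,dc=com    one groupOfNames per application role;
#       'member'      = DNs of the users holding the role
#       'description' = comma-separated application functions the role
#                       may call (a plain-text convention; a production
#                       schema would normally use a purpose-built attribute)
#
# A real client would send role_search_filter(user_dn) to the server; here
# the search is emulated against a constructed in-memory dict.

ROLE_BASE = "ou=roles,dc=example,dc=com"

# Constructed sample data shaped like LDAP search results:
# DN -> {attribute: [values]}
DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=com": {
        "objectClass": ["inetOrgPerson"],
        "uid": ["alice"],
    },
    "uid=bob,ou=people,dc=example,dc=com": {
        "objectClass": ["inetOrgPerson"],
        "uid": ["bob"],
    },
    "cn=billing-clerk,ou=roles,dc=example,dc=com": {
        "objectClass": ["groupOfNames"],
        "cn": ["billing-clerk"],
        "member": [
            "uid=alice,ou=people,dc=example,dc=com",
            "uid=bob,ou=people,dc=example,dc=com",
        ],
        "description": ["invoice.view,invoice.create"],
    },
    "cn=billing-admin,ou=roles,dc=example,dc=com": {
        "objectClass": ["groupOfNames"],
        "cn": ["billing-admin"],
        "member": ["uid=alice,ou=people,dc=example,dc=com"],
        "description": ["invoice.approve,invoice.void"],
    },
}


def escape_filter_value(value: str) -> str:
    """Escape an assertion value per RFC 4515 so that a user-influenced
    DN or uid cannot change the structure of the search filter."""
    out = []
    for ch in value:
        if ch in "\\*()\0":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def role_search_filter(user_dn: str) -> str:
    """The filter the application sends: which roles list this user?"""
    return "(&(objectClass=groupOfNames)(member=%s))" % escape_filter_value(user_dn)


def search_roles(directory: dict, user_dn: str) -> list:
    """Offline stand-in for a subtree search under ROLE_BASE using
    role_search_filter(user_dn). Member DNs are compared as plain strings;
    a real server applies the distinguishedNameMatch rule."""
    matches = []
    for dn, attrs in directory.items():
        if not dn.endswith("," + ROLE_BASE):
            continue
        if "groupOfNames" not in attrs.get("objectClass", []):
            continue
        if user_dn in attrs.get("member", []):
            matches.append(attrs)
    return matches


def permissions_for_user(directory: dict, user_dn: str) -> set:
    """Union of the functions granted by every role the user holds."""
    granted = set()
    for role in search_roles(directory, user_dn):
        for desc in role.get("description", []):
            granted.update(f.strip() for f in desc.split(",") if f.strip())
    return granted


def is_allowed(directory: dict, user_dn: str, function: str) -> bool:
    """Default deny: a function is permitted only if some role grants it."""
    return function in permissions_for_user(directory, user_dn)


if __name__ == "__main__":
    alice = "uid=alice,ou=people,dc=example,dc=com"
    bob = "uid=bob,ou=people,dc=example,dc=com"
    print(role_search_filter(alice))
    print(sorted(permissions_for_user(DIRECTORY, alice)))
    print(is_allowed(DIRECTORY, bob, "invoice.void"))
```

Two points a practitioner would check here: the application decides after authenticating the user (typically a simple bind as that user, or verifying the "ticket" by whatever mechanism is in use), and it never interpolates the user's DN into the filter unescaped, since `*`, `(`, `)` and `\` in an assertion value change the filter's meaning. Nothing in this pattern is OpenLDAP-specific: groupOfNames is standard LDAP schema (RFC 4519) and the search and filter syntax are core LDAP (RFC 4511 and RFC 4515), so the same query works from Java via JNDI's DirContext.search as from any other client.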