[Date Prev][Date Next]
Re: using ldap to control access to other services
William Cai wrote:
I have been using LDAP for some time. The LDAP server is mainly used to
store user information. Today I heard that LDAP can be used to control
access to other services. More specific, "The way it works is that your
(or any other) app calls LDAP with like "I am user A, here is my ticket,
so what I can do?" and then LDAP responds: "User A has a type X and can
access B, C and D function, but can not access X, Y and Z function". So
your app realizes that "Type X can access today and tomorrow, but not
day after tomorrow" etc." [...]
1. Do I need to model the business environment in LDAP? e.g. create a
node for each function point.
I'm not sure what you're asking here...
2. What is the programming model? Can I use Java interface to retrieve
these permission information?
Absolutely. Java, PHP, perl, pretty much anything with an LDAP API
can query LDAP to see if a given user can access some service.
3. Is it OpenLDAP specific function or LDAP common function?
It's common to any LDAP server.
Here's an example. Apache can be configured to do LDAP
authentication and also to require that the authenticated user be a
member of a groupOfUniqueMembers object (for instance). Then when a
user visits the protected web path, Apache prompts for a username and
password. It then searches LDAP for that user and if it finds a record
it authenticates against that record using the given password. It
optionally will also check if the found record/user is a member of a
For instance, I've got a webserver that restricts access to the
http://servername/dcsi/ path. Here's a snippet of my Apache config:
Alias /dcsi "/db/dcsi"
AuthName "Login: enter your username"
Require ldap-group cn=DCSi,ou=Application-ACLs,ou=Groups,dc=sgi,dc=com
[... other Apache config stuff ...]
So, in the above snippet, you can see that the bit of protected
content is in /db/dcsi, and we're going to use OpenLDAP to protect it.
Apache also will authenticate itself to OpenLDAP first. We tell Apache
to require a valid user and to require the authenticated user to be a
member of a valid group (the cn=DCSi,ou=Application-ACLs,... record).
And the AuthLDAPUrl setting lets us tell Apache how to find the record
to authenticate against given a username (we search by the uid attribute
in our case).
This is just one application - Apache. But any application that
wants to do authentication/authorization using LDAP can be written to do
the same thing. Say I had a perl application that prompted for a
username and password before doing some task. It could be written to
bind to OpenLDAP, search for the given username, try to authenticate,
and then search for a groupOfUniqueMembers object containing a
uniqueMember attribute that contained the DN of the found user record it
authenticated successfully with.
'Hope this helps...