
Re: Fine Grained Permission System

Thanks for your answer, it was what I was expecting from what I saw yesterday.

I saw LDAP ACLs, but they are used only to restrict access to LDAP itself. I was really hoping that LDAP had some nice way to handle a fine-grained permission system. I think I'll still use LDAP for managing my users, but I'll probably create some scripts to handle the permissions for all my applications in a centralized mode.


2010/10/4 Diego Lima <lists@diegolima.org>
Hi AdaXi,

While ldap is widely used as a means to achieve central
authentication, controlling access using LDAP is highly dependent on
the application you're using. The LDAP server itself does not care for
access controls or levels, and only stores information that will be
used by other applications. If the applications support using some
ldap attribute to restrict access or offer some sort of schema that
they'll use, then you can probably do that using only LDAP. LDAP
itself has Access Control Lists, but I don't think they'll do what you
are expecting, as they only control access to attributes held in the
server itself.

Otherwise you'll be stuck with managing the applications individually
using their own built-in configuration methods.

2010/10/4 AdaXi <adaxidownloads@gmail.com>:
> Hi everyone, I am kind of a newbie in OpenLDAP and LDAP in general, and I
> really need your help. I have been looking for a fine-grained permission
> system for a project that I am in now, but could not find anything that
> satisfies me.
> I have multiple applications that will authenticate using LDAP, but I also
> want to control user access in each application. I want to be able to allow
> specific access to an element in one application.
> Examples :
> For database, I would like to assign read permissions to one or more
> database for one user.
> For a bulletin board, users can only post in some specific boards.
> For an FTP server, users can only access specific directories.
> In the first place, is it realistic?
> Do you know a way to do this only with LDAP? (if yes, could you show me a
> manual or guide)
> Do you know some piece of software that could help me?
> Thanks in advance,
> AdaXi

Diego Lima
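As an added illustration of the approach both messages land on (LDAP stores the permission data, a central script or each application enforces it), here is one way to model AdaXi's three cases as one `groupOfNames` entry per application, resource and action, plus a deny-by-default membership check. This is example code written for this thread, not anything posted by AdaXi or Diego; the `ou=apps` layout, the `cn=<action>,cn=<resource>` naming and the sample LDIF are assumptions, not a standard OpenLDAP schema.

```python
# Constructed sample data: one groupOfNames per (application, resource, action).
# The ou=apps layout and the cn=<action>,cn=<resource> naming are assumptions
# for this example, not a standard OpenLDAP schema.
SAMPLE_LDIF = """\
dn: cn=read,cn=sales,ou=database,ou=apps,dc=example,dc=com
objectClass: groupOfNames
cn: read
member: uid=alice,ou=people,dc=example,dc=com
member: uid=bob,ou=people,dc=example,dc=com

dn: cn=post,cn=announcements,ou=board,ou=apps,dc=example,dc=com
objectClass: groupOfNames
cn: post
member: uid=alice,ou=people,dc=example,dc=com

dn: cn=access,cn=/pub/reports,ou=ftp,ou=apps,dc=example,dc=com
objectClass: groupOfNames
cn: access
member: uid=bob,ou=people,dc=example,dc=com
"""

def parse_ldif(text):
    """Minimal LDIF reader for the sample above: {dn: {attr: [values]}}.
    Real LDIF also has base64 values and line folding; those are not handled."""
    entries, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            current = None          # a blank line ends an entry
            continue
        attr, _, value = line.partition(": ")
        if attr == "dn":
            current = entries.setdefault(value, {})
        elif current is not None:
            current.setdefault(attr, []).append(value)
    return entries

def permission_dn(app, resource, action, base="ou=apps,dc=example,dc=com"):
    """DN of the group that grants `action` on `resource` inside `app`.
    Commas and backslashes are escaped so a user-chosen resource name
    cannot add or alter RDN components of the looked-up DN."""
    esc = lambda s: s.replace("\\", "\\\\").replace(",", "\\,")
    return f"cn={esc(action)},cn={esc(resource)},ou={esc(app)},{base}"

def has_permission(entries, user_dn, app, resource, action):
    """Deny by default: only an explicit member of the matching group is allowed.
    The directory only stores this; each application must still call the check."""
    group = entries.get(permission_dn(app, resource, action))
    return group is not None and user_dn in group.get("member", [])
```

Against a live server the same lookup would be a base-scope search on the computed DN (or a `member=` filter), but the authorization decision still has to be made by the application or script, exactly as Diego describes.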