[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: using ldap to control access to other services

William Cai wrote:
Hi List,

I have been using LDAP for some time. The LDAP server is mainly used to store user information. Today I heard that LDAP can be used to control access to other services. More specific, "The way it works is that your (or any other) app calls LDAP with like "I am user A, here is my ticket, so what I can do?" and then LDAP responds: "User A has a type X and can access B, C and D function, but can not access X, Y and Z function". So your app realizes that "Type X can access today and tomorrow, but not day after tomorrow" etc." [...]

1. Do I need to model the business environment in LDAP? e.g. create a node for each function point.

   I'm not sure what you're asking here...

2. What is the programming model? Can I use Java interface to retrieve these permission information?

Absolutely. Java, PHP, perl, pretty much anything with an LDAP API can query LDAP to see if a given user can access some service.

3. Is it OpenLDAP specific function or LDAP common function?

   It's common to any LDAP server.

Here's an example. Apache can be configured to do LDAP authentication and also to require that the authenticated user be a member of a groupOfUniqueMembers object (for instance). Then when a user visits the protected web path, Apache prompts for a username and password. It then searches LDAP for that user and if it finds a record it authenticates against that record using the given password. It optionally will also check if the found record/user is a member of a specified group.

For instance, I've got a webserver that restricts access to the http://servername/dcsi/ path. Here's a snippet of my Apache config:
Alias /dcsi "/db/dcsi"
<Directory "/db/dcsi">
  <IfModule mod_authnz_ldap.c>
   AuthType Basic
   AuthName "Login: enter your username"
   AuthBasicProvider ldap
   AuthzLDAPAuthoritative on
   AuthLDAPBindDN cn=my-app-name,ou=Applications,dc=sgi,dc=com
   AuthLDAPBindPassword mypassword-for-this-application
   Require valid-user
   Require ldap-group cn=DCSi,ou=Application-ACLs,ou=Groups,dc=sgi,dc=com
AuthLDAPUrl ldap://my-ldap-server:389/ou=Employees,ou=People,dc=sgi,dc=com?uid

[... other Apache config stuff ...]

So, in the above snippet, you can see that the bit of protected content is in /db/dcsi, and we're going to use OpenLDAP to protect it. Apache also will authenticate itself to OpenLDAP first. We tell Apache to require a valid user and to require the authenticated user to be a member of a valid group (the cn=DCSi,ou=Application-ACLs,... record). And the AuthLDAPUrl setting lets us tell Apache how to find the record to authenticate against given a username (we search by the uid attribute in our case).

This is just one application - Apache. But any application that wants to do authentication/authorization using LDAP can be written to do the same thing. Say I had a perl application that prompted for a username and password before doing some task. It could be written to bind to OpenLDAP, search for the given username, try to authenticate, and then search for a groupOfUniqueMembers object containing a uniqueMember attribute that contained the DN of the found user record it authenticated successfully with.

   'Hope this helps...