[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: Using LDAP for Auth & Access Control?
Hi,
I don't know of anything definite on-line, but this topic is covered
both in my book, "Implementing LDAP" and "Understanding and
Deploying LDAP Directory Services" by Tim Howes, et al.
I do have a brief article on the subject at
http://developer.iplanet.com/viewsource/ (I think we titled the article
"Straight Talk on Security", I write the LDAP Heavyweight collumn
for Netscape ViewSource).
Also I would suggest poking around in the LDAP modules for
Apache with mod_perl.
I'm also be talking about this at ApacheCon 2000 (presentation
should be online when the conference rolls around in March).
Typically what people do when using LDAP for something like this
is to use LDAP for authentication (which is easy/trivial to do).
The hard part is management of authorization information.
Authentication simply tells you that a particular set of credentials
provided by a client matched the same credentials in your LDAP
server (which is what happens in any authentication system). You
assume that since these credentials should only be able to be
provided by a particular person, then the application is
"authenticated" as that user.
Authorization means what can that user do now that they have
authenticated.
You could authorize access based on group membership, where
the user's entry lies in the DIT, time of day, gender, an attribute in
their entry or a number of different routes.
So to be honest what you probably want to do is to use an existing
authentication service such as Kerberos (which already provides a
standardized means of providing authorization services) and use a
directory service to feed the user & application data to Kerberos.
just my thoughts.
Mark
On 30 Nov 99, at 18:03, Chris Starling wrote:
>
> I'm needing to develop a fairly flexible authentication and access
> control scheme for a client/server type of application. I began my
> research for a solution being inspired by Netware's NDS, having
> had a very minor amount of experience with it. I mentioned this to
> a friend who said I should look into LDAP for storing user access
> information and I realized the World of Directory Services.
>
> Now, I'm struggling trying to assimilate all this LDAP information
> I'm reading online into my RDBMS-oriented brain. And I'm
> wondering:
>
> Is there a good example or case study available online that
> illustrates the use of LDAP for a authentication & access control
> implementation?
>
>
> I'm reading the mailing list archives and searching the web, but I
> have yet to find a good example that will really help me understand
> how to adapt LDAP's objects for this application. If there's a book
> with this information in it, I'd be interested to hear about it as well.
>
> It just seems like everything I read about LDAP lists all these
> varied and different applications it can be used for, but all the
> examples I'm reading are for simple phonebook type directories.
>
> Thanks a bunch,
> -chris
>
>