Using LDAP to describe permissions



From what I understand, Microsoft's Active Directory is really an LDAP
solution combined with Kerberos. I'm interested in building a similar
system for PHP applications for a corporate intranet.

However, I'm not sure how to use LDAP to describe complex permission
schemes. I would like to have as fine-grained control as Active
Directory has: every object (file, directory) can be specified to have
read/write/delete/admin/etc. permission to any set of groups or single
users.

It makes sense for me to use LDAP as a phone book, but I'm not sure how
to describe permissions; it doesn't seem intuitive to put it in a tree
structure.

How does Active Directory do it? How should I do it? I could use LDAP to
store all the account information and put the permissions in a MySQL
database.

Kent Wang
IC2 Institute
University of Texas