Using LDAP to describe permissions

From what I understand, Microsoft's Active Directory is really an LDAP
solution combined with Kerberos. I'm interested in building a similar
system for PHP applications for a corporate intranet.

However, I'm not sure how to use LDAP to describe complex permissions
schemes. I would like to have as fine-grained control as Active
Directory has: every object (file, directory) can be specified to have
read/write/delete/admin/etc permission to any set of groups or single
users.

It makes sense for me to use LDAP as a phone book, but I'm not sure how
to describe permissions; it doesn't seem intuitive to put it in a tree
structure.

How does Active Directory do it? How should I do it? I could use LDAP to
store all the account information and put the permissions in a MySQL
database.

Kent Wang
IC2 Institute
University of Texas