
Re: Authentication for multiple applications.



On Tue, 6 Jan 2004, Alejandro Leyva Rabinovich wrote:

> 
> Hi all, we are developing some applications based on LDAP, but we don't 
> know how to give different access to different applications with LDAP; 
> here is the problem:
> 
> We have two applications, appA and appB; a user is authorized to use appA 
> but not appB. How could I get that into LDAP?
> 
> What's the best way to do that?

If you are truly interested in controlling authorization (as
opposed to authentication), one common way is to assign one or more
special attributes to each user's LDAP entry that indicate which
applications that user is allowed to use, then modify the applications
to accept/reject users based on the values (or presence) of those
attributes.

Another common way is to create a group for each app by adding LDAP
entries with the groupOfNames or groupOfUniqueNames objectclass,
populate those groups with the dn's of the authorized users, then
have the application check for the presence of a user's dn in the
appropriate group.

Another (I'm sure less common) way would be to arrange your DIT so that
user entries are assigned to separate branches that are each intended for
a specific application. UserA is allowed to use both appA and appB, so
you stick an entry for her in the appA branch and the appB branch. Someone
else may only have an entry in the appB branch. And so on.

There are other ways. Each of these has drawbacks and benefits. No one
method is best (or even suitable) for every situation. Think carefully
about what you want to accomplish and under what circumstances, *then*
read read read about LDAP and try things out.

> 
> I think that it's obvious, but I'm a newbie in Perl and LDAP.
> 
> Thanks.
> 
> 

-- 
Kirk Turner-Rustin
Information Systems
Ohio Wesleyan University
http://www.owu.edu
ktrustin@owu.edu
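The three schemes in the reply above (a per-user attribute, a groupOfNames per application, and a per-application branch of the DIT), worked through as an added example that is not part of the thread. It is in Python rather than Perl so that it runs offline against a small in-memory directory instead of a live server; the DNs, the entries, the attribute name `allowedApp` and the base `dc=example,dc=edu` are all constructed for illustration. The filter strings it builds are the ones you would hand to ldapsearch or a Net::LDAP search against a real server, and they are escaped per RFC 4515 so that a user-supplied uid cannot rewrite the filter.

```python
"""Per-application authorization in LDAP, three ways (custom attribute,
groupOfNames per app, per-app DIT branch), checked against a small
in-memory directory.  Added example, not code from the thread; every DN,
attribute name (in particular the custom 'allowedApp') and entry below is
constructed for illustration."""

from typing import Dict, List

Entry = Dict[str, List[str]]

BASE = "dc=example,dc=edu"   # constructed suffix

# Constructed sample directory: DN -> attributes, values kept as lists the way
# an LDAP server returns them.  Three users: usera (appA and appB), userb
# (appB only), userc (nothing), encoded the same way under all three schemes.
DIRECTORY: Dict[str, Entry] = {
    # scheme 1: an attribute on the user entry lists the applications it may use
    f"uid=usera,ou=people,{BASE}": {"objectClass": ["inetOrgPerson"], "uid": ["usera"],
                                    "allowedApp": ["appA", "appB"]},
    f"uid=userb,ou=people,{BASE}": {"objectClass": ["inetOrgPerson"], "uid": ["userb"],
                                    "allowedApp": ["appB"]},
    f"uid=userc,ou=people,{BASE}": {"objectClass": ["inetOrgPerson"], "uid": ["userc"]},
    # scheme 2: one groupOfNames per application, members listed by DN
    f"cn=appA,ou=groups,{BASE}": {"objectClass": ["groupOfNames"], "cn": ["appA"],
                                  "member": [f"uid=usera,ou=people,{BASE}"]},
    f"cn=appB,ou=groups,{BASE}": {"objectClass": ["groupOfNames"], "cn": ["appB"],
                                  "member": [f"UID=usera,OU=people,{BASE}",  # DN case differs on purpose
                                             f"uid=userb,ou=people,{BASE}"]},
    # scheme 3: a separate branch per application holding an entry per authorized user
    f"uid=usera,ou=appA,{BASE}": {"objectClass": ["inetOrgPerson"], "uid": ["usera"]},
    f"uid=usera,ou=appB,{BASE}": {"objectClass": ["inetOrgPerson"], "uid": ["usera"]},
    f"uid=userb,ou=appB,{BASE}": {"objectClass": ["inetOrgPerson"], "uid": ["userb"]},
}

DN_VALUED = {"member", "uniqueMember"}   # compared with distinguishedNameMatch, not as plain strings


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value interpolated into a search filter, so that
    user input such as '*' or 'x)(uid=*' is matched literally rather than
    parsed as filter syntax."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def equality_filter(**assertions: str) -> str:
    """Build an AND-of-equality filter string, the form one would pass to
    ldapsearch or Net::LDAP->search(filter => ...) against a real server."""
    parts = "".join("(%s=%s)" % (a, escape_filter_value(v)) for a, v in assertions.items())
    return "(&%s)" % parts if len(assertions) > 1 else parts


def normalize_dn(dn: str) -> str:
    """Lower-case and strip whitespace around RDNs.  Enough for the DNs in this
    sample; a full RFC 4514 normaliser would also have to handle escaped commas."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def _value_matches(attr: str, stored: str, wanted: str) -> bool:
    if attr in DN_VALUED:
        return normalize_dn(stored) == normalize_dn(wanted)
    return stored.lower() == wanted.lower()   # caseIgnoreMatch, the usual rule for cn/uid


def search(base: str, **assertions: str) -> List[str]:
    """Return DNs of entries in the subtree under `base` that satisfy every
    assertion, mimicking a subtree search with equality_filter(**assertions)."""
    suffix = "," + normalize_dn(base)
    hits = []
    for dn, entry in DIRECTORY.items():
        if not normalize_dn(dn).endswith(suffix):
            continue
        if all(any(_value_matches(a, s, v) for s in entry.get(a, [])) for a, v in assertions.items()):
            hits.append(dn)
    return hits


def allowed_by_attribute(uid: str, app: str) -> bool:
    """Scheme 1: the user's entry must carry allowedApp=<app>."""
    return bool(search(f"ou=people,{BASE}", uid=uid, allowedApp=app))


def allowed_by_group(user_dn: str, app: str) -> bool:
    """Scheme 2: the application's groupOfNames must list the user's DN in member."""
    return bool(search(f"ou=groups,{BASE}", objectClass="groupOfNames", cn=app, member=user_dn))


def allowed_by_branch(uid: str, app: str) -> bool:
    """Scheme 3: the user must have an entry in the application's own branch."""
    return bool(search(f"ou={app},{BASE}", uid=uid))


if __name__ == "__main__":
    for uid in ("usera", "userb", "userc"):
        dn = f"uid={uid},ou=people,{BASE}"
        for app in ("appA", "appB"):
            print(uid, app, allowed_by_attribute(uid, app),
                  allowed_by_group(dn, app), allowed_by_branch(uid, app))
    # a uid taken from a login form, escaped before it reaches the filter
    print(equality_filter(objectClass="groupOfNames", cn="appA", member="uid=x)(cn=*"))
```

Two details worth carrying over to a real deployment: group membership is a DN comparison, so compare normalised DNs (or let the server do it with an equality filter on `member`) rather than comparing strings, and never interpolate a raw uid or DN into a filter without escaping it.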