On Tue, 6 Jan 2004, Alejandro Leyva Rabinovich wrote:
Hi all, we are developing some applications based on LDAP, but we don't
know how to give different access to different applications with LDAP.
Here is the problem:
we have two applications, appA and appB; a user is authorized to use
appA but not appB. How could I get that into LDAP?
What's the best way to do that?
If you are truly interested in controlling authorization (as
opposed to authentication), one common way is to assign one or more
special attributes to each user's LDAP entry that indicate which
applications that user is allowed to use, then modify the applications
to accept/reject users based on the values (or presence) of those
attributes.
Another common way is to create a group for each app by adding LDAP
entries with the groupOfNames or groupOfUniqueNames objectclass,
populate those groups with the DNs of the authorized users, then
have the application check for the presence of a user's DN in the
appropriate group.
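As an added example (not code from the thread), here are both checks described above run against a constructed LDIF snapshot, parsed in plain Python with no directory server; the attribute name authorizedApp, the group names and the DNs are assumptions.

```python
# Added example (not from the thread); attribute name and DNs are assumptions.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
authorizedApp: appA

dn: uid=bob,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
authorizedApp: appA
authorizedApp: appB

dn: cn=appA-users,ou=groups,dc=example,dc=com
objectClass: groupOfNames
member: uid=alice,ou=people,dc=example,dc=com
member: uid=bob,ou=people,dc=example,dc=com

dn: cn=appB-users,ou=groups,dc=example,dc=com
objectClass: groupOfUniqueNames
uniqueMember: uid=bob,ou=people,dc=example,dc=com
"""

def parse_ldif(text):
    """Return {dn: {attr(lowercased): [values]}} for plain LDIF (no base64, no line folding)."""
    entries = {}
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            key, _, value = line.partition(": ")
            attrs.setdefault(key.lower(), []).append(value)
        entries[attrs["dn"][0]] = attrs
    return entries

def normalize_dn(dn):
    """Simplified DN equality: lowercase and strip spaces around RDNs (not full RFC 4514)."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def allowed_by_attribute(entries, user_dn, app, attr="authorizedapp"):
    """Pattern 1: the user's own entry carries an attribute naming permitted apps (unknown user -> False)."""
    values = entries.get(user_dn, {}).get(attr, [])
    return app.lower() in [v.lower() for v in values]

def allowed_by_group(entries, user_dn, group_dn):
    """Pattern 2: the user's DN is listed as member/uniqueMember of the app's group entry."""
    group = entries.get(group_dn, {})
    classes = {v.lower() for v in group.get("objectclass", [])}
    if not classes & {"groupofnames", "groupofuniquenames"}:
        return False  # missing entry or not a group object: fail closed
    members = group.get("member", []) + group.get("uniquemember", [])
    return normalize_dn(user_dn) in {normalize_dn(m) for m in members}
```

Both checks fail closed when the user or group entry is missing, which is the behaviour an application should rely on rather than treating an absent attribute or group as permission.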