Re: Authentification for multiple applications.

[Quanah Gibson-Mount <quanah@stanford.edu>]

--On Tuesday, January 06, 2004 4:53 PM -0500 "Kirk A. Turner-Rustin" 
<ktrustin@owu.edu> wrote:

> On Tue, 6 Jan 2004, Alejandro Leyva Rabinovich wrote:
>
> > Hi all, we are developing some applications based on ldap, but we dont
> > know how to give different access to different applications with ldap,
> > here is the problem:
> >
> > we have two applications, appA and appB, an user is autorized to use
> > appA  but not appB, how could i get it into ldap?
> >
> > whats the best way to do that?
>
> If you are truly interested in controlling authorization (as
> opposed to authentication), one common way is to assign one or more
> special attributes to each user's LDAP entry that indicate which
> applications that user is allowed to use, then modify the applications
> to accept/reject users based on the values (or presence) of those
> attributes.
>
> Another common way is to create a group for each app by adding LDAP
> entries with the groupOfNames or groupOfUniqueNames objectclass,
> populate those groups with the dn's of the authorized users, then
> have the application check for a the presence of a user's dn in the
> appropriate group.

With 2.2.4, you can also now create dynamic groups, which will determine if 
a user belongs to a group by the existence of attributes in their entry, 
which is essentially a combination of both these steps.

--Quanah

--
Quanah Gibson-Mount
Principal Software Developer
ITSS/TSS/Computing Systems
ITSS/TSS/Infrastructure Operations
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html