Re: using ldap to control access to other services

[Brent Bice <bbice@sgi.com>]

William Cai wrote:
> Hi List,
>
> I have been using LDAP for some time. The LDAP server is mainly used to 
> store user information. Today I heard that LDAP can be used to control 
> access to other services. More specific, "The way it works is that your 
> (or any other) app calls LDAP with like "I am user A, here is my ticket, 
> so what I can do?" and then LDAP responds: "User A has a type X and can 
> access B, C and D function, but can not access X, Y and Z function". So 
> your app realizes that "Type X can access today and tomorrow, but not 
> day after tomorrow" etc." [...]
>
> 1. Do I need to model the business environment in LDAP? e.g. create a 
> node for each function point.

   I'm not sure what you're asking here...

> 2. What is the programming model? Can I use Java interface to retrieve 
> these permission information?

   Absolutely. Java, PHP, perl, pretty much anything with an LDAP API 
can query LDAP to see if a given user can access some service.

> 3. Is it OpenLDAP specific function or LDAP common function?

   It's common to any LDAP server.

   Here's an example.  Apache can be configured to do LDAP 
authentication and also to require that the authenticated user be a 
member of a groupOfUniqueMembers object (for instance).  Then when a 
user visits the protected web path, Apache prompts for a username and 
password.  It then searches LDAP for that user and if it finds a record 
it authenticates against that record using the given password. It 
optionally will also check if the found record/user is a member of a 
specified group.

   For instance, I've got a webserver that restricts access to the 
http://servername/dcsi/ path.  Here's a snippet of my Apache config:
Alias /dcsi "/db/dcsi"
<Directory "/db/dcsi">
  <IfModule mod_authnz_ldap.c>
   AuthType Basic
   AuthName "Login: enter your username"
   AuthBasicProvider ldap
   AuthzLDAPAuthoritative on
   AuthLDAPBindDN cn=my-app-name,ou=Applications,dc=sgi,dc=com
   AuthLDAPBindPassword mypassword-for-this-application
   Require valid-user
   Require ldap-group cn=DCSi,ou=Application-ACLs,ou=Groups,dc=sgi,dc=com
    AuthLDAPUrl 
ldap://my-ldap-server:389/ou=Employees,ou=People,dc=sgi,dc=com?uid
  </IfModule>

[... other Apache config stuff ...]
</Directory>

   So, in the above snippet, you can see that the bit of protected 
content is in /db/dcsi, and we're going to use OpenLDAP to protect it. 
Apache also will authenticate itself to OpenLDAP first. We tell Apache 
to require a valid user and to require the authenticated user to be a 
member of a valid group (the cn=DCSi,ou=Application-ACLs,... record). 
And the AuthLDAPUrl setting lets us tell Apache how to find the record 
to authenticate against given a username (we search by the uid attribute 
in our case).

   This is just one application - Apache.  But any application that 
wants to do authentication/authorization using LDAP can be written to do 
the same thing.  Say I had a perl application that prompted for a 
username and password before doing some task.  It could be written to 
bind to OpenLDAP, search for the given username, try to authenticate, 
and then search for a groupOfUniqueMembers object containing a 
uniqueMember attribute that contained the DN of the found user record it 
authenticated successfully with.

   'Hope this helps...

Brent