Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

LDAP authorization

Tags:

authentication

roles

authorization

ldap

security-roles

I'm starting to implement authorization and authentication mechanism using LDAP, for some existing system. On the development stage, I'm facing a difficult design decision: where should user roles be stored?

If I used RDBMS, it looks like there will be three tables: user, role and user_role to map roles and users.

Please suggest available solutions. I think about storing the user roles in DB and users in LDAP, but not sure if that is the best solutions. I use JBoss as my application server.

like image 228
Tioma Avatar asked Jun 05 '11 21:06

Tioma

1 Answers

On the architectural point of view, you've got multiples solutions. Here is a solution that keeps all your data into a Directory.

In your Directory you can code your 'Roles' with objects from a class with the meaning of "group" like groupOfNames or group (depending on you Directory). Users Distinguisched Names (DN) will them be coded in a multivalued attribute of these objects (generally member). The 'Role' object DN can be, in return, coded in a multivalued attribute of the user object (Ex : memberof)

In the case your Directory support referential integrity, it can act as a system Directory. Then member and memberOf attributes can be managed by the Directory itself. This mean that if you move a user from an Organizational Unit to an other one, the Directory is going refresh the member attribute of the 'Role' objects the user belongs to.

In the other case (no referencial integrity) your application has to manage the attribute integrity.

It's short but I hope it help.

Edited

Thirst off all I recomend you Apache Directory Studio , that is (for me) one of the best LDAP Browser. tHis tool will allow you to see your Directory and to learn LDAP more freindly. Using this tool I show you the way ADAM (Active Directory Application Mode) the free Directory of Microsoft code the 'Roles'

In the first picture you can see AdminAdam as a member of the administrators group :

AdminAdam as a member of the administrators group

In this second picture, you can see the presence of the group in the attribute memberof of the user adminAdam.

the attribute memberof of the user adminAdam

ADAM is suporting referencial Integrity.

like image 186
JPBlanc Avatar answered Oct 25 '22 06:10

JPBlanc
Sign in to Comment

Related questions

authentication sessionid vs cookie
How to programmatically(python) authenticate username/password using OS users
Disable Login Prompts in mod_auth_sspi_1.0.4-2.2.2
Smart Card Authentication with ASP.NET
How do I authenticate a user in a Node app with Django authentication?
Configuring Shiro to allow anonymous access to resource folders (JS, CSS etc)
AngularJS using RESTful web service authentication
Window authentication not working in MVC4
Simplest way to add Basic authentication to web.config with user/pass
docker-compose create mongo container with username and password
How to customize the Mac OSX login?
Tunneling mongodb using ngrok
AWS amplify auth How to remove redirect uri
AllowAnonymous is not ignored in ASP.NET Core custom AuthenticationHandler after migrating from .NET Core 2.2 to 3.1
php user authentication libraries / frameworks ... what are the options? [closed]
OpenID for Google App Engine
Getting "401 Unauthorized" error consistently with jquery call to webmethod
What are the model, lft, and rght fields used in the acos table?
PHP curl - posting asp.net viewstate value
Best authentication method to grant API access to Rails app

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!