Authorizing users to applications via LDAP is often done by creating groups (`groupOfNames` objects) which hold the distinguished names of the entries authorized to use a specific application.
I prefer having a special multivalued string attribute type in the user's LDAP entry which stores the names of the applications the user is authorized to use. Our OpenLDAP directory servers have an attribute type appropriately named `service` in the DIT, which the security guys provision when a user is granted access to a specific application or service. For example, our Squid proxy servers are configured to search for a user by ANDing `(service=internet)` into the filter when authenticating. Users who have SpamAssassin enabled have a `service` value of `sa`, and so on.
It is of course easy to find all users who have a specific service: `ldapsearch '(&(objectclass=person)(service=ftp))'` finds all people who have an FTP account.
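To make the lookup concrete, here is a small Python model of what an application does against such a `service` attribute. This is an added example, not code from the original post: a few constructed entries stand in for the directory, a minimal RFC 4515 filter evaluator stands in for the server, and `escape_filter_value` shows the one thing every application that splices a login name into a filter alongside `(service=...)` has to do, namely escape the user-supplied part. The users, DNs and service values are made up.

```python
"""Added example: modelling an LDAP 'service' authorization lookup offline.

Not code from the original post. A few constructed entries stand in for the
directory and a minimal RFC 4515 filter evaluator stands in for the server.
"""
from __future__ import annotations

import re

# Constructed sample entries (made-up users and DNs), not a real directory.
DIRECTORY = [
    {"dn": "uid=alice,ou=people,dc=example,dc=com",
     "objectClass": ["person", "inetOrgPerson"],
     "uid": ["alice"], "service": ["internet", "ftp", "sa"]},
    {"dn": "uid=bob,ou=people,dc=example,dc=com",
     "objectClass": ["person", "inetOrgPerson"],
     "uid": ["bob"], "service": ["internet"]},
    # A non-person entry that also carries service=ftp; the objectclass term
    # in the filter is what keeps it out of the result.
    {"dn": "cn=proxy,ou=services,dc=example,dc=com",
     "objectClass": ["applicationProcess"],
     "cn": ["proxy"], "service": ["ftp"]},
]


def escape_filter_value(value: str) -> str:
    """Escape a value for embedding in a search filter (RFC 4515 section 3)."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def _unescape(s: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), s)


def _parse(s: str, i: int):
    """Recursive-descent parse of (&...), (|...), (!...) and (attr=value)."""
    if i >= len(s) or s[i] != "(":
        raise ValueError("expected '(' at %d" % i)
    i += 1
    if i >= len(s):
        raise ValueError("truncated filter")
    if s[i] in "&|":
        op, subs, i = s[i], [], i + 1
        while i < len(s) and s[i] == "(":
            sub, i = _parse(s, i)
            subs.append(sub)
        node = (op, subs)
    elif s[i] == "!":
        sub, i = _parse(s, i + 1)
        node = ("!", [sub])
    else:
        eq = s.index("=", i)
        # Escaped values never contain a raw ')', so the next one ends the item.
        end = s.index(")", eq)
        node = ("=", s[i:eq], s[eq + 1:end])
        i = end
    if i >= len(s) or s[i] != ")":
        raise ValueError("expected ')' at %d" % i)
    return node, i + 1


def _value_matches(pattern: str, actual: str) -> bool:
    """Match one assertion value; a raw '*' is a wildcard, an escaped '\\2a' is not."""
    parts = [_unescape(p) for p in pattern.split("*")]
    if len(parts) == 1:
        return parts[0].lower() == actual.lower()
    return re.fullmatch(".*".join(map(re.escape, parts)), actual, re.I) is not None


def _matches(node, entry: dict) -> bool:
    kind = node[0]
    if kind == "&":
        return all(_matches(n, entry) for n in node[1])
    if kind == "|":
        return any(_matches(n, entry) for n in node[1])
    if kind == "!":
        return not _matches(node[1][0], entry)
    _, attr, pattern = node
    values = [v for k, vs in entry.items()
              if k != "dn" and k.lower() == attr.lower() for v in vs]
    return any(_value_matches(pattern, v) for v in values)


def search(filter_str: str, directory=DIRECTORY) -> list[str]:
    """Return the DNs of entries matching an RFC 4515 filter string."""
    node, end = _parse(filter_str, 0)
    if end != len(filter_str):
        raise ValueError("trailing data after filter")
    return [e["dn"] for e in directory if _matches(node, e)]


def auth_filter(uid: str, service: str) -> str:
    """The filter an application ANDs together when authenticating uid."""
    return "(&(objectClass=person)(uid=%s)(service=%s))" % (
        escape_filter_value(uid), escape_filter_value(service))


def is_authorized(uid: str, service: str, directory=DIRECTORY) -> bool:
    """True only if exactly one person entry carries both uid and the service."""
    return len(search(auth_filter(uid, service), directory)) == 1


if __name__ == "__main__":
    print(search("(&(objectclass=person)(service=ftp))"))
    print(is_authorized("alice", "internet"), is_authorized("bob", "ftp"))
    # An unescaped login name of '*)(service=*' widens the lookup to every
    # internet user; the escaped form built by auth_filter matches nobody.
    print(search("(&(objectClass=person)(uid=*)(service=*)(service=internet))"))
    print(search(auth_filter("*)(service=*", "internet")))
```

The two searches at the end are the point for anyone wiring an application up this way: the login name is attacker-controlled, so whatever builds the filter (the application or its LDAP auth helper) must escape it before it is ANDed with `(service=...)`; otherwise the `service` check can be widened or bypassed by a crafted username, and the application may simply bind as the first entry returned.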
I've yet to find an application which I couldn't adapt to this method. And what is of course great is that when a person's entry is deleted (upon termination of employment, for example), all authorizations for that person are deleted with it; with `groupOfNames` groups, the now-dangling member DN would stay behind unless something like OpenLDAP's refint overlay cleans it up.
This may not be the best way to handle authorizations, but when I started with LDAP back in the days of the University of Michigan code, that was all I could come up with, and it works very well for us.