Authorizing users to applications via LDAP is often done by creating groups (groupOfNames objects) which hold the distinguished names of the entries authorized to use a specific application.

I prefer having a special multivalued string attribute type in the user’s LDAP entry which stores names of applications a user is authorized to use. Our OpenLDAP directory servers have an attribute type appropriately named service in the DIT which is provisioned by the security guys when a user is granted access to a specific application or service. For example, our Squid proxy servers are configured to search for a user by and_ing in the filter (service=internet) when authenticating. Users who have SpamAssassin enabled have a _service of sa, and so on, and so forth.

It is of course easy to find all users who have a specific service: ldapsearch '(&(objectclass=person)(service=ftp))' finds all people who have an FTP account.

I’ve yet to find an application which I couldn’t adapt to this method. And what is of course great, is that when a person’s entry is deleted (upon termination of employment for example), all authorizations for that person are simultaneously deleted.

This may not be the best way to handle authorizations, but when I started with LDAP back in the days of the University of Michigan code, that was all I could come up with, and it works very well for us.

LDAP and Apache :: 06 Feb 2006 :: e-mail