Role-based security implementation in LDAP


Solution 1

Users: inetOrgPerson

Collections: organizationalUnit, but beware of trying to replicate your organizational structure in your LDAP directory: this is usually a mistake, as organizations change and users move around the organization. You should consider using the ou attribute.

Roles: organizationalRole. I used groups of roles as groupOfUniqueNames, but that was a mistake, I should have kept using organizationalRole so that roles are simply recursive.

Permission: this is just a role really, or an attribute of a role. If you use CMA they are defined in web.xml, not LDAP.

As I said, don't try to make your LDAP tree mirror your organization. Make it mirror its own organization. I use multiple-valued attributes wherever necessary. I use organizationalUnit mainly for layers within LDAP itself, or where I have broken my rules above ;-)

OpenLDAP has a referential integrity overlay which can keep a lot of this straight for you.

There are some very good hints on LDAP structure in Mastering OpenLDAP by Matt Butcher, and a higher level view of it all in Understanding and Deploying LDAP Directory Services by Howes et al.
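As an added illustration (not part of this answer or the question), here is the organizationalRole layout described above in a constructed LDIF fragment, plus a small Python resolver that answers the question's "which roles does this user hold" by following roleOccupant links in reverse, so roles that occupy other roles are resolved recursively and a misconfigured cycle cannot loop forever. All DNs, role names and the deliberate cycle are made-up sample data.

```python
# Added example: resolve a user's effective roles from organizationalRole
# entries. roleOccupant on role R names who holds R: a user DN, or another
# role DN (recursive roles). The LDIF below is constructed sample data.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: alice

dn: cn=admin,ou=roles,dc=example,dc=com
objectClass: organizationalRole
roleOccupant: uid=alice,ou=people,dc=example,dc=com
# deliberate misconfiguration: readers occupy admin -> cycle
roleOccupant: cn=document-reader,ou=roles,dc=example,dc=com

dn: cn=document-editor,ou=roles,dc=example,dc=com
objectClass: organizationalRole
roleOccupant: cn=admin,ou=roles,dc=example,dc=com

dn: cn=document-reader,ou=roles,dc=example,dc=com
objectClass: organizationalRole
roleOccupant: cn=document-editor,ou=roles,dc=example,dc=com
"""

def parse_ldif(text):
    """Minimal LDIF parser: {dn: {attr: [values]}}; no base64, no line folding."""
    entries, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            current = None          # blank line ends the entry
        elif line.startswith("#"):
            continue                # LDIF comment
        else:
            attr, _, value = line.partition(": ")
            if attr == "dn":
                current = entries.setdefault(value, {})
            else:
                current.setdefault(attr, []).append(value)
    return entries

def effective_roles(entries, dn):
    """All roles that list `dn` as roleOccupant, directly or via other roles.
    The `found` set stops revisits, so cyclic role graphs terminate."""
    found, todo = set(), [dn]
    while todo:
        holder = todo.pop()
        for role_dn, attrs in entries.items():
            if ("organizationalRole" in attrs.get("objectClass", [])
                    and holder in attrs.get("roleOccupant", [])
                    and role_dn not in found):
                found.add(role_dn)
                todo.append(role_dn)   # roles occupied by this role come next
    return sorted(found)
```

A real deployment would run the reverse lookup as an LDAP search with filter (&(objectClass=organizationalRole)(roleOccupant=<dn>)) rather than scanning parsed entries.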

Solution 2

One more option: check out attribute-based access control. ABAC is an evolution of RBAC. It uses attributes (which are labels about the user, the resource, the context) and policies to determine what is allowed and what isn't.

Example: A user with the role==manager in the department==sales can do the action==edit on a document of type==purchase order if the PO's amount<=the user's approval limit.

You can read more on ABAC at the NIST website.

Author: user1031054

Updated on June 16, 2022

Comments

  • user1031054
    user1031054 almost 2 years

    I'm working on role-based security implementation in LDAP and Java. Specifically, I have the following objects that I need to represent in LDAP:

    • Users
    • Corporate groups of users - HR, Finance etc.
    • Permissions - DOCUMENT_READ, DOCUMENT_MODIFY etc.
    • Roles - ADMIN, GUEST etc.

    Roles are basically groups of permissions, and they can be assigned to a user or to a group of users.

    I was thinking of representing them in LDAP as follows:

    • Users - Person and uidObject classes with userPassword attribute.
    • Groups of users - organizationalUnit class, under which the users are located.
    • Roles - groupOfNames object class.
    • Permissions - not sure about this one, perhaps also groupOfNames class.

    The idea is to have a quick access from a user or a group to a list of roles that this user or group have. I know that I can put users and groups in a "member" attributes of a role, but then I will have to scan all roles to find which ones have this user listed. Is there a way to have something like the "member" attribute in a Person object?

    Generally, does anyone know of a good role-based security implementation in LDAP? I could not find good documentation or tutorials on this subject. I'm using ApacheDS as an LDAP server currently, but I'm open to suggestions.

  • user1031054
    user1031054 over 12 years
    Thank you, I will try it. ou attribute is a good idea. In my scenario, a person can belong to more than one organizational unit, so I'm not sure which is better - have multiple ou attributes or perhaps make groups groupOfNames as well.
  • Peter
    Peter over 8 years
    @EJP Can I please ask you to elaborate on your comment with respect to Roles. What exactly was the mistake with using groupOfUniqueNames and how did you use the organizationalRoles recursively? Do you mean hierarchically, which I'm thinking would mean that an individual role can't be used in multiple groups?
  • user207421
    user207421 over 8 years
    @PeterCarpenter I mean recursively. A role can be a roleOccupant of another role. I don't understand your last sentence.
  • Peter
    Peter over 8 years
    @EJP By hierarchically I meant by making it a child node - But you have answered my question. Thanks!