I'm starting to implement an authorization and authentication mechanism using LDAP for an existing system. At the development stage, I'm facing a difficult design decision: where should user roles be stored?
If I used an RDBMS, it looks like there would be three tables: user, role and user_role to map roles to users.
Please suggest available solutions. I am thinking about storing the user roles in the DB and the users in LDAP, but I'm not sure that is the best solution. I use JBoss as my application server.
From an architectural point of view, you've got multiple solutions. Here is a solution that keeps all your data in a Directory.
In your Directory you can code your 'Roles' with objects from a class with the meaning of "group", like groupOfNames or group (depending on your Directory). Users' Distinguished Names (DN) will then be coded in a multivalued attribute of these objects (generally member). The 'Role' object DN can, in return, be coded in a multivalued attribute of the user object (e.g. memberOf).
In case your Directory supports referential integrity, it can act as a system Directory. Then the member and memberOf attributes can be managed by the Directory itself. This means that if you move a user from one Organizational Unit to another, the Directory is going to refresh the member attribute of the 'Role' objects the user belongs to.
In the other case (no referential integrity) your application has to manage the attribute integrity.
It's short but I hope it helps.
Edited
First of all, I recommend Apache Directory Studio, which is (for me) one of the best LDAP browsers. This tool will allow you to see your Directory and to learn LDAP more easily. Using this tool I show you the way ADAM (Active Directory Application Mode), the free Directory from Microsoft, codes the 'Roles'.
In the first picture you can see AdminAdam as a member of the administrators group:
In this second picture, you can see the presence of the group in the attribute memberOf of the user AdminAdam.
ADAM supports referential integrity.
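The answer above notes that without referential integrity the application itself must keep the group-side member values and the user-side memberOf values consistent. The following is an added example (not from the original post or from any directory product) of such a consistency check over a constructed in-memory directory snapshot; the DNs, entries and the groupOfNames/inetOrgPerson object classes used are assumptions for illustration.

```python
"""Check that groupOfNames 'member' values and user 'memberOf' values agree.
Constructed example: a directory without referential integrity, where the
application has to detect and repair broken links between roles and users."""

def norm(dn):
    """Normalise a DN for comparison (whitespace and case; enough for this example)."""
    return ",".join(part.strip().lower() for part in dn.split(","))

# Constructed snapshot: DN -> attributes (LDAP attributes are multivalued, hence lists).
DIRECTORY = {
    "cn=admins,ou=roles,dc=example,dc=com": {
        "objectClass": ["groupOfNames"],
        "member": ["cn=alice,ou=people,dc=example,dc=com",
                   "cn=ghost,ou=people,dc=example,dc=com"],   # no such user entry
    },
    "cn=auditors,ou=roles,dc=example,dc=com": {
        "objectClass": ["groupOfNames"],
        "member": ["cn=bob,ou=people,dc=example,dc=com"],
    },
    "cn=alice,ou=people,dc=example,dc=com": {
        "objectClass": ["inetOrgPerson"],
        "memberOf": ["cn=admins,ou=roles,dc=example,dc=com"],
    },
    "cn=bob,ou=people,dc=example,dc=com": {
        "objectClass": ["inetOrgPerson"],
        "memberOf": ["cn=olddept,ou=roles,dc=example,dc=com"],   # group no longer exists
    },
}

def check_integrity(directory):
    """Return sorted (problem, group_dn, user_dn) tuples for every broken link."""
    index = {norm(dn): attrs for dn, attrs in directory.items()}
    problems = set()
    for dn, attrs in index.items():
        classes = [c.lower() for c in attrs.get("objectClass", [])]
        if "groupofnames" in classes:
            for m in map(norm, attrs.get("member", [])):
                if m not in index:
                    problems.add(("dangling-member", dn, m))   # group points at a missing user
                elif dn not in map(norm, index[m].get("memberOf", [])):
                    problems.add(("missing-memberOf", dn, m))  # user side was never updated
        for g in map(norm, attrs.get("memberOf", [])):
            if g not in index or dn not in map(norm, index[g].get("member", [])):
                problems.add(("stale-memberOf", g, dn))        # user claims a role the group denies
    return sorted(problems)

if __name__ == "__main__":
    for problem in check_integrity(DIRECTORY):
        print(*problem)
```

Run periodically (or after each user move or rename), a report like this is what a referential-integrity-aware directory such as ADAM would otherwise prevent by itself.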