Role-based security implementation in LDAP

user1031054 · Nov 5, 2011 · Viewed 11.9k times

I'm working on role-based security implementation in LDAP and Java. Specifically, I have the following objects that I need to represent in LDAP:

  • Users
  • Corporate groups of users - HR, Finance etc.
  • Permissions - DOCUMENT_READ, DOCUMENT_MODIFY etc.
  • Roles - ADMIN, GUEST etc.

Roles are basically groups of permissions, and they can be assigned to a user or to a group of users.

I was thinking of representing them in LDAP as follows:

  • Users - Person and uidObject classes with userPassword attribute.
  • Groups of users - organizationalUnit class, under which the users are located.
  • Roles - groupOfNames object class.
  • Permissions - not sure about this one, perhaps also groupOfNames class.

The idea is to have quick access from a user or a group to the list of roles that this user or group has. I know that I can put users and groups in the "member" attribute of a role, but then I will have to scan all roles to find which ones have this user listed. Is there a way to have something like the "member" attribute in a Person object?

Generally, does anyone know of a good role-based security implementation in LDAP? I could not find good documentation or tutorials on this subject. I'm using ApacheDS as an LDAP server currently, but I'm open to suggestions.

Answer

user207421 · Nov 6, 2011

Users: inetOrgPerson

Collections: organizationalUnit, but beware of trying to replicate your organizational structure in your LDAP directory: this is usually a mistake, as organizations change and users move around the organization. You should consider using the ou attribute.

Roles: organizationalRole. I used groups of roles as groupOfUniqueNames, but that was a mistake; I should have kept using organizationalRole so that roles are simply recursive.

Permission: this is just a role really, or an attribute of a role. If you use CMA they are defined in web.xml, not LDAP.

As I said, don't try to make your LDAP tree mirror your organization. Make it mirror its own organization. I use multiple-valued attributes wherever necessary. I use organizationalUnit mainly for layers within LDAP itself, or where I have broken my rules above ;-)

OpenLDAP has a referential integrity overlay which can keep a lot of this straight for you.

There are some very good hints on LDAP structure in Mastering OpenLDAP by Matt Butcher, and a higher level view of it all in Understanding and Deploying LDAP Directory Services by Howes et al.
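The answer's organizationalRole layout, as an added example that is not part of the original question or answer: a constructed LDIF fragment (users as inetOrgPerson with an ou attribute, roles as organizationalRole whose roleOccupant values name either a user DN or another role DN) and a small Python resolver that answers the question's "which roles does this user hold" lookup by following roleOccupant links, including roles that occupy other roles. All DNs and role names are constructed; against a live directory the same lookup is a search with a filter on roleOccupant rather than an LDIF parse.

```python
from collections import defaultdict

# Constructed LDIF: ADMIN occupies DOCUMENT_READ and DOCUMENT_MODIFY, alice occupies ADMIN.
LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: alice
ou: Finance

dn: cn=DOCUMENT_READ,ou=roles,dc=example,dc=com
objectClass: organizationalRole
cn: DOCUMENT_READ
roleOccupant: cn=ADMIN,ou=roles,dc=example,dc=com

dn: cn=DOCUMENT_MODIFY,ou=roles,dc=example,dc=com
objectClass: organizationalRole
cn: DOCUMENT_MODIFY
roleOccupant: cn=ADMIN,ou=roles,dc=example,dc=com

dn: cn=ADMIN,ou=roles,dc=example,dc=com
objectClass: organizationalRole
cn: ADMIN
roleOccupant: uid=alice,ou=people,dc=example,dc=com
"""

def parse_ldif(text):
    """Minimal LDIF reader -> {dn_lower: {attr_lower: [values]}} (no base64, no line wrapping)."""
    entries = {}
    for block in text.strip().split("\n\n"):
        attrs = defaultdict(list)
        for line in block.splitlines():
            name, _, value = line.partition(":")
            attrs[name.strip().lower()].append(value.strip())
        entries[attrs["dn"][0].lower()] = attrs
    return entries

def effective_roles(entries, user_dn):
    """Role names held by user_dn, directly or through roles that occupy other roles."""
    occupant_to_roles = defaultdict(set)  # reverse index: occupant DN -> role DNs
    for dn, attrs in entries.items():
        if "organizationalrole" in map(str.lower, attrs["objectclass"]):
            for occ in attrs["roleoccupant"]:
                occupant_to_roles[occ.lower()].add(dn)
    found, pending = set(), [user_dn.lower()]
    while pending:  # breadth-first walk; 'found' also guards against role cycles
        for role_dn in occupant_to_roles.get(pending.pop(), ()):
            if role_dn not in found:
                found.add(role_dn)
                pending.append(role_dn)
    return sorted(entries[r]["cn"][0] for r in found)
```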