
I am new to LDAP. I have to implement user and role management with OpenLDAP in Java. Currently I am using OpenLDAP 2.4. I am planning to map the following required entities to LDAP objects like:

User: Different users identified by user id/ password. I am mapping it with inetOrgPerson object of LDAP.

Group: it will be a group of users. I am mapping it with organizationalUnit in LDAP.

Role: roles could be a group of permissions. I am mapping this with the groupOfNames object. I have tried with organizationalRole, but didn't find any way to link groups and users. Is there any way?

Permission: permissions like 'READ', 'WRITE' etc. To which object should I map this so that I can include different permissions in a Role and then associate the role with groups and users?

So, I am highly confused about permissions and Roles, and how these could be mapped in LDAP. Also, what should be the LDIF file format for these two, Roles and permissions? As much as possible, I want to keep everything in LDAP for user management rather than an RDBM.

user207421
Smita

1 Answer


User: Different users identified by user id/ password. I am mapping it with inetOrgPerson object of LDAP.

Good choice.

Group: it will be a group of users. I am mapping it with organizationalUnit in LDAP.

OK, but you should also look at groupOfUniqueNames.

Role: roles could be group of permissions.

No. A role is a role. What permissions the role has is a completely separate issue, and not one that necessarily belongs in LDAP at all.

I am mapping this with groupOfNames object. I have tried with organizationalRole, but didn't find any way to link groups and users.

organizationalRole has roleOccupant, that's what you need.

Permission: permissions like 'READ', 'WRITE' etc. To which object I should map this so that I can include different permission to a Role and then associate role to groups and users?

See above. I'm not convinced this belongs in LDAP at all, at least I've never found a way to map it. I do that via the security features of web.xml.

Also, What should be the ldif file format for these two, Roles and permissions.

The LDIF format falls directly out of the objectClass you use. The mapping is simple.

user207421
Thank you for the reply. If I add comma-separated multiple permissions in some attribute value in the Role (organizationalRole) object, will that be OK from a design perspective? Can I retrieve those in Java for checking user/group permissions? – Smita Apr 16 '15 at 11:38
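A worked LDIF along the lines of the answer, added here as an example and not part of the question or the answer: one inetOrgPerson user, one groupOfUniqueNames group, and one organizationalRole whose roleOccupant attribute links the role to a user DN and a group DN. The suffix dc=example,dc=com, the three OUs and all entry names are assumed.

```ldif
# Added example (not from the question or answer). Suffix, OUs and names are assumed.

dn: ou=people,dc=example,dc=com
objectClass: organizationalUnit
ou: people

dn: ou=groups,dc=example,dc=com
objectClass: organizationalUnit
ou: groups

dn: ou=roles,dc=example,dc=com
objectClass: organizationalUnit
ou: roles

# User: inetOrgPerson (cn and sn are mandatory). The userPassword value is a
# placeholder; set the real value with slappasswd/ldappasswd, never cleartext.
dn: uid=jdoe,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: jdoe
cn: Jane Doe
sn: Doe
mail: jdoe@example.com
userPassword: {SSHA}PLACEHOLDER-REPLACE-WITH-SLAPPASSWD-OUTPUT

# Group: groupOfUniqueNames; members are referenced by DN (uniqueMember is mandatory).
dn: cn=developers,ou=groups,dc=example,dc=com
objectClass: groupOfUniqueNames
cn: developers
uniqueMember: uid=jdoe,ou=people,dc=example,dc=com

# Role: organizationalRole. roleOccupant holds DNs, so a role can be occupied
# by individual users and by whole groups; this is the linkage the answer names.
dn: cn=admin-role,ou=roles,dc=example,dc=com
objectClass: organizationalRole
cn: admin-role
description: Can administer the developer tooling
roleOccupant: uid=jdoe,ou=people,dc=example,dc=com
roleOccupant: cn=developers,ou=groups,dc=example,dc=com
```

Load it with `ldapadd -x -D <rootdn> -W -f roles.ldif`; an application then decides whether a user holds a role by checking whether the user's DN, or the DN of a group the user belongs to, appears among that role's roleOccupant values.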