- 10-15-2009 #1 (Just Joined!, Join Date Oct 2009, Posts 4)
Application Permissions with LDAP
Hello, I'm new to LDAP, so I need some help with best practices. We have LDAP set up to support single sign-on for the internet applications we are developing at work. What we want to do is set up user permissions so that certain people can only see certain things in each application. What is the best way of doing this in LDAP? Is there a way to set up groups or something like that?
Thanks!
- 10-16-2009 #2
Yes, you can set up groups in LDAP, and you can also set up OUs. That way you can tell your app that ou=fakedepartment,dc=yourdomain,dc=com is the base DN that it can search, and then it won't see anything else.
- 10-19-2009 #3 (Just Joined!, Join Date Oct 2009, Posts 4)
Do you know of any good tutorials on groups online? I haven't been able to find much. Or could you explain how to use them?
We are using OUs right now for each application, but the boss doesn't think this is the right way to do it, so I've been trying to figure out how groups work, or whether there is a best-practice sort of "rule" that is used for this sort of thing.
- 10-19-2009 #4
As far as how you are using it, using OUs should work just fine. Your application should be able to set a base DN; as long as it is down to the OU, it can't see anything above it. But if OUs exist as sub-OUs, then your app will have access to them.
That being said, how to configure groups will depend on your LDAP server and the tools you use to manage it.
But consider this setup:
my.domain.com
--OU1
--OU2
------SUBOU1
------SUBOU2
If you set your base DN to my.domain.com, everything is available to your app. If you set it to OU2, then everything beneath that (SUBOU1 and SUBOU2) will be available to your app. If you set it to OU1, then only OU1 is available.
- 10-19-2009 #5 (Just Joined!, Join Date Oct 2009, Posts 4)
This is kind of the way we have it now:
my.domain.com
-ou=people
--Joe Smith
---cn=Joe
---sn=Smith
---ou=app1
---ou=app2b
So we just check to see if they have each OU, so this means Joe has access to app1 and read-only access to app2. But that doesn't seem like the right way to do it.
- 10-20-2009 #6
We have something like this:
my.domain.com
-ou=departments
--cn=IT
---user1
---user2
---user3
---user4
--cn=Marketing
---user5
---user6
---user7
-ou=Security Groups
--specialgroup1
--specialgroup2
And then we make the users members of whatever groups. You can then require group membership depending on how your app is set up. Are you using AD, OpenLDAP, ...?
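Added example, not code from any post in this thread: the two layouts described in posts #4 and #6, modelled in Python so the mechanisms can be compared side by side. `in_scope` and `search` show what a search base DN and scope (base, one, sub) actually select, which is the OU-based restriction post #4 describes. `groups_of` and `has_access` check groupOfNames membership the way post #6 suggests, and `membership_filter` builds the filter string the application would send to the server, escaping the DN per RFC 4515 so that a user-controlled value cannot change the filter's structure. Two caveats a practitioner would want: a base DN configured in the application only narrows what the application asks for, since the server's ACLs decide what the application's bind identity may read; and group membership is granted one entry at a time, so a person-to-person assignment (post #7's concern) fits groups as well as it fits per-user attributes. All entries, DNs and the example.com suffix below are constructed for this example.

```python
"""In-memory model of an LDAP subtree: base-DN scoping and group membership.

Added illustration; the directory content is constructed, not taken from the
thread, and the example.com suffix is an assumption.
"""
import re
from typing import Any, Callable, Dict, List

Entry = Dict[str, Any]

# Constructed sample directory: users under ou=people and one groupOfNames
# per application (or per access level) under ou=groups, as in post #6.
DIRECTORY: List[Entry] = [
    {"dn": "dc=example,dc=com", "objectClass": ["dcObject", "organization"]},
    {"dn": "ou=people,dc=example,dc=com", "objectClass": ["organizationalUnit"]},
    {"dn": "ou=groups,dc=example,dc=com", "objectClass": ["organizationalUnit"]},
    {"dn": "uid=jsmith,ou=people,dc=example,dc=com",
     "objectClass": ["inetOrgPerson"], "cn": ["Joe Smith"], "sn": ["Smith"]},
    {"dn": "uid=mjones,ou=people,dc=example,dc=com",
     "objectClass": ["inetOrgPerson"], "cn": ["Mary Jones"], "sn": ["Jones"]},
    {"dn": "cn=app1-users,ou=groups,dc=example,dc=com",
     "objectClass": ["groupOfNames"],
     "member": ["uid=jsmith,ou=people,dc=example,dc=com"]},
    {"dn": "cn=app2-readonly,ou=groups,dc=example,dc=com",
     "objectClass": ["groupOfNames"],
     "member": ["uid=jsmith,ou=people,dc=example,dc=com",
                "uid=mjones,ou=people,dc=example,dc=com"]},
]

GROUP_BASE = "ou=groups,dc=example,dc=com"  # assumed location of the groups


def dn_rdns(dn: str) -> List[str]:
    """Split a DN into normalized RDNs, leaf first.

    Commas escaped with a backslash stay inside their RDN. Attribute types
    and values are lower-cased so that comparison is case-insensitive, which
    matches the caseIgnore matching rules used by cn, ou, dc and uid.
    """
    rdns = []
    for rdn in re.split(r"(?<!\\),", dn):
        attr, _, value = rdn.partition("=")
        rdns.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return rdns


def in_scope(entry_dn: str, base_dn: str, scope: str) -> bool:
    """True if entry_dn is selected by a search at base_dn with the given scope.

    'base' selects only the base entry, 'one' its direct children, 'sub' the
    base entry and everything beneath it. Entries above or beside the base
    are never selected, which is the OU-based restriction of post #4.
    """
    entry, base = dn_rdns(entry_dn), dn_rdns(base_dn)
    if len(entry) < len(base) or entry[len(entry) - len(base):] != base:
        return False
    depth = len(entry) - len(base)
    if scope == "base":
        return depth == 0
    if scope == "one":
        return depth == 1
    if scope == "sub":
        return True
    raise ValueError(f"unknown scope {scope!r}")


def search(base_dn: str, scope: str,
           predicate: Callable[[Entry], bool] = lambda e: True) -> List[str]:
    """Return the DNs of entries in scope that satisfy the predicate."""
    return [e["dn"] for e in DIRECTORY
            if in_scope(e["dn"], base_dn, scope) and predicate(e)]


# RFC 4515 escaping for values placed inside a search filter. Without it a
# value such as "*)(uid=admin" injected by a user would rewrite the filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(c, c) for c in value)


def membership_filter(user_dn: str) -> str:
    """The filter an application would send to find groups listing user_dn."""
    return f"(&(objectClass=groupOfNames)(member={escape_filter_value(user_dn)}))"


def groups_of(user_dn: str) -> List[str]:
    """In-memory evaluation of membership_filter(user_dn) under GROUP_BASE."""
    wanted = dn_rdns(user_dn)

    def is_member(entry: Entry) -> bool:
        return ("groupOfNames" in entry.get("objectClass", [])
                and any(dn_rdns(m) == wanted for m in entry.get("member", [])))

    return search(GROUP_BASE, "sub", is_member)


def has_access(user_dn: str, group_dn: str) -> bool:
    """True if user_dn is a member of group_dn (the check an app would make)."""
    return dn_rdns(group_dn) in [dn_rdns(g) for g in groups_of(user_dn)]


if __name__ == "__main__":
    people = "ou=people,dc=example,dc=com"
    print("sub search at", people, "->", search(people, "sub"))
    print("one-level search ->", search(people, "one"))
    joe = "uid=jsmith,ou=people,dc=example,dc=com"
    print("filter sent for Joe:", membership_filter(joe))
    print("Joe's groups:", groups_of(joe))
    print("Joe may use app1:", has_access(joe, "cn=app1-users," + GROUP_BASE))
```

The `search` at `ou=people` never returns the group entries, which is what post #4 relies on, but note that the access checks in `groups_of` have to search `ou=groups`, so an application restricted to `ou=people` alone could not perform them; the bind identity the application uses needs read access to both subtrees (granted by the server's ACLs, not by the base DN setting).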
- 10-20-2009 #7 (Just Joined!, Join Date Oct 2009, Posts 4)
The problem with that is the users aren't really separated by department. Who can use what app is kind of on a person-to-person basis, which is why we probably need to store the information inside the users. We are using OpenLDAP 2.3.something.