  1. #1  Just Joined, Oct 2009, 4 posts

    Application Permissions with LDAP

    Hello, I'm new to LDAP so I need some help with best practices. We have LDAP set up to support single sign on for our internet applications we are developing at work. What we want to do is set up user permissions so that certain people can only see certain things in each application. What is the best way of doing this in LDAP? Is there a way to set up groups or something like that?

    Thanks!

  2. #2  jledhead (Linux Engineer), Oct 2004, North Carolina, 1,077 posts

    Yes, you can set up groups in LDAP, and you can also set up OUs. That way you can tell your app that ou=fakedepartment,dc=yourdomain,dc=com is the base DN that it can search; then it won't see anything else.

  3. #3  Just Joined, Oct 2009, 4 posts
    Do you know of any good tutorials on groups online? I haven't been able to find much. Or could you explain how to use them?

    We are using OUs right now for each application, but the boss doesn't think this is the right way to do it, so I've been trying to figure out how groups work, or if there is a best-practice sort of 'rule' that is used for this sort of thing.

  4. #4  jledhead (Linux Engineer), Oct 2004, North Carolina, 1,077 posts

    As far as how you are using it, using OUs should work just fine. Your application should be able to set a base DN; as long as it is down to the OU, it can't see anything above it. But if OUs exist as sub-OUs, then your app will have access to them.

    That being said, how to configure groups will depend on your LDAP server and the tools you use to manage it.

    But consider this setup:
    my.domain.com
    --OU1
    --OU2
    ------SUBOU1
    ------SUBOU2

    If you set your base DN to my.domain.com, everything is available to your app. If you set it to OU2, then everything beneath that (SUBOU1 and SUBOU2) will be available to your app. If you set it to OU1, then only OU1 is available.

  5. #5  Just Joined, Oct 2009, 4 posts
    This is kind of the way we have it now:

    my.domain.com
    -ou=people
    --Joe Smith
    ---cn=Joe
    ---sn=Smith
    ---ou=app1
    ---ou=app2b

    So we just check to see if they have each OU; this means Joe has access to app1 and read-only access to app2. But that doesn't seem like the right way to do it.

  6. #6  jledhead (Linux Engineer), Oct 2004, North Carolina, 1,077 posts

    We have something like this:

    my.domain.com
    OU -departments
    ----CN -IT
    --------------user1
    --------------user2
    --------------user3
    --------------user4
    ----CN -Marketing
    --------------user5
    --------------user6
    --------------user7
    OU-Security Groups
    -----specialgroup1
    -----specialgroup2

    And then we make the users members of whatever groups. You can then require group membership depending on how your app is set up. Are you using AD, OpenLDAP, ...?

  7. #7  Just Joined, Oct 2009, 4 posts

    The problem with that is the users aren't really separated by department. Who can use what app is kind of on a person-to-person basis, which is why we probably need to store the information inside the users. We are using OpenLDAP 2.3.something.
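
    Added example (not code from the thread): the security-groups layout jledhead describes, applied to the per-person access the last post asks about. Instead of ou= attributes on each user entry, one groupOfNames per application right holds the DNs of the people allowed, and the app asks the directory which groups a login name belongs to. It assumes OpenLDAP's core schema (groupOfNames/member), a constructed directory under dc=my,dc=domain,dc=com with made-up user and group names, and the helper names parse_ldif, membership_filter and groups_of are illustrative.

```python
from collections import defaultdict
# Constructed sample directory: users under ou=people, one groupOfNames per
# application right under ou=groups; access is recorded as group membership.
SAMPLE_LDIF = """\
dn: uid=joe,ou=people,dc=my,dc=domain,dc=com
objectClass: inetOrgPerson
uid: joe
cn: Joe
sn: Smith

dn: uid=ann,ou=people,dc=my,dc=domain,dc=com
objectClass: inetOrgPerson
uid: ann
cn: Ann
sn: Lee

dn: cn=app1-users,ou=groups,dc=my,dc=domain,dc=com
objectClass: groupOfNames
cn: app1-users
member: uid=joe,ou=people,dc=my,dc=domain,dc=com
member: uid=ann,ou=people,dc=my,dc=domain,dc=com

dn: cn=app2-readonly,ou=groups,dc=my,dc=domain,dc=com
objectClass: groupOfNames
cn: app2-readonly
member: uid=joe,ou=people,dc=my,dc=domain,dc=com
"""
PEOPLE_BASE = "ou=people,dc=my,dc=domain,dc=com"

def parse_ldif(text):
    """Minimal LDIF reader (no folded/base64 lines): {dn: {attr: [values]}}."""
    entries = {}
    for block in text.strip().split("\n\n"):
        attrs = defaultdict(list)
        for line in block.splitlines():
            key, value = line.split(": ", 1)
            attrs[key].append(value)
        entries[attrs.pop("dn")[0]] = dict(attrs)
    return entries
def escape_filter_value(value):
    """RFC 4515 escaping so a user-supplied login name cannot reshape the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)
def membership_filter(uid):
    """Filter the app sends (search base ou=groups) to list one user's groups."""
    return "(&(objectClass=groupOfNames)(member=uid=%s,%s))" % (
        escape_filter_value(uid), PEOPLE_BASE)
def groups_of(entries, uid):
    """The same membership test, evaluated locally on the parsed sample entries."""
    member_dn = "uid=%s,%s" % (uid, PEOPLE_BASE)
    return sorted(a["cn"][0] for a in entries.values()
                  if "groupOfNames" in a["objectClass"] and member_dn in a.get("member", []))
```

    Joe ends up in both app1-users and app2-readonly while Ann is only in app1-users, so per-person rights no longer live on the user entry and adding a new application means adding a group, not a new ou attribute to every person.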
