I'm working on role-based security implementation in LDAP and Java. Specifically, I have the following objects that I need to represent in LDAP:
Users: inetOrgPerson
Collections: organizationalUnit, but beware of trying to replicate your organizational structure in your LDAP directory: this is usually a mistake, as organizations change and users move around the organization. You should consider using the ou attribute.
Roles: organizationalRole. I used groups of roles as groupOfUniqueNames, but that was a mistake: I should have kept using organizationalRole so that roles are simply recursive.
Permission: this is just a role really, or an attribute of a role. If you use CMA they are defined in web.xml, not LDAP.
As I said, don't try to make your LDAP tree mirror your organization. Make it mirror its own organization. I use multiple-valued attributes wherever necessary. I use organizationalUnit mainly for layers within LDAP itself, or where I have broken my rules above ;-)
OpenLDAP has a referential integrity overlay which can keep a lot of this straight for you.
There are some very good hints on LDAP structure in Mastering OpenLDAP by Matt Butcher, and a higher level view of it all in Understanding and Deploying LDAP Directory Services by Howes et al.
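As an added illustration of the recursive organizationalRole layout and the referential-integrity point above (example code, not from the answer; the DNs and entries are constructed), this resolves a user's effective roles when roles occupy other roles, and flags roleOccupant values that point at nothing:

```python
"""Recursive roles with a single object class: an organizationalRole lists users
*and* other roles in roleOccupant, so no groupOfUniqueNames layer is needed."""
from collections import deque

# Constructed sample directory: DN -> multi-valued attributes (as an LDAP search
# would return them). 'admin' occupies itself and 'viewer' names a missing user
# on purpose, to exercise the cycle guard and the dangling-reference check.
DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=com": {"objectClass": ["inetOrgPerson"]},
    "uid=bob,ou=people,dc=example,dc=com": {"objectClass": ["inetOrgPerson"]},
    "cn=editor,ou=roles,dc=example,dc=com": {
        "objectClass": ["organizationalRole"],
        "roleOccupant": ["uid=alice,ou=people,dc=example,dc=com"]},
    "cn=approver,ou=roles,dc=example,dc=com": {
        "objectClass": ["organizationalRole"],
        "roleOccupant": ["cn=editor,ou=roles,dc=example,dc=com",      # role in a role
                         "uid=bob,ou=people,dc=example,dc=com"]},
    "cn=admin,ou=roles,dc=example,dc=com": {
        "objectClass": ["organizationalRole"],
        "roleOccupant": ["cn=approver,ou=roles,dc=example,dc=com",
                         "cn=admin,ou=roles,dc=example,dc=com"]},     # self-reference
    "cn=viewer,ou=roles,dc=example,dc=com": {
        "objectClass": ["organizationalRole"],
        "roleOccupant": ["uid=carol,ou=people,dc=example,dc=com"]},   # no such entry
}

def direct_roles(subject_dn, directory=DIRECTORY):
    """Roles whose roleOccupant names subject_dn directly (a user or another role)."""
    return {dn for dn, attrs in directory.items()
            if "organizationalRole" in attrs.get("objectClass", [])
            and subject_dn in attrs.get("roleOccupant", [])}

def effective_roles(user_dn, directory=DIRECTORY):
    """Transitive closure: if role A occupies role B, every occupant of A holds B.
    The seen-set terminates the walk even when roles form a cycle."""
    seen, queue = set(), deque(direct_roles(user_dn, directory))
    while queue:
        role = queue.popleft()
        if role in seen:
            continue
        seen.add(role)
        queue.extend(direct_roles(role, directory) - seen)
    return seen

def dangling_occupants(directory=DIRECTORY):
    """(role DN, occupant DN) pairs where the occupant no longer exists: the drift a
    referential-integrity overlay prevents when entries are renamed or deleted."""
    return sorted((dn, occ) for dn, attrs in directory.items()
                  for occ in attrs.get("roleOccupant", []) if occ not in directory)
```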
One more option: check out attribute-based access control (ABAC). ABAC is an evolution of RBAC. It uses attributes (which are labels about the user, the resource, the context) and policies to determine what is allowed and what isn't.
Example: A user with the role==manager in the department==sales can do the action==edit on a document of type==purchase order if the PO's amount<=the user's approval limit.
You can read more on ABAC at the NIST website.
Check out Fortress. It is ANSI RBAC INCITS 359 compliant and built on LDAP. The source code is open source and you can pull down pre-built binaries that include OpenLDAP from here: http://iamfortress.org/