Hello the list,
I have to use LDAP to define access permissions for many third-party applications.
So, I wonder what the best way is to organize my LDAP tree. I see two possibilities:
- Set an LDAP group for each access level of each application, and create users that belong to those groups, e.g.:

GlobalServiceGroup
|
|__Application1Group
|  |
|  |__guestGroup
|  |  |__user1
|  |  |__user2
|  |
|  |__userGroup
|  |  |__user3
|  |  |__user4
|  |
|  |__adminGroup
|
|__Application2Group
   |
   |__devTeamGroup
   |  |__user1
   |  |__user2
   |  |__user3
   |  |__user4
   |
   |__testTeamGroup
   |
   |__adminTeamGroup
The problem with this solution is that I have to create a lot of groups, so my LDAP tree would become very complex to administer.
- Another way would be to define my own LDAP classes, with an attribute for each application that defines the access level (guest, user, admin, etc.). The problem with this solution is that I'm no longer within the standard LDAP schema, and lose interoperability with standard LDAP clients.
What is the best way to set this up? Is there another possibility than the two I mentioned before?
Thank you !
Ben
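Added example (not from Ben's message) of how a third-party application would consume the first layout: standard groupOfNames entries, the membership filter the client sends, and a per-application access level derived from the returned group DNs, denying by default for anything it does not recognise. The base DN, the ou= application containers and the sample search result are assumptions.

```python
# Added example for the first layout in the post: one standard groupOfNames per
# application and access level. Base DN, "ou=" containers and sample result are
# constructed assumptions, not taken from the post.
BASE_DN = "ou=GlobalServiceGroup,dc=example,dc=com"          # assumed suffix
LEVELS = {"guestGroup": 1, "userGroup": 2, "adminGroup": 3}  # rank order

def escape_filter_value(value):
    """RFC 4515 escaping, so a DN taken from input cannot alter the filter."""
    for ch, code in (("\\", r"\5c"), ("*", r"\2a"), ("(", r"\28"),
                     (")", r"\29"), ("\x00", r"\00")):
        value = value.replace(ch, code)
    return value

def member_filter(user_dn):
    """Filter a client sends to list every group the user is a member of."""
    return f"(&(objectClass=groupOfNames)(member={escape_filter_value(user_dn)}))"

def parse_group_dn(group_dn):
    """Return (application, role) for cn=<role>,ou=<app>,<BASE_DN>, else None."""
    suffix = "," + BASE_DN
    if not group_dn.lower().endswith(suffix.lower()):
        return None                       # group lives outside the service tree
    rdns = group_dn[:-len(suffix)].split(",")
    if len(rdns) != 2:                    # e.g. a team group directly under the base
        return None
    role, app = rdns
    if not (role.startswith("cn=") and app.startswith("ou=")):
        return None
    return app[3:], role[3:]

def access_levels(group_dns):
    """Map application -> highest role held; unlisted applications get nothing."""
    levels = {}
    for dn in group_dns:
        parsed = parse_group_dn(dn)
        if parsed is None or parsed[1] not in LEVELS:
            continue                      # unknown groups never grant access
        app, role = parsed
        if app not in levels or LEVELS[role] > LEVELS[levels[app]]:
            levels[app] = role
    return levels

# Constructed search result: group DNs returned for user1.
SAMPLE_GROUPS = [
    "cn=guestGroup,ou=Application1Group,ou=GlobalServiceGroup,dc=example,dc=com",
    "cn=adminGroup,ou=Application1Group,ou=GlobalServiceGroup,dc=example,dc=com",
    "cn=userGroup,ou=Application2Group,ou=GlobalServiceGroup,dc=example,dc=com",
    "cn=devTeamGroup,ou=Application2Group,ou=GlobalServiceGroup,dc=example,dc=com",
    "cn=mailUsers,ou=groups,dc=example,dc=com",
]
```

With this layout an application only needs the user's DN and a single standard search; it never has to know any custom attribute or object class.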