Hello the list,
I have to use LDAP to define access permissions for many third-party applications.
So, I wonder what is the best way to organize my LDAP tree. I see two possibilities:
- Set an LDAP group for each access level of each application, and create users that belong to those groups. e.g.:

    GlobalServiceGroup
    |
    |__Application1Group
    |    |__guestGroup
    |    |    |__user1
    |    |    |__user2
    |    |__userGroup
    |    |    |__user3
    |    |    |__user4
    |    |__adminGroup
    |
    |__Application2Group
         |__devTeamGroup
         |    |__user1
         |    |__user2
         |    |__user3
         |    |__user4
         |__testTeamGroup
         |__adminTeamGroup

The problem of this solution is that I have to set a lot of groups, so my LDAP tree would become very complex to administer.
- Another way would be to define my own LDAP classes, with an attribute for each application that defines the access level (guest, user, admin, etc). The problem of this solution is that I'm no longer in the standard LDAP schema, and lose interoperability with standard LDAP clients.
What is the best way to set that? Is there another possibility than the two I mentioned before?
Thank you !
Ben
--On Thursday, January 31, 2008 10:56 AM +0100 Benjamin Watine watine@cines.fr wrote:
> What is the best way to set that? Is there another possibility than the two I mentioned before?
Dynamic groups.
--Quanah
--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration
Quanah Gibson-Mount wrote:
> --On Thursday, January 31, 2008 10:56 AM +0100 Benjamin Watine watine@cines.fr wrote:
>> What is the best way to set that? Is there another possibility than the two I mentioned before?
> Dynamic groups.
Read more about them at:
man slapo-dynlist
man slapd.access
openldap-technical@openldap.org
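
An added illustration of the dynamic-groups suggestion above (not part of the original thread and not any poster's configuration): a slapd.conf fragment in which one groupOfURLs entry per access level replaces the hand-maintained member lists. The suffix dc=example,dc=com, all entry names, the schema path, and the choice of the standard employeeType attribute to carry the access level are assumptions.

```conf
# --- slapd.conf fragment (constructed example; all DNs are placeholders) ---

# dyngroup.schema ships with OpenLDAP and defines groupOfURLs / memberURL.
# The install path differs between distributions (assumed here).
include   /etc/openldap/schema/dyngroup.schema

# ... inside the database section for dc=example,dc=com ...

# When a groupOfURLs entry is returned, run the search in its memberURL and
# present the DNs of the matching entries as "member" values.
overlay          dynlist
dynlist-attrset  groupOfURLs memberURL member

# Group membership now follows from a user attribute, so write access to
# that attribute is what grants application rights. Restrict it.
access to attrs=employeeType
    by dn.exact="cn=idadmin,dc=example,dc=com" write
    by users read
    by * none

# slapd.access can evaluate the same dynamic group for its own ACLs:
# objectclass groupOfURLs, member attribute memberURL.
access to dn.subtree="ou=app1,dc=example,dc=com"
    by group/groupOfURLs/memberURL.exact="cn=app1-admin,ou=groups,dc=example,dc=com" write
    by group/groupOfURLs/memberURL.exact="cn=app1-user,ou=groups,dc=example,dc=com" read
    by * none

# --- group entries to load (LDIF, shown as comments) ---
# One small entry per access level; no per-user maintenance in the group.
#
# dn: cn=app1-admin,ou=groups,dc=example,dc=com
# objectClass: groupOfURLs
# cn: app1-admin
# memberURL: ldap:///ou=people,dc=example,dc=com??sub?(employeeType=app1-admin)
#
# dn: cn=app1-user,ou=groups,dc=example,dc=com
# objectClass: groupOfURLs
# cn: app1-user
# memberURL: ldap:///ou=people,dc=example,dc=com??sub?(employeeType=app1-user)
```

In the OpenLDAP 2.4 series dynlist expands members only when the group entry itself is returned, so a client application that looks up groups with a search filter such as (member=<user DN>) will not match these entries; check how each third-party application queries groups before relying on this layout.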