[Infrastructures] authentication of groups of users

Pete Ehlke pde-infrastructures@rfc822.net
Wed, 4 May 2005 19:31:48 -0500


On Tue May 03, 2005 at 08:53:26 +0200, Nils Ketelsen wrote:
>Joel Huddleston wrote:
>
>>>But what with using LDAP as directory server and authentication
>>>server? What can you do to accomplish the same effect?
>> 
>> LDAP (and even Hesiod and NIS+) is a hierarchical system, that is, tree
>> structured. It is possible to store your users into structural groups and
>> select which hosts use which groups in order to limit access. It is my
>
>But if I had a user who needs access to two applications I would have to
>keep his data in two places (because he is in two ous). Tree structures
>suck, but as LDAP is what most systems are able to do, I am currently
>trying a different design, where under the user-object there is a set of
>account-objects containing username/userpassword and whatever else the
>application in question requires as information for this user.

Jumping in late here, and I missed the start of this thread, so
apologies if I tread on covered ground...

So this is a classic case of the difference between authentication and
authorization; and it seems to be (from the preceding paragraph) very
similar to an architecture that I maintain in my current gig.

The classic method for using LDAP authentication at the OS level,
maintaining a single People tree and differentiating who has access to
which systems, is to emulate classic NIS netgroups in LDAP. This is
fairly well documented in the SunONE LDAP server (sorry, I know
virtually nothing of OpenLDAP or Tivoli), but a useful and concise
recent summary can be found at
http://swforums.sun.com/jive/thread.jspa?threadID=52764&tstart=0

If you have (as I assume from the paragraph above) in-house apps that
can leverage LDAP for authentication and authorization, the following
works quite well for us:

Add an attribute to each Person, call it applicationAccess. This
attribute should be readable by the user (and possibly anonymously,
depending on paranoia and needs), but writeable only by authorized
admins. As part of application authentication, have your app read the
user's applicationAccess attribute, and grant or deny access based on the
values it finds there.

The architecture works quite well for us, and has proven to scale very
well into the thousands of users doing up to millions of LDAP requests
per day.

-Pete
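The two mechanisms Pete describes (NIS netgroups emulated in LDAP for host access, and a per-person applicationAccess attribute that the application itself checks), worked through as an added example that is not part of this thread or of any LDAP server product. It assumes the RFC 2307 nisNetgroup schema (nisNetgroupTriple, memberNisNetgroup) for the netgroup part; the applicationAccess attribute name comes from the post but is not standard schema; the appadmins group and the OpenLDAP-style olcAccess rule are my assumed equivalent of the "user reads, admins write" ACL he describes (his server is SunONE, not OpenLDAP). All directory content is constructed LDIF so the example runs offline.

```python
"""Added example, not code from the post or from any directory product.

Two authorization patterns from the thread, run offline against constructed LDIF:
  1. host gating via NIS netgroups emulated in LDAP (RFC 2307 nisNetgroup entries);
  2. application gating via a multi-valued applicationAccess attribute on the Person
     (attribute name from the post; not part of any standard schema).
"""
import re

# OpenLDAP olcAccess form of the rule in the post (user reads, admins write).
# Assumed equivalent for OpenLDAP; the post's server is SunONE.
APPLICATION_ACCESS_ACL = """\
olcAccess: to attrs=applicationAccess
  by group.exact="cn=appadmins,ou=Groups,dc=example,dc=com" write
  by self read
  by * none
"""

# Constructed sample directory content; admins <-> billing-hosts is a deliberate cycle.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
uid: alice
applicationAccess: billing
applicationAccess: reporting

dn: cn=billing-hosts,ou=Netgroup,dc=example,dc=com
objectClass: nisNetgroup
cn: billing-hosts
nisNetgroupTriple: (bill01,alice,)
nisNetgroupTriple: (bill01,-,)
memberNisNetgroup: admins

dn: cn=admins,ou=Netgroup,dc=example,dc=com
objectClass: nisNetgroup
cn: admins
nisNetgroupTriple: (,carol,)
memberNisNetgroup: billing-hosts
"""

# (host,user,domain): an empty field is a wildcard, "-" matches nothing.
TRIPLE_RE = re.compile(r"^\(([^,]*),([^,]*),([^,]*)\)$")

def parse_ldif(text):
    """Parse plain LDIF (no base64 '::' values) into {dn: {attr_lower: [values]}}."""
    entries, attrs, last = {}, None, None
    for raw in text.splitlines() + [""]:  # trailing "" flushes the last entry
        if raw.startswith(" ") and last is not None:  # folded continuation line
            attrs[last][-1] += raw[1:]
            continue
        if raw == "":
            if attrs is not None:
                entries[attrs["dn"][0]] = attrs
            attrs, last = None, None
            continue
        name, sep, value = raw.partition(":")
        if not sep or value.startswith(":"):
            raise ValueError(f"unsupported LDIF line: {raw!r}")
        last = name.strip().lower()  # attribute names are case-insensitive
        attrs = attrs if attrs is not None else {}
        attrs.setdefault(last, []).append(value.strip())
    return entries

def _values(entry, attr):
    return [v.lower() for v in entry.get(attr, [])]

def find_netgroup(entries, cn):
    """Return the nisNetgroup entry whose cn matches, or None."""
    for entry in entries.values():
        if "nisnetgroup" in _values(entry, "objectclass") and cn.lower() in _values(entry, "cn"):
            return entry
    return None

def netgroup_allows(entries, cn, host, user, _seen=None):
    """True if (host, user) matches a triple in netgroup cn or in a nested netgroup."""
    seen = set() if _seen is None else _seen  # guards against memberNisNetgroup cycles
    if cn.lower() in seen:
        return False
    seen.add(cn.lower())
    entry = find_netgroup(entries, cn)
    if entry is None:
        return False
    for triple in entry.get("nisnetgrouptriple", []):
        match = TRIPLE_RE.match(triple)
        if match is None:
            continue  # malformed triple: fail closed on it
        t_host, t_user, _domain = match.groups()
        if "-" not in (t_host, t_user) and t_host in ("", host) and t_user in ("", user):
            return True
    return any(netgroup_allows(entries, nested, host, user, seen)
               for nested in entry.get("membernisnetgroup", []))

def application_allows(entries, user_dn, application):
    """The app-side check from the post: grant only if applicationAccess lists the app."""
    entry = entries.get(user_dn)
    if entry is None:
        return False  # unknown user: fail closed
    return application.lower() in _values(entry, "applicationaccess")
```

Both checks fail closed: an unknown user, an unknown netgroup, or a malformed triple denies access, and the visited set keeps a memberNisNetgroup loop (present in the sample) from recursing forever. The application check deliberately matches values case-insensitively, since LDAP attribute values under the usual caseIgnoreMatch rule compare that way.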