I want to make a authentication system using LDAP for my multiple machines.

I have created a basic structure but I’m not sure if it is the best solution or not.

Base:

I have machines M1, M2, M3, M5 (which have database D1, D2 & D3 in them)

List of users U1, U2, U3, U4, U5, U6, U7, U8, U9, U10

type of user – reader(machine specific), writer(machine specific), Manager

Requirements:

Every machine can have reader and writer set of users

Write user are like admins of their respective machines

read user have very limited permission and can read few database out of available databases

Approach used:

created a node which contain list of all user with their password information also allowed databases

created Manager role with list of roleoccupents

created 2 role (reader, writer) for each machine with respective roleoccupents

defined access control

Now, to when a user say U1 tries to read database D2 of machine M4…first he have to be in list of users, then he have to be roleoccupent or reader/writer role of M4 machine…

My problem arises here

1.To check if he is allowed to read database D2 or not we have to search user node to get database information and see if it contain D2 as allowed.

Other problem is that

2. if i want to delete a user, it is easy to delete from user node but roleoccupent entries will not be deleted that easily.
(I have to search in each servers reader and writer role to check if he is a roleoccupent or not)

So is there a better way to design the DIT so that no. of steps in managing ldap information are reduced??

…and any better way to check database access??