Home/ Questions/Q 6804387
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-26T19:27:34+00:00

I’m working on role-based security implementation in LDAP and Java. Specifically, I have the

  • 0

I’m working on role-based security implementation in LDAP and Java. Specifically, I have the following objects that I need to represent in LDAP:

  • Users
  • Corporate groups of users – HR, Finance etc.
  • Permissions – DOCUMENT_READ, DOCUMENT_MODIFY etc.
  • Roles – ADMIN, GUEST etc.

Roles are basically groups of permissions, and they can be assigned to a user or to a group of users.

I was thinking of representing them in LDAP as folows:

  • Users – Person and uidObject classes with userPassword attribute.
  • Groups of users – organizationalUnit class, under which the users are
    located.
  • Roles – groupOfNames object class.
  • Permissions – not sure about this one, perhaps also groupOfNames
    class.

The idea is to have a quick access from a user or a group to a list of roles that this user or group have. I know that I can put users and groups in a “member” attributes of a role, but then I will have to scan all roles to find which ones have this user listed. Is there a way to have something like the “member” attribute in a Person object?

Generally, does anyone know of a good role-based security implementation in LDAP? I could not find good documentation or tutorials on this subject. I’m using ApacheDS as an LDAP server currently, but I’m open to suggestions.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Users: inetOrgPerson

    Collections: organizationalUnit, but beware of trying to replicate your organizational structure in your LDAP directory: this is usually a mistake, as organizations change and users move around the organization. You should consider using the ou attribute.

    Roles: organizationalRole. I used groups of roles as groupOfUniqueNames, but that was a mistake, I should have kept using organizationalRole so that roles are simply recursive.

    Permission: this is just a role really, or an attribute of a role. If you use CMA they are defined in web.xml, not LDAP.

    As I said, don’t try to make your LDAP tree mirror your organization. Make it mirror its own organization. I use multiple-valued attributes wherever necessary. I use organizationalUnit mainly for layers within LDAP itself, or where I have broken my rules above 😉

    OpenLDAP has a referential integrity overlay which can keep a lot of this straight for you.

    There are some very good hints on LDAP structure in Mastering OpenLDAP by Matt Butcher, and a higher level view of it all in Understanding and Deploying LDAP Directory Services by Howes et al.

    • 0