Role-based security implementation in LDAP

Question

I'm working on role-based security implementation in LDAP and Java. Specifically, I have the following objects that I need to represent in LDAP:

  • Users
  • Groups of users in the enterprise - HR, Finance etc.
  • Permissions - DOCUMENT_READ, DOCUMENT_MODIFY etc.
  • Roles - Administrator, Guest etc.

Roles are basically groups of permissions, and they can be assigned to a user or to a group of users.

I was thinking of representing them in LDAP as follows:

  • Users - Person and uidObject classes with userPassword attribute.
  • Groups of users - organizationalUnit class, under which the users are located.
  • Roles - groupOfNames object class.
  • Permissions - not sure about this one, perhaps also groupOfNames class.

The idea is to have a quick access from a user or a group to a list of roles that this user or group have. I know that I can put users and groups in a "member" attributes of a role, but then I will have to scan all roles to find which ones have this user listed. Is there a way to have something like the "member" attribute in a Person object?

Generally, does anyone know of a good role-based security implementation in LDAP? I could not find good documentation or tutorials on this subject. I'm using ApacheDS as an LDAP server currently, but I'm open to suggestions.

Recommended answer

Users: inetOrgPerson

Collections: organizationalUnit, but beware of trying to replicate your organizational structure in your LDAP directory: this is usually a mistake, as organizations change and users move around the organization. You should consider using the ou attribute.

Roles: organizationalRole. I used groups of roles as groupOfUniqueNames, but that was a mistake, I should have kept using organizationalRole so that roles are simply recursive.

Permission: this is just a role really, or an attribute of a role. If you use CMA they are defined in web.xml, not LDAP.

As I said, don't try to make your LDAP tree mirror your organization. Make it mirror its own organization. I use multiple-valued attributes wherever necessary. I use organizationalUnit mainly for layers within LDAP itself, or where I have broken my rules above ;-)

OpenLDAP has a referential integrity overlay which can keep a lot of this straight for you.

There are some very good hints on LDAP structure in Mastering OpenLDAP by Matt Butcher, and a higher level view of it all in Understanding and Deploying LDAP Directory Services by Howes et al.
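The question's reverse-lookup worry (scanning every role to find the ones a user holds) and the answer's point that organizationalRole lets roles nest, shown as an added example that is not code from the thread. It assumes the standard roleOccupant attribute of organizationalRole, a constructed LDIF sample under dc=example,dc=com, and a tiny in-memory parser standing in for the server-side search `(roleOccupant=<user DN>)` that an indexed directory answers without scanning.

```python
from collections import defaultdict
# Constructed sample, not from the original thread: inetOrgPerson users and
# organizationalRole roles whose roleOccupant values name a user or a role DN.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: alice

dn: cn=admin,ou=roles,dc=example,dc=com
objectClass: organizationalRole
cn: admin
roleOccupant: uid=alice,ou=people,dc=example,dc=com

dn: cn=document_read,ou=roles,dc=example,dc=com
objectClass: organizationalRole
cn: document_read
roleOccupant: cn=admin,ou=roles,dc=example,dc=com

dn: cn=document_modify,ou=roles,dc=example,dc=com
objectClass: organizationalRole
cn: document_modify
roleOccupant: cn=admin,ou=roles,dc=example,dc=com
"""


def parse_ldif(text):
    # Minimal reader: blank-line-separated 'attr: value' entries, multi-valued
    # attributes kept as lists (base64 values and folded lines not handled).
    entries = {}
    for block in text.strip().split("\n\n"):
        attrs = defaultdict(list)
        for line in block.splitlines():
            name, _, value = line.partition(": ")
            attrs[name].append(value)
        entries[attrs["dn"][0]] = dict(attrs)
    return entries


def effective_roles(entries, user_dn):
    # Invert roleOccupant once (what a server's index does for the filter
    # (roleOccupant=<dn>)), then follow role-in-role nesting from the user.
    holds = defaultdict(set)
    for dn, attrs in entries.items():
        if "organizationalRole" in attrs.get("objectClass", []):
            for occupant in attrs.get("roleOccupant", []):
                holds[occupant].add(dn)
    found, pending = set(), list(holds[user_dn])
    while pending:  # visited set guards against accidental role cycles
        role = pending.pop()
        if role not in found:
            found.add(role)
            pending.extend(holds[role])
    return {entries[r]["cn"][0] for r in found}
```

Alice holds admin directly and inherits document_read and document_modify because admin occupies both; a DN that occupies nothing resolves to an empty set.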
