LDAP authorization


Question

I'm starting to implement an authorization and authentication mechanism using LDAP for some existing system. At the development stage, I'm facing a difficult design decision: where should user roles be stored?

If I used an RDBMS, it looks like there would be three tables: user, role and user_role to map roles to users.

Please suggest available solutions. I'm thinking about storing the user roles in the DB and the users in LDAP, but I'm not sure if that is the best solution. I use JBoss as my application server.

Accepted answer

From an architectural point of view, you have multiple solutions. Here is a solution that keeps all your data in a Directory.

In your Directory you can code your 'Roles' with objects from a class with the meaning of "group", like groupOfNames or group (depending on your Directory). The users' Distinguished Names (DN) will then be coded in a multivalued attribute of these objects (generally member). The 'Role' object DN can, in return, be coded in a multivalued attribute of the user object (e.g. memberOf).

In case your Directory supports referential integrity, it can act as a system Directory. Then the member and memberOf attributes can be managed by the Directory itself. This means that if you move a user from one Organizational Unit to another, the Directory is going to refresh the member attribute of the 'Role' objects the user belongs to.

In the other case (no referential integrity), your application has to manage the attribute integrity.

It's short, but I hope it helps.

Edit

First of all, I recommend Apache Directory Studio, which is (for me) one of the best LDAP browsers. This tool will allow you to see your Directory and to learn LDAP in a friendlier way. Using this tool, I show you the way ADAM (Active Directory Application Mode), the free Directory from Microsoft, codes the 'Roles'.

In the first picture you can see AdminAdam as a member of the administrators group:

In this second picture, you can see the presence of the group in the memberOf attribute of the user adminAdam.

ADAM supports referential integrity.
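The group-as-role design described in the answer above, worked through as an added example (not code from the original post or from any directory product). It keeps a few constructed entries in an in-memory dictionary standing in for the Directory; the DNs, the `ou=Roles` layout and the `move_user` helper are assumptions chosen to mirror the answer's groupOfNames/member/memberOf scheme. It shows three things a practitioner runs into: role lookup must treat the group's `member` attribute as authoritative and compare DNs case-insensitively; on a directory without referential integrity, the `memberOf` back-links drift and the application must detect that; and a rename into another OU has to repair every `member` value, which a directory with referential integrity does for you.

```python
"""Role lookup over LDAP-style group objects held in a small in-memory directory.

Added example, not code from the original post. All DNs and entries below are
constructed sample data.
"""


def normalize_dn(dn):
    """Canonicalize a DN for comparison. LDAP DNs are case-insensitive and may
    carry whitespace around RDN separators, so plain string equality is a bug."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def make_directory():
    """Constructed sample data: two users and two role groups (groupOfNames).
    The administrators entry lists AdminAdam with different case and spacing on
    purpose; Bob's memberOf is deliberately stale to simulate a directory
    without referential integrity."""
    return {
        "cn=AdminAdam,ou=Users,dc=example,dc=com": {
            "objectClass": ["inetOrgPerson"],
            "memberOf": ["cn=administrators,ou=Roles,dc=example,dc=com"],
        },
        "cn=Bob,ou=Users,dc=example,dc=com": {
            "objectClass": ["inetOrgPerson"],
            "memberOf": [],
        },
        "cn=administrators,ou=Roles,dc=example,dc=com": {
            "objectClass": ["groupOfNames"],
            "member": ["CN=AdminAdam, OU=Users, DC=example, DC=com"],
        },
        "cn=auditors,ou=Roles,dc=example,dc=com": {
            "objectClass": ["groupOfNames"],
            "member": ["cn=Bob,ou=Users,dc=example,dc=com"],
        },
    }


def roles_of(directory, user_dn):
    """Authoritative roles: every group whose member attribute lists the user."""
    target = normalize_dn(user_dn)
    return {
        dn
        for dn, attrs in directory.items()
        if "groupOfNames" in attrs.get("objectClass", [])
        and any(normalize_dn(m) == target for m in attrs.get("member", []))
    }


def has_role(directory, user_dn, role_dn):
    """Authorization check used by the application: is user_dn in role_dn?"""
    wanted = normalize_dn(role_dn)
    return any(normalize_dn(r) == wanted for r in roles_of(directory, user_dn))


def stale_back_links(directory):
    """Users whose memberOf disagrees with the groups' member attributes.
    On a directory without referential integrity this check is the
    application's job; returns {user_dn: (expected, actual)}."""
    stale = {}
    for dn, attrs in directory.items():
        if "memberOf" not in attrs:
            continue
        expected = {normalize_dn(r) for r in roles_of(directory, dn)}
        actual = {normalize_dn(r) for r in attrs["memberOf"]}
        if expected != actual:
            stale[dn] = (expected, actual)
    return stale


def move_user(directory, old_dn, new_parent):
    """Rename a user into another OU and repair every group's member value.
    A directory with referential integrity does this itself; without it, the
    application must perform the rename and these updates together."""
    rdn = old_dn.split(",", 1)[0]
    new_dn = "%s,%s" % (rdn, new_parent)
    old_norm = normalize_dn(old_dn)
    directory[new_dn] = directory.pop(old_dn)
    for attrs in directory.values():
        if "member" in attrs:
            attrs["member"] = [
                new_dn if normalize_dn(m) == old_norm else m for m in attrs["member"]
            ]
    return new_dn


if __name__ == "__main__":
    d = make_directory()
    print(has_role(d, "cn=adminadam,ou=users,dc=example,dc=com",
                   "cn=administrators,ou=Roles,dc=example,dc=com"))
    print(stale_back_links(d))
    print(move_user(d, "cn=AdminAdam,ou=Users,dc=example,dc=com",
                    "ou=Contractors,dc=example,dc=com"))
```

Against a real server the same logic is a search such as `(&(objectClass=groupOfNames)(member=<user DN>))` rather than a dictionary scan; the point that carries over is to authorize from the group side (`member`) and to treat `memberOf` as a convenience that is only trustworthy when the directory maintains it.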
