LDAP authorization


Problem description

I'm starting to implement an authorization and authentication mechanism using LDAP for an existing system. At the development stage, I'm facing a difficult design decision: where should user roles be stored?

If I used an RDBMS, it looks like there would be three tables: user, role and user_role to map roles to users.

Please suggest available solutions. I'm thinking about storing the user roles in the DB and the users in LDAP, but I'm not sure whether that is the best solution. I use JBoss as my application server.

Recommended answer

From an architectural point of view, you've got multiple solutions. Here is one that keeps all your data in a directory.

In your directory you can model your 'roles' with objects from a class that has the meaning of "group", such as groupOfNames or group (depending on your directory). The users' distinguished names (DNs) are then stored in a multi-valued attribute of these objects (generally member). The 'role' object's DN can, in return, be stored in a multi-valued attribute of the user object (e.g. memberOf).

If your directory supports referential integrity, it can act as a system directory. The member and memberOf attributes can then be managed by the directory itself. This means that if you move a user from one organizational unit to another, the directory will refresh the member attribute of the 'role' objects the user belongs to.

In the other case (no referential integrity), your application has to manage the attribute integrity.

It's short, but I hope it helps.

Edited

First of all, I recommend Apache Directory Studio, which is (for me) one of the best LDAP browsers. This tool will let you see your directory and learn LDAP in a friendlier way. Using this tool, I'll show you the way ADAM (Active Directory Application Mode), Microsoft's free directory, encodes the 'roles'.

In the first picture you can see AdminAdam as a member of the Administrators group:

In the second picture, you can see the presence of the group in the memberOf attribute of the user AdminAdam.

ADAM supports referential integrity.
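The group-based layout the answer describes, as an added example that is not part of the original post or of any product mentioned in it. It parses a small LDIF snippet constructed here (the entry names, OUs and the `dc=example,dc=com` suffix are assumptions) and resolves a user's roles both ways: from the groups' multi-valued `member` attribute and from the user's `memberOf` back-link. It then shows the integrity work the application has to do when the directory does not maintain `member`/`memberOf` itself: rewriting `member` values when a user is moved to another OU, flagging a `memberOf` value that no group confirms, and building the `(member=<dn>)` search filter with RFC 4515 escaping so a caller-supplied DN cannot alter the filter. The DN comparison is a deliberate simplification (case-fold and trim) and does not handle escaped commas or multi-valued RDNs.

```python
from collections import defaultdict

# Constructed sample directory (not from the original post). Bob carries a
# memberOf value for Administrators that the Administrators group does not
# confirm: exactly the inconsistency an application must catch when the
# directory offers no referential integrity.
SAMPLE_LDIF = """\
dn: cn=AdminAdam,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
cn: AdminAdam
memberOf: cn=Administrators,ou=Roles,dc=example,dc=com

dn: cn=Bob,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
cn: Bob
memberOf: cn=Auditors,ou=Roles,dc=example,dc=com
memberOf: cn=Administrators,ou=Roles,dc=example,dc=com

dn: cn=Administrators,ou=Roles,dc=example,dc=com
objectClass: groupOfNames
cn: Administrators
member: cn=AdminAdam,ou=People,dc=example,dc=com

dn: cn=Auditors,ou=Roles,dc=example,dc=com
objectClass: groupOfNames
cn: Auditors
member: cn=Bob,ou=People,dc=example,dc=com
"""

GROUP_CLASSES = {"groupofnames", "group"}  # OpenLDAP-style and AD/ADAM-style


def normalize_dn(dn: str) -> str:
    """Case-fold and trim a DN for comparison (simplified: no escaped commas)."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def parse_ldif(text: str) -> dict:
    """Parse minimal LDIF (attr: value lines, blank line between entries)
    into {normalized_dn: {attr_lower: [values]}}."""
    directory = {}
    for block in text.strip().split("\n\n"):
        entry = defaultdict(list)
        for line in block.splitlines():
            if not line.strip() or line.startswith("#"):
                continue
            attr, _, value = line.partition(":")
            entry[attr.strip().lower()].append(value.strip())
        dn = entry.pop("dn")[0]
        directory[normalize_dn(dn)] = dict(entry)
    return directory


def is_group(entry: dict) -> bool:
    return bool(GROUP_CLASSES & {oc.lower() for oc in entry.get("objectclass", [])})


def roles_from_groups(directory: dict, user_dn: str) -> list:
    """Authoritative lookup: groups whose `member` attribute lists the user."""
    user = normalize_dn(user_dn)
    return sorted(dn for dn, e in directory.items()
                  if is_group(e) and user in {normalize_dn(m) for m in e.get("member", [])})


def roles_from_memberof(directory: dict, user_dn: str) -> list:
    """Back-link lookup from the user's `memberOf`; only trustworthy when the
    directory (or the application) keeps it in sync with `member`."""
    entry = directory.get(normalize_dn(user_dn), {})
    return sorted(normalize_dn(g) for g in entry.get("memberof", []))


def check_integrity(directory: dict) -> list:
    """Report member/memberOf mismatches and member values pointing at no entry."""
    problems = []
    for dn, entry in directory.items():
        if is_group(entry):
            for m in entry.get("member", []):
                if normalize_dn(m) not in directory:
                    problems.append(("dangling_member", dn, normalize_dn(m)))
            continue
        forward = set(roles_from_groups(directory, dn))
        back = set(roles_from_memberof(directory, dn))
        problems += [("stale_memberOf", dn, g) for g in back - forward]
        problems += [("missing_memberOf", dn, g) for g in forward - back]
    return sorted(problems)


def move_user(directory: dict, old_dn: str, new_dn: str) -> int:
    """Rename a user entry and rewrite every group's `member` value that pointed
    at the old DN (what a directory with referential integrity does by itself).
    Returns the number of group entries updated."""
    old = normalize_dn(old_dn)
    directory[normalize_dn(new_dn)] = directory.pop(old)
    updated = 0
    for entry in directory.values():
        members = entry.get("member", []) if is_group(entry) else []
        if any(normalize_dn(m) == old for m in members):
            entry["member"] = [new_dn if normalize_dn(m) == old else m for m in members]
            updated += 1
    return updated


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value embedded in an LDAP search filter."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\0" else ch for ch in value)


def member_filter(user_dn: str) -> str:
    """Server-side equivalent of roles_from_groups(): find groups listing the DN."""
    return "(&(objectClass=groupOfNames)(member=%s))" % escape_filter_value(user_dn)
```

Run `check_integrity()` as a periodic job (or after every move/rename) when the directory lacks referential integrity, and treat `roles_from_groups()` rather than the `memberOf` back-link as the source of truth for authorization decisions; the unescaped DN must never be interpolated into the filter, which is why `member_filter()` goes through `escape_filter_value()`.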
