I have a web application and I want to control which user can see what data. So I thought a user can belong to a group (i.e. DBA, Middleware specialist, UNIX guys, etc.) and the logged-in user can only see its data in the app.
I want LDAP to do the authentication. I assume there aren't such groups specified in LDAP (i.e. I don't want to use LDAP groups as I cannot force the company LDAP to create groups and put the users in those groups).
What I think of is a flexible solution like being able to use a custom attribute on each user (let's say named 'acces_groups') in which the groups can be listed as a comma-separated string.
I read that the schema of an objectClass (like organizationalPerson) has to be altered to do that. But is there an easy way to add such a custom attribute to a user in LDAP (I am talking about an already working company LDAP)?
Or how would you solve this (without disrupting/breaking the current LDAP)?
I didn't say what kind of LDAP (OpenLDAP, Active Directory, etc.) for a reason as I'd want a common solution here.
These are two possible solutions/implementations:

What you supposed: You can add a schema and not alter the organizationalPerson objectClass (because altering an already established schema will make your LDAP not standard). Then you add this objectClass to all your users to allow them to use the attributes defined by this schema. You can define the acces_groups attribute and make it multi-valued. You could also define one attribute per flag you need (dba, middleware, etc.) and make it a boolean, etc.
Why I would not do any of this:

Using groups: You can indeed create groups such as dba, middleware, etc. and assign the users to those groups.