active-directoryldapopenldapapacheds

Grouping LDAP users with custom attribute


I have a web application and I want to control which user can see what data. So I thought a user can belong to a group (ie. DBA, Middleware specialist, UNIX guys, etc.) and the logged in user can only see its data in the app.
I want LDAP to do the authentication. I assume there aren't such groups specified in LDAP (ie. I don't want to use LDAP groups as I cannot force the company LDAP to create groups and put the users in those groups).

What I think of is a flexible solution like being able to use a custom attribute on each user (let's say named 'acces_groups') what the groups can be enlisted comma separated string.
I read that the schema of an objectClass (like organizationalPerson) has to be altered to do that. But is there an easy way to add such a custom attribute to a user in LDAP (I am talking about an already working company LDAP)? Or how would you solve this (without disrupting/breaking the current LDAP)? I didn't say what kind of LDAP (OpenLDAP, active Directory, etc.) for a reason as I'd want a common solution here.


Solution

  • These are two possible solutions/implementations :