Is LDAP a good idea?

  • Thread starter Thread starter Peter Morris
  • Start date Start date
P

Peter Morris

A customer wants to use LDAP for managing permissions on a software app I am
helping to write. I am not familiar with LDAP but my basic understanding is
that it will allow me to specify groups and users, and then assign groups to
users to give them certain permissions.

A concern I have though lies in one of the requirements. A specific user or
group can be limited to editing an explicit list of items (of which there
are hundreds, maybe thousands). If I weren't using LDAP I could easily
manage users + groups in my DB and have a foreign key relationship
identifying which items a user can edit, but if LDAP stores the permissions
data instead of asking my app for it then how can it possibly know about the
individual items in order to grant/deny access?

Is LDAP not a suitable tool for this solution, or am I able to get it to use
an API of some kind so that it can read/write data via an assembly I
provide?


Thanks
 
Peter, consider using LDAP to control overall access to the application (:
i.e., is the user authorized to use the application at all), and then use
your database or other data store that you manage for fine-grained control
of editing permissions for individual items.

Or if your editable objects can be organized into a reasonably small number
of classes or groups, you might also use LDAP to grant access in a
role-based system of your own design. Then in your own database, or your
code, you can link the role to the individual items that a user in that role
can edit. The per-user role assignments could reside in the LDAP data store,
but the fine-grained control would still reside outside LDAP.

Tom Dacon
Dacon Software Consulting
 
Hi Tom

Thanks for your reply! In your opinion then is it impossible to plug into
LDAP in some way to make it aware of the data?


Regards
 
Peter, I can't say that for sure, so I don't want to wave you off, in case
there might be something I'm missing or don't know about.

I haven't personally done any LDAP since the late Visual Studio 6 days, so I
can't comment on what resources .Net gives us. Hopefully this thread will
draw attention from someone who's using it with .Net.

Tom
 
You might try Microsoft newsgroups with the string "adsi" in them, such as
microsoft.public.adsi.general.

Good luck,
Tom
 
Back
Top