7
votes

I'm working on role-based security implementation in LDAP and Java. Specifically, I have the following objects that I need to represent in LDAP:

  • Users
  • Corporate groups of users - HR, Finance etc.
  • Permissions - DOCUMENT_READ, DOCUMENT_MODIFY etc.
  • Roles - ADMIN, GUEST etc.

Roles are basically groups of permissions, and they can be assigned to a user or to a group of users.

I was thinking of representing them in LDAP as follows:

  • Users - Person and uidObject classes with userPassword attribute.
  • Groups of users - organizationalUnit class, under which the users are located.
  • Roles - groupOfNames object class.
  • Permissions - not sure about this one, perhaps also groupOfNames class.

The idea is to have quick access from a user or a group to the list of roles that this user or group has. I know that I can put users and groups in the "member" attribute of a role, but then I will have to scan all roles to find which ones have this user listed. Is there a way to have something like the "member" attribute in a Person object?

Generally, does anyone know of a good role-based security implementation in LDAP? I could not find good documentation or tutorials on this subject. I'm using ApacheDS as an LDAP server currently, but I'm open to suggestions.


3 Answers

9
votes

Users: inetOrgPerson

Collections: organizationalUnit, but beware of trying to replicate your organizational structure in your LDAP directory: this is usually a mistake, as organizations change and users move around the organization. You should consider using the ou attribute.

Roles: organizationalRole. I used groups of roles as groupOfUniqueNames, but that was a mistake, I should have kept using organizationalRole so that roles are simply recursive.

Permission: this is just a role really, or an attribute of a role. If you use CMA they are defined in web.xml, not LDAP.

As I said, don't try to make your LDAP tree mirror your organization. Make it mirror its own organization. I use multiple-valued attributes wherever necessary. I use organizationalUnit mainly for layers within LDAP itself, or where I have broken my rules above ;-)

OpenLDAP has a referential integrity overlay which can keep a lot of this straight for you.

There are some very good hints on LDAP structure in Mastering OpenLDAP by Matt Butcher, and a higher level view of it all in Understanding and Deploying LDAP Directory Services by Howes et al.
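Added example (not code from any answer here): the organizationalRole layout this answer describes, fed with constructed LDIF under hypothetical example.com DNs and resolved offline in Python. Against a real server each step of the resolution is one search with the filter quoted in the docstring, which the server answers from its roleOccupant index (if that attribute is indexed) instead of scanning every role the way the question worried about.

```python
# Constructed sample LDIF (hypothetical DNs) in the organizationalRole model:
# a role lists its holders in roleOccupant, and a role may itself hold a role.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
cn: Alice Example
sn: Example
uid: alice
ou: finance

dn: cn=DOCUMENT_READ,ou=roles,dc=example,dc=com
objectClass: organizationalRole
cn: DOCUMENT_READ
roleOccupant: cn=GUEST,ou=roles,dc=example,dc=com

dn: cn=GUEST,ou=roles,dc=example,dc=com
objectClass: organizationalRole
cn: GUEST
roleOccupant: cn=ADMIN,ou=roles,dc=example,dc=com
roleOccupant: uid=bob,ou=people,dc=example,dc=com

dn: cn=ADMIN,ou=roles,dc=example,dc=com
objectClass: organizationalRole
cn: ADMIN
roleOccupant: uid=alice,ou=people,dc=example,dc=com
"""
def parse_ldif(text):
    """Minimal LDIF reader -> {dn: {attr: [values]}}; no base64 or folded lines."""
    entries, current = {}, None
    for line in text.splitlines():
        if not line.strip():              # a blank line ends the current entry
            current = None
            continue
        attr, _, value = line.partition(": ")
        if attr == "dn":
            current = entries.setdefault(value, {})
        else:
            current.setdefault(attr, []).append(value)
    return entries

def roles_of(entries, dn, seen=None):
    """Role DNs that dn holds, directly or through a role that holds a role. Each
    pass mirrors the search (&(objectClass=organizationalRole)(roleOccupant=<dn>))."""
    seen = set() if seen is None else seen
    for role_dn, attrs in entries.items():
        if ("organizationalRole" in attrs.get("objectClass", [])
                and dn in attrs.get("roleOccupant", []) and role_dn not in seen):
            seen.add(role_dn)
            roles_of(entries, role_dn, seen)   # seen also breaks role cycles
    return seen
```

Permissions such as DOCUMENT_READ are modelled as roles held by other roles, which is the "permission is just a role" point made above.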

2
votes

One more option: check out attribute-based access control (ABAC). ABAC is an evolution of RBAC. It uses attributes (which are labels about the user, the resource, the context) and policies to determine what is allowed and what isn't.

Example: A user with the role==manager in the department==sales can do the action==edit on a document of type==purchase order if the PO's amount<=the user's approval limit.

You can read more on ABAC at the NIST website.

0
votes

Check out Fortress. It is ANSI RBAC INCITS 359 compliant and built on LDAP. The source code is open source and you can pull down pre-built binaries that include OpenLDAP from here: http://iamfortress.org/