directory-users mailing list archives

From Emmanuel Lécharny <elecha...@gmail.com>
Subject Re: [ApacheDS] Management of users groups roles and permissions for different tools (web apps)
Date Thu, 08 Feb 2018 15:42:46 GMT


On 08/02/2018 at 16:03, Damian.Baran@t-systems.com wrote:
> Hello All,
> 
> 
> I'm Damian Baran and I work for T-Systems. I don't have a lot of experience with LDAP,
> just basic knowledge. I have set up my own local testlab with Apache DS as LDAP server, Apache
> Directory Studio as LDAP browser and some local instances of tools we use in our company.
> During this exploration I got the idea that most of the "digital tools" out there use a user/group/role
> permission model. What I don't understand is why these tools don't support such deep LDAP
> integration? Why can't you just manage users, groups, roles and permissions in one place in
> LDAP and just configure the tool to retrieve this data from LDAP?

Probably because everybody likes to reinvent the wheel ;-)

> 
> 
> BTW I don't know if LDAP has such possibilities to fully take over management of users,
> groups, roles and permissions for different tools (web apps). Do you have some experience
> with that?

Actually, managing entities like user/group/roles is well defined by
RBAC (Role-Based Access Control:
https://en.wikipedia.org/wiki/Role-based_access_control).

The Apache Directory Fortress project is a Java API that relies on LDAP
to store its data, and the API offers everything you might want to do
wrt user/group/permissions.

Also note that user/group/permission is an operating system concept, and
it's really limited. There is nothing, for instance, related to
expiration, delegation, etc, which are parts of user management.

Shawn might want to add something to what I wrote (he is the man behind
Fortress).

Hope it helps.

-- 
Emmanuel Lecharny

Symas.com
directory.apache.org

