Prashant Thorat

Reputation: 1812

LDAP best way to assign Roles to users

Is there any standard way to set user roles and permissions?

Option 1: Create group and assign members in that.

My people DN is as follows:

  DN: uid=55e44a75e4b0f16711714165,ou=people,dc=cofinding,dc=com 

I created groups for roles and assigned members to them:

DN: cn=ADMIN,ou=roles,dc=cofinding,dc=com  

And added here the members who have the role ADMIN. Around 50K members were added to the ADMIN role.

Option 2: Add a custom role value in people, e.g. I created user_role on this DN:

DN: uid=55e44a75e4b0f16711714165,ou=people,dc=cofinding,dc=com

In people we can add user_role=ADMIN,MASTER_ADMIN

Is there any other option or standard practice? Roles are very important in any authentication process.

Upvotes: 3

Views: 28802

Answers (2)

Guillermo R

Reputation: 633

There is another option that's kind of a hybrid between options #1 and #2. Instead of using static groups (Option 1) you can use the so-called dynamic groups, or groups of URLs:

dn: cn=ADMIN,ou=roles,dc=cofinding,dc=com
objectClass: top
objectClass: groupOfURLs
cn: ADMIN
memberURL: ldap:///ou=people,dc=cofinding,dc=com??sub?user_role=ADMIN

The memberURL is a filter that determines which users belong to the group based on a certain attribute value and a base DN. In the example above, every user under ou=people,dc=cofinding,dc=com with the attribute user_role=ADMIN will automatically be added to the ADMIN group. Here is a sample admin user:

dn: uid=55e44a75e4b0f16711714165,ou=people,dc=cofinding,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
cn: John Doe
sn: Doe
uid: 55e44a75e4b0f16711714165
user_role: ADMIN

With this approach you get the best from both options (#1 and #2):

  1. Your group entries don't grow in size.
  2. You can query the group to get the list of members:

    $ ldapsearch -p 1389 -D "cn=directory manager" -w password -b "cn=ADMIN,ou=roles,dc=cofinding,dc=com" "(objectClass=groupOfURLs)"
    dn: cn=ADMIN,ou=roles,dc=cofinding,dc=com
    cn: ADMIN
    memberURL: ldap:///ou=people,dc=cofinding,dc=com??sub?user_role=ADMIN
    member: uid=55e44a75e4b0f16711714165,ou=people,dc=cofinding,dc=com
    
  3. You can use the memberOf virtual attribute in your search filters:

    (memberOf=cn=ADMIN,ou=roles,dc=cofinding,dc=com)

Upvotes: 3
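To make the dynamic-group mechanism concrete, here is an added example (not code from the answer above or from any directory server): it parses a `memberURL` the way RFC 4516 defines an LDAP URL (`ldap:///<base DN>?<attributes>?<scope>?<filter>`), evaluates the scope and filter against a constructed in-memory set of entries, and derives the virtual `member` and `memberOf` values a server would expose. The ADMIN group and John Doe's entry are taken from the answer; the other groups and users are constructed for the example. It assumes only equality filters combined with `&`, `|` and `!`, and simplified DN handling that ignores escaped commas.

```python
"""Added example, not code from the original answer: how a directory server
derives groupOfURLs membership from memberURL, over constructed entries.
Assumptions: only equality filters joined by & | ! are supported, and DN
normalisation ignores escaped commas."""
from urllib.parse import unquote


def norm_dn(dn):
    """Case- and whitespace-insensitive DN comparison form (simplified)."""
    return ",".join(part.strip() for part in dn.lower().split(","))


def parse_member_url(url):
    """Split an ldap:/// URL into (base_dn, scope, filter) per RFC 4516."""
    if not url.startswith("ldap:///"):
        raise ValueError("only ldap:/// URLs are supported")
    parts = url[len("ldap:///"):].split("?")
    parts += [""] * (4 - len(parts))            # dn, attributes, scope, filter
    base_dn, _attrs, scope, flt = (unquote(p) for p in parts[:4])
    scope = scope.lower() or "base"             # RFC 4516 default scope
    if scope not in ("base", "one", "sub"):
        raise ValueError(f"unknown scope {scope!r}")
    return norm_dn(base_dn), scope, flt or "(objectClass=*)"


def parse_filter(text):
    """Parse a minimal RFC 4515 filter into a nested tuple AST."""
    text = text.strip()
    if not text.startswith("("):                # servers accept a bare attr=value
        text = f"({text})"
    node, rest = _parse_node(text)
    if rest.strip():
        raise ValueError(f"trailing data in filter: {rest!r}")
    return node


def _parse_node(s):
    if s[1] in "&|!":                           # compound node: (&(...)(...))
        op, rest, children = s[1], s[2:], []
        while rest.startswith("("):
            child, rest = _parse_node(rest)
            children.append(child)
        if not rest.startswith(")"):
            raise ValueError("unbalanced filter")
        return (op, children), rest[1:]
    end = s.index(")")                          # leaf node: (attr=value)
    attr, _, value = s[1:end].partition("=")
    return ("=", attr.strip().lower(), value.strip()), s[end + 1:]


def matches(entry, node):
    """Evaluate the filter AST against one entry (attribute keys are lowercase)."""
    if node[0] == "=":
        _, attr, value = node
        values = entry.get(attr, [])
        if value == "*":
            return bool(values)
        return any(v.lower() == value.lower() for v in values)
    op, children = node
    results = [matches(entry, c) for c in children]
    return all(results) if op == "&" else any(results) if op == "|" else not results[0]


def in_scope(entry_dn, base_dn, scope):
    """Apply the URL scope: base = the base itself, one = direct children, sub = whole subtree."""
    e, b = norm_dn(entry_dn), norm_dn(base_dn)
    if scope == "base":
        return e == b
    if scope == "one":
        return "," in e and e.split(",", 1)[1] == b
    return e == b or e.endswith("," + b)


def resolve_members(group, entries):
    """DNs selected by the group's memberURL(s): the virtual `member` attribute."""
    members = set()
    for url in group.get("memberurl", []):
        base, scope, flt = parse_member_url(url)
        ast = parse_filter(flt)
        members.update(e["dn"] for e in entries
                       if in_scope(e["dn"], base, scope) and matches(e, ast))
    return sorted(members)


def member_of(user_dn, groups, entries):
    """Virtual memberOf: every dynamic group whose memberURL selects user_dn."""
    return sorted(g["dn"] for g in groups if user_dn in resolve_members(g, entries))


def entry(dn, **attrs):
    return {"dn": dn, **{k.lower(): list(v) for k, v in attrs.items()}}


PEOPLE = "ou=people,dc=cofinding,dc=com"
# Constructed sample data; only the ADMIN group and John Doe come from the answer.
ENTRIES = [
    entry(f"uid=55e44a75e4b0f16711714165,{PEOPLE}", cn=["John Doe"], user_role=["ADMIN"]),
    entry(f"uid=bob-example,{PEOPLE}", cn=["Bob"], user_role=["ADMIN", "MASTER_ADMIN"]),
    entry(f"uid=carol-example,{PEOPLE}", cn=["Carol"]),                   # no role at all
    entry("uid=svc-example,ou=services,dc=cofinding,dc=com", user_role=["ADMIN"]),  # outside base DN
]
GROUPS = [
    entry("cn=ADMIN,ou=roles,dc=cofinding,dc=com",
          memberURL=[f"ldap:///{PEOPLE}??sub?user_role=ADMIN"]),
    entry("cn=MASTER_ADMIN,ou=roles,dc=cofinding,dc=com",
          memberURL=[f"ldap:///{PEOPLE}??sub?user_role=MASTER_ADMIN"]),
    entry("cn=ANY_ADMIN,ou=roles,dc=cofinding,dc=com",
          memberURL=[f"ldap:///{PEOPLE}??sub?(|(user_role=ADMIN)(user_role=MASTER_ADMIN))"]),
]
```

Two details worth noticing when you run it: the service account under `ou=services` carries `user_role=ADMIN` but never lands in the group, because the base DN in the URL bounds the search just as it does for a real `ldapsearch`; and a user whose attribute value is removed drops out of every group on the next evaluation, which is exactly why the group entries never grow.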

marthursson

Reputation: 3300

First of all: roles have nothing to do with authentication, they are used in the authorization process. When authenticating, the system verifies who the user is based on some set of credentials; once this has been established the roles are consulted in the authorization process to determine whether the user should be granted access to some specific resource.

Answering your question on roles: both ways would work. The first approach is probably the most common one (and most in line with the way things are normally structured in LDAP; take a look at the groupOfNames and groupOfUniqueNames object classes for representing your role). Depending on the use case I would argue that the latter is probably more practical in many cases, but you need to take into account that it's not quite the standard 'LDAP way' of doing things.

Upvotes: 6
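As an added example (not marthursson's code, and not tied to any particular LDAP server), the following keeps the two steps the answer distinguishes apart in code: `authenticate` establishes who the caller is, and `authorize` consults roles only afterwards. It resolves roles from either representation the question describes, a `groupOfNames` entry under `ou=roles` whose `member` attribute lists user DNs (option 1), or a `user_role` attribute on the user entry itself (option 2), behind the same interface. The directory contents, credentials and the resource-to-role policy are all constructed for the example; the credential check stands in for an LDAP bind.

```python
"""Added example, not from the original answer: authentication (who are you)
kept separate from authorization (what may you do), with roles resolved from
either a groupOfNames `member` list or a user_role attribute. All data below
is constructed; the password check stands in for an LDAP simple bind."""
import hashlib
import hmac

SALT = b"example-salt"   # constructed; a real directory keeps a per-user salt


def password_hash(password, salt=SALT):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Option 2 representation: the role lives on the user entry (user_role).
USERS = {
    "uid=55e44a75e4b0f16711714165,ou=people,dc=cofinding,dc=com": {
        "pwhash": password_hash("correct horse"),   # constructed credential
        "user_role": ["ADMIN"],
    },
    "uid=auditor-example,ou=people,dc=cofinding,dc=com": {
        "pwhash": password_hash("audit-pass"),      # constructed credential
        "user_role": ["AUDITOR"],
    },
}

# Option 1 representation: groupOfNames entries whose `member` lists user DNs.
GROUPS = {
    "cn=ADMIN,ou=roles,dc=cofinding,dc=com": {
        "objectclass": ["top", "groupOfNames"],
        "member": ["uid=55e44a75e4b0f16711714165,ou=people,dc=cofinding,dc=com"],
    },
    "cn=AUDITOR,ou=roles,dc=cofinding,dc=com": {
        "objectclass": ["top", "groupOfNames"],
        "member": ["uid=auditor-example,ou=people,dc=cofinding,dc=com"],
    },
}

# Hypothetical application policy: which roles may reach which resource.
# This belongs to the application, not to the directory.
POLICY = {
    "/admin/users": {"ADMIN", "MASTER_ADMIN"},
    "/reports": {"ADMIN", "AUDITOR"},
}


def authenticate(dn, password):
    """Authentication only: return the DN if the credentials are valid, else None.
    Roles are deliberately not consulted here."""
    user = USERS.get(dn)
    if user is None:
        password_hash(password)      # same cost for unknown users (timing)
        return None
    ok = hmac.compare_digest(password_hash(password), user["pwhash"])
    return dn if ok else None


def roles_from_groups(dn):
    """Option 1: the roles are the groups whose member attribute names the DN."""
    return {g.split(",", 1)[0][len("cn="):]
            for g, attrs in GROUPS.items() if dn in attrs["member"]}


def roles_from_attribute(dn):
    """Option 2: the roles are stored on the user entry."""
    return set(USERS.get(dn, {}).get("user_role", []))


def authorize(dn, resource, resolver=roles_from_groups):
    """Authorization only: an already authenticated identity asks for a resource.
    Unknown resources and unauthenticated callers are denied."""
    if dn is None:
        return False
    return bool(resolver(dn) & POLICY.get(resource, set()))


def access(dn, password, resource, resolver=roles_from_groups):
    """The full sequence an application runs: authenticate, then authorize."""
    return authorize(authenticate(dn, password), resource, resolver)
```

Swapping `resolver=roles_from_attribute` into `access` changes where the roles are read from without touching the policy or the credential check, which is the practical upside of keeping the two steps apart: the representation debate in the question is then an operational choice (group entry size versus the conventional LDAP layout), not a security-relevant one.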
