CODEWITHSUNDEEP
ldap
dtrunk
dtrunk

Reputation: 4805

use custom attributes in openldap

I'm trying to add a custom attribute to my openldap structure, to store the role for each user for later handling of my spring web application users.

There are only 3 roles: admin, manager and viewer. Is it possible to add any rule for this?

And how to fix the below mentioned error?

# CUSTOM ATTRIBUTE
dn: cn=schema,cn=config
changeType: modify
add: attributeTypes
attributeTypes: (
  2.25.128424792425578037463837247958458780603.1
  NAME 'role'
  EQUALITY caseIgnoreMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
  SINGLE-VALUE
 )
-
add: objectClasses
objectClasses: (
  2.25.128424792425578037463837247958458780603.2
  NAME 'rolePerson'
  SUP person
  AUXILIARY
  MUST ( role )
 )

# USERS
dn: ou=people,dc=ubuntu,dc=local
objectClass: organizationalUnit
ou: people

dn: cn=demo_admin,ou=people,dc=ubuntu,dc=local
objectClass: rolePerson
userPassword: {MD5}fe01ce2a7fbac8fafaed7c982a04e229
uid: demo
cn: demo
sn: demo
role: admin

Output of ldapadd -x -W -D "cn=admin,dc=ubuntu,dc=local" -f roleuser.ldif:

modifying entry "cn=schema,cn=config"
ldap_modify: Invalid syntax (21)
    additional info: attributeTypes: value #0 invalid per syntax

Upvotes: 2

Views: 2946

Answers (2)

András Aszódi
András Aszódi

Reputation: 9660

How about "separating the concerns"? The LDAP should be responsible of storing user information and supporting authentication , i.e. deciding if the user is indeed who s/he claims to be. Roles, however, differ from application to application, because they authorize known users to perform various activities.

It is probably a better idea to let each application manage their own set of roles and map the authenticated users to roles and activities/permissions according to the app's needs.

Set up this way your LDAP can be used for several apps. If you want to store role information in the LDAP, you would need another LDAP if you write a new app. Or your LDAP will get quite complex in time.

Defining groups in an LDAP is of course useful if you can expect a collection of users playing the same role in a set of applications. Then your apps can link their roles to user groups, not just to individual users. But the principle remains the same.

Upvotes: 0

Sam Corder
Sam Corder

Reputation: 5422

This type of thing is better handled using groups. If you couple it with the referential integrity module and the module that maintains the membership data on the user object it will give you the same benefit in a more standard way.

Upvotes: 1

Related Questions