Modeling RBAC actors using LDAP (Core X.5xx)

Posted by Tetsujin no Oni on Server Fault See other posts from Server Fault or by Tetsujin no Oni
Published on 2009-05-29T15:38:16Z Indexed on 2010/05/10 4:49 UTC
Read the original article Hit count: 454

Mirrored from stackoverflow...

When implementing an RBAC model using an LDAP store (I'm using Apache Directory 1.0.2 as a testbed), some of the actors are obviously mappable to specific objectClasses:

Resources - I don't see a clear mapping for this one. applictionEntity seems only tangentially intended for this purpose Permissions - a Permission can be viewed as a single-purpose Role; obviously I'm not thinking of an LDAP permission, as they govern access to LDAP objects and attributes rather than an RBAC permission to a Resource Roles - maps fairly directly to groupOfNames or groupOfUniqueNames, right? Users - person In the past I've seen models where a Resource isn't dealt with in the directory in any fashion, and Permissions and Roles were mapped to Active Directory Groups.

Is there a better way to represent these actors? How about a document discussing good mappings and intents of the schema?

© Server Fault or respective owner

Related posts about ldap

Related posts about rbac