Is LDAP a good idea?

Peter Morris

A customer wants to use LDAP for managing permissions on a software app I am
helping to write. I am not familiar with LDAP but my basic understanding is
that it will allow me to specify groups and users, and then assign groups to
users to give them certain permissions.

A concern I have though lies in one of the requirements. A specific user or
group can be limited to editing an explicit list of items (of which there
are hundreds, maybe thousands). If I weren't using LDAP I could easily
manage users + groups in my DB and have a foreign key relationship
identifying which items a user can edit, but if LDAP stores the permissions
data instead of asking my app for it then how can it possibly know about the
individual items in order to grant/deny access?

Is LDAP not a suitable tool for this solution, or am I able to get it to use
an API of some kind so that it can read/write data via an assembly I
provide?


Thanks
 
Tom Dacon

Peter, consider using LDAP to control overall access to the application
(i.e., is the user authorized to use the application at all), and then use
your database or other data store that you manage for fine-grained control
of editing permissions for individual items.

Or if your editable objects can be organized into a reasonably small number
of classes or groups, you might also use LDAP to grant access in a
role-based system of your own design. Then in your own database, or your
code, you can link the role to the individual items that a user in that role
can edit. The per-user role assignments could reside in the LDAP data store,
but the fine-grained control would still reside outside LDAP.

Tom Dacon
Dacon Software Consulting
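
The split described in the reply above, as an added example that is not part of the original thread: group membership comes from the directory, and the per-item edit list stays in the application's own database. Python with SQLite stands in for the app and its DB; the group DNs, role names, table names and the simple lowercase DN comparison are all assumptions, and the `member_of` list is constructed rather than read from a live LDAP server.

```python
import sqlite3

# Constructed mapping from LDAP group DN to application role (hypothetical names).
GROUP_TO_ROLE = {
    "cn=app-users,ou=groups,dc=example,dc=com": "user",
    "cn=catalog-editors,ou=groups,dc=example,dc=com": "catalog_editor",
}

def roles_from_groups(member_of):
    """Map group DNs returned by the directory to application roles.
    Groups the app does not know about grant nothing (default deny)."""
    roles = set()
    for dn in member_of:
        role = GROUP_TO_ROLE.get(dn.strip().lower())
        if role:
            roles.add(role)
    return roles

def open_db():
    """Application-owned store: which role may edit which item."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        PRAGMA foreign_keys = ON;
        CREATE TABLE item (id INTEGER PRIMARY KEY, name TEXT NOT NULL);
        CREATE TABLE role_item (
            role TEXT NOT NULL,
            item_id INTEGER NOT NULL REFERENCES item(id) ON DELETE CASCADE,
            PRIMARY KEY (role, item_id));
        INSERT INTO item VALUES (1, 'Widget'), (2, 'Gadget'), (3, 'Gizmo');
        INSERT INTO role_item VALUES ('catalog_editor', 1), ('catalog_editor', 2);
    """)
    return db

def can_edit(db, member_of, item_id):
    roles = roles_from_groups(member_of)
    if "user" not in roles:          # coarse gate: allowed into the app at all?
        return False
    fine = sorted(roles - {"user"})  # roles that carry item-level grants
    if not fine:
        return False
    marks = ",".join("?" * len(fine))
    row = db.execute(
        f"SELECT 1 FROM role_item WHERE item_id = ? AND role IN ({marks}) LIMIT 1",
        [item_id, *fine]).fetchone()
    return row is not None           # no matching row means no access
```
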
 
Peter Morris

Hi Tom

Thanks for your reply! In your opinion then is it impossible to plug into
LDAP in some way to make it aware of the data?


Regards
 
Tom Dacon

Peter, I can't say that for sure, so I don't want to wave you off, in case
there might be something I'm missing or don't know about.

I haven't personally done any LDAP since the late Visual Studio 6 days, so I
can't comment on what resources .Net gives us. Hopefully this thread will
draw attention from someone who's using it with .Net.

Tom
 
Tom Dacon

You might try Microsoft newsgroups with the string "adsi" in them, such as
microsoft.public.adsi.general.

Good luck,
Tom
 
