On 08/02/2018 at 16:03, damian.ba...@t-systems.com wrote:
> Hello All,
>
>
> I'm Damian Baran and I work for T-Systems. I don't have a lot of experience
> with LDAP, just basic knowledge. I have set up my own local testlab with
> Apache DS as LDAP server, Apache Directory Studio as LDAP browser and some
> local instances of tools we use in our company. During this exploration I got
> the idea that most of the "digital tools" out there use a user/group/role
> permission model. What I don't understand is why these tools don't support
> such deep LDAP integration? Why can't you just manage users, groups, roles
> and permissions in one place in LDAP and just configure the tool to retrieve this
> data from LDAP?
Probably because everybody likes to reinvent the wheel ;-)
>
>
> BTW I don't know if LDAP has such possibilities to fully take over
> management of users, groups, roles and permissions for different tools (web
> apps). Do you have some experience with that?
Actually, managing entities like user/group/roles is well defined by
RBAC (Role-Based Access Control:
https://en.wikipedia.org/wiki/Role-based_access_control).
The Apache Directory Fortress project is a Java API that relies on LDAP
to store its data, and the API offers everything you might want to do
wrt user/group/permissions.
Also note that user/group/permission is an operating system concept, and
it's really limited. There is nothing, for instance, related to
expiration, delegation, etc, which are parts of user management.
Shawn might want to add something to what I wrote (he is the man behind
Fortress).
Hope it helps.
--
Emmanuel Lecharny
Symas.com
directory.apache.org