
We have a legacy system that uses a resource/action based authorization. Recently our company has decided to use an LDAP server as a repository for both Authentication and Authorization.

I haven't worked with LDAP servers before, but as far as I have learned we can define our schema for different objects. So I have searched the Net for a simple example of an implementation of a resource/action based authorization using LDAP and I haven't found anything (everybody is talking about users, groups and roles).

So two questions come to my mind:

  1. Is it a good idea to use LDAP for a resource-action based authorization? (Since I could not find a good example of how to do that.)
  2. If yes, how can we implement it? (Any Google result would help :) )

PS: Our application is written in C#. Are there any good open source LDAP clients out there that we can use, or should we go with .Net DirectoryServices?

David Brossard
Beatles1692
  • Specifically, why would you ever define your own schema in LDAP? The customers typically use LDAP when they have an infrastructure and/or they have a management team (e.g. helpdesk) and they want to control access to your app by changing things in LDAP. So typically you would define e.g. group memberships or the like for authorization and just do a .Bind() on an LDAP Server with username/password for authentication. – zaitsman Mar 01 '15 at 10:31
  • I think this could be the answer to my first question :) – Beatles1692 Mar 01 '15 at 11:49

2 Answers

LDAP is very flexible and you can define whatever schema you want but it's not an obvious task.

I would say it's very suitable for your case, but I know of no default schema for that. Googling a bit, I found this RFC which might give you a starting point. Would that match what you need?

Regarding the .Net library: is it a "pure" LDAP server or an Active Directory server?
It seems DirectoryServices supports both, so I would stick with it. Note that for a pure LDAP server, you would have to connect using System.DirectoryServices.Protocols.LdapConnection.

SO entries like this one would probably be helpful too.

Hope this helps.

tgo
  • Thanks :) How can I search for other RFCs? – Beatles1692 Mar 01 '15 at 09:51
  • you can google with this `ldap site:www.rfc-base.org` but there is going to be a lot of noise ... I am familiar with LDAP but not `resource-action based authorization` per se. To be honest, users/groups looks good to me :) – tgo Mar 01 '15 at 10:03
You can take a step back and look at the bigger access control / authorization use case. If you want to do resource-action based authorization, you can roll out ABAC, the attribute-based access control model.

ABAC is an evolution of RBAC and identity-centric authorization. It was designed by NIST, the same organization that standardized RBAC.

With ABAC, your LDAP server becomes a source of attributes. An attribute is simply a key-value pair. The benefit of using ABAC in your case is that you do not need to extend or change your LDAP schema.

With ABAC, you achieve the following benefits:

  • you externalize the authorization logic to a central policy decision point
  • you express the authorization logic as policies instead of roles
  • the policies can use any attribute of the user, resource, action, and context

You can express the following scenarios in ABAC:

  • a user with the role==manager can do the action==edit on a document if the document.location==user.location

XACML, the eXtensible Access Control Markup Language implements ABAC. You can read more on XACML and ABAC here:

You will need to deploy an interceptor (policy enforcement point) in front of the applications you want to protect.

David Brossard