October 15th, 2009, 01:17 PM
Application Permissions with LDAP
Hello, I'm new to LDAP so I need some help with best practices. We have LDAP set up to support single sign on for our internet applications we are developing at work. What we want to do is set up user permissions so that certain people can only see certain things in each application. What is the best way of doing this in LDAP? Is there a way to set up groups or something like that?
October 21st, 2009, 08:38 AM
yea, it must be specify gid's for those uid's
October 22nd, 2009, 03:24 PM
A best practice would be to only use LDAP Groups when your planning to support less than 5000 uniquemembers in any one group. If your group membership will be greater than 5000 then use a database for authorization. if your going to have more than one ldap group used to authorize users do not exceed 200 users per group and do not exceed 40 groups for any one application. To exceed either of these limits will severely decrease performance of the LDAP group searches. If you need to exceed 40 groups and more than 200 members per group then use an LDAP attribute for authorization and do not search the groups for membership. The attribute 'memberOf' or 'isMemberOf' is usually populated with the DN of the groups in which the user is a uniquemember.