1

I configured an LDAP server on my Linux machine and created users/groups as required. I have different groups like: admin/managers/executive/developers/users/clients.

Now I have around 10 different applications in PHP/Java running on a live server. How can I configure things so that some applications can only be accessed or edited by a specific group's users? For example, if user A is from the group Admin, he is allowed to access some pages/functions and can edit as well, while a client or user has limited access (can only view some pages), and a Developer can edit the information too.

Maybe a silly question, I know: is which group to authenticate (login process) at the application level set at the application server level (Apache in PHP)?

Sarz
  • 127
  • 1
  • 10

1 Answer

0

This question is quite old but I'll give my experience.

Use LDAP for authentication, not for authorization. This means that the PHP app should authenticate a user against the LDAP server and grant authorization based on internal policies (validated against groups the user may be in, for instance). Most web frameworks out there should provide a wide variety of LDAP authentication libraries. This way, authorization is decentralized and simplified in the medium/long term.

In the case of an application run directly on a client machine, note that LDAP will preserve POSIX groups, and the following question could help: How can I restrict program access to other users?

abstrus
  • 151
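
The split described in the answer above, as an added PHP sketch that is not part of the original answer: LDAP verifies the password and reports group membership, while the allow/deny decision comes from a policy table inside the application. The server URI, base DNs, the `posixGroup`/`memberUid` layout, the action names and the helper names `ldapLogin` and `can` are assumptions; it also assumes the bound user is allowed to read group entries.

```php
<?php
// Constructed values: host, base DNs and the policy table are assumptions.
const LDAP_URI   = 'ldaps://ldap.example.internal';
const USER_BASE  = 'ou=people,dc=example,dc=com';
const GROUP_BASE = 'ou=groups,dc=example,dc=com';
// Application-side policy: group => allowed actions. Anything not listed is denied.
const POLICY = [
    'admin'      => ['view', 'edit'],
    'developers' => ['view', 'edit'],
    'users'      => ['view'],
    'clients'    => ['view'],
];

// Authenticate against LDAP; return the user's group names, or null on failure.
function ldapLogin(string $uid, string $password): ?array
{
    // An empty password makes a simple bind anonymous, and that bind succeeds.
    if ($password === '' || !preg_match('/^[a-z0-9._-]{1,64}$/i', $uid)) {
        return null;
    }
    $ldap = ldap_connect(LDAP_URI);
    if ($ldap === false) { return null; }
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
    $dn = 'uid=' . ldap_escape($uid, '', LDAP_ESCAPE_DN) . ',' . USER_BASE;
    if (!@ldap_bind($ldap, $dn, $password)) {
        return null; // bad credentials or directory unreachable: fail closed
    }
    // LDAP only reports membership; the decision is made by can() below.
    $filter = '(&(objectClass=posixGroup)(memberUid='
        . ldap_escape($uid, '', LDAP_ESCAPE_FILTER) . '))';
    $groups = [];
    $res = ldap_search($ldap, GROUP_BASE, $filter, ['cn']);
    if ($res !== false) {
        $entries = ldap_get_entries($ldap, $res);
        for ($i = 0; $i < $entries['count']; $i++) {
            $groups[] = strtolower($entries[$i]['cn'][0]);
        }
    }
    ldap_unbind($ldap);
    return $groups;
}

// Deny by default: true only if one of the user's groups lists the action.
function can(array $groups, string $action): bool
{
    foreach ($groups as $g) {
        if (in_array($action, POLICY[$g] ?? [], true)) { return true; }
    }
    return false;
}
```

A login handler would store the result of `ldapLogin()` in the session and call `can($groups, 'edit')` before each protected page or function; a group that exists in the directory but not in `POLICY` gets no access.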