I am developing a web application and I have a requirement to use LDAP for authentication / authorization purposes.
I have limited experience with LDAP and I would like to understand how one goes about defining models, or using existing models if any are established to store authorization information in an LDAP server. By looking at various LDAP servers it seems to me that although authentication is handled, more or less, in the same way, authorization is LDAP server-specific, and perhaps even application-specific.
For instance I've seen an Oracle Internet Directory model where groups are used to indicate roles and a group's users appeared as a multiple-value attribute in that group's (i.e. role's) entry. I've also seen models where the symmetric method is used in a Microsoft Active Directory installation, i.e. the groups and permissions a user belongs to are indicated as a multiple-value attribute in the user's entry. So my questions are:
[1] are there any established/prominent models on how to organize authorization information on an LDAP server?
[2] if such exist can I then rely on existing tools for managing roles, permissions and users? The idea being that I hand that tool over to the client's administrator without having to also develop a custom groups/roles/privileges/users management front-end module myself.
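To make the two layouts described in the question concrete, here is an added example (not code from the original post) that parses a small, constructed LDIF snippet containing both models side by side: `groupOfNames` entries that list their members in a multi-valued `member` attribute (the group-centric layout), and user entries that carry a multi-valued `memberOf` attribute (the user-centric layout). It resolves a user's roles each way and then reports users for whom the two views disagree, which is the case an application has to decide about when `memberOf` is not maintained by the server itself. The DNs, role names and the drift for `carol` are all invented for the example; the LDIF reader is deliberately minimal (no base64 values or line continuations).

```python
from collections import defaultdict

# Constructed sample LDIF (not taken from any real directory): group-centric
# groupOfNames entries alongside user-centric memberOf attributes. The two
# views are deliberately inconsistent for carol to show the drift check.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: alice
memberOf: cn=app-admin,ou=roles,dc=example,dc=com
memberOf: cn=app-user,ou=roles,dc=example,dc=com

dn: uid=bob,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: bob
memberOf: cn=app-user,ou=roles,dc=example,dc=com

dn: uid=carol,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: carol
memberOf: cn=app-admin,ou=roles,dc=example,dc=com

dn: cn=app-admin,ou=roles,dc=example,dc=com
objectClass: groupOfNames
cn: app-admin
member: uid=alice,ou=people,dc=example,dc=com

dn: cn=app-user,ou=roles,dc=example,dc=com
objectClass: groupOfNames
cn: app-user
member: uid=alice,ou=people,dc=example,dc=com
member: UID=bob,OU=people,DC=example,DC=com
"""


def normalize_dn(dn):
    """Canonical form for comparing DNs: lower-case, no whitespace around commas."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def parse_ldif(text):
    """Minimal LDIF reader: entries separated by blank lines, 'attr: value'
    lines, multi-valued attributes kept as lists. Keys are normalized DNs."""
    entries = {}
    current = None
    for line in text.splitlines():
        if not line.strip():
            current = None
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            current = defaultdict(list)
            entries[normalize_dn(value)] = current
        elif current is not None:
            current[attr].append(value)
    return entries


def roles_from_groups(entries, user_dn):
    """Group-centric model: collect every groupOfNames entry whose 'member'
    attribute lists the user (the layout the question saw in OID)."""
    user = normalize_dn(user_dn)
    return sorted(
        dn for dn, e in entries.items()
        if "groupofnames" in (c.lower() for c in e.get("objectclass", []))
        and user in {normalize_dn(m) for m in e.get("member", [])}
    )


def roles_from_user(entries, user_dn):
    """User-centric model: read the user's own multi-valued 'memberOf'
    attribute (the layout the question saw in Active Directory)."""
    e = entries.get(normalize_dn(user_dn), {})
    return sorted(normalize_dn(m) for m in e.get("memberof", []))


def membership_drift(entries):
    """Users whose memberOf claims differ from what the group entries say.
    If memberOf is not server-maintained, this is exactly the inconsistency
    an application should detect rather than trust one side blindly."""
    drift = {}
    for dn, e in entries.items():
        if "memberof" in e:
            claimed = set(roles_from_user(entries, dn))
            actual = set(roles_from_groups(entries, dn))
            if claimed != actual:
                drift[dn] = {"claimed_only": sorted(claimed - actual),
                             "group_only": sorted(actual - claimed)}
    return drift


if __name__ == "__main__":
    directory = parse_ldif(SAMPLE_LDIF)
    for uid in ("alice", "bob", "carol"):
        dn = f"uid={uid},ou=people,dc=example,dc=com"
        print(uid, roles_from_groups(directory, dn), roles_from_user(directory, dn))
    print("drift:", membership_drift(directory))
```

The two resolvers return the same role list for `alice` and `bob`, while `carol` claims `app-admin` via `memberOf` but is absent from that group's `member` list; `membership_drift` surfaces that so the application can pick the authoritative side (normally the group entries, since that is what most servers actually enforce) instead of granting a role on the strength of a user-side attribute alone.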
Other than groups there are no "patterns" that are consistent across LDAP server implementations.
RBAC covers the theory of Role Based Access Control, but the implementations vary widely across implementations.
-jim