2

I'm trying to add a custom attribute to my openldap structure, to store the role for each user for later handling of my spring web application users.

There are only 3 roles: admin, manager and viewer. Is it possible to add any rule for this?

And how to fix the below mentioned error?

# CUSTOM ATTRIBUTE
dn: cn=schema,cn=config
changeType: modify
add: attributeTypes
attributeTypes: (
  2.25.128424792425578037463837247958458780603.1
  NAME 'role'
  EQUALITY caseIgnoreMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
  SINGLE-VALUE
 )
-
add: objectClasses
objectClasses: (
  2.25.128424792425578037463837247958458780603.2
  NAME 'rolePerson'
  SUP person
  AUXILIARY
  MUST ( role )
 )

# USERS
dn: ou=people,dc=ubuntu,dc=local
objectClass: organizationalUnit
ou: people

dn: cn=demo_admin,ou=people,dc=ubuntu,dc=local
objectClass: rolePerson
userPassword: {MD5}fe01ce2a7fbac8fafaed7c982a04e229
uid: demo
cn: demo
sn: demo
role: admin

Output of ldapadd -x -W -D "cn=admin,dc=ubuntu,dc=local" -f roleuser.ldif:

modifying entry "cn=schema,cn=config"
ldap_modify: Invalid syntax (21)
    additional info: attributeTypes: value #0 invalid per syntax
Improve this question

2 Answers 2

Reset to default
1

This type of thing is better handled using groups. If you couple it with the referential integrity module and the module that maintains the membership data on the user object it will give you the same benefit in a more standard way.

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

0

How about "separating the concerns"? The LDAP should be responsible of storing user information and supporting authentication , i.e. deciding if the user is indeed who s/he claims to be. Roles, however, differ from application to application, because they authorize known users to perform various activities.

It is probably a better idea to let each application manage their own set of roles and map the authenticated users to roles and activities/permissions according to the app's needs.

Set up this way your LDAP can be used for several apps. If you want to store role information in the LDAP, you would need another LDAP if you write a new app. Or your LDAP will get quite complex in time.

Defining groups in an LDAP is of course useful if you can expect a collection of users playing the same role in a set of applications. Then your apps can link their roles to user groups, not just to individual users. But the principle remains the same.

Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.