Role-based security implementation in LDAP

Date: 2024-05-10
This article presents an approach to role-based security implementation in LDAP; it may serve as a useful reference for anyone facing the same problem.

Problem description

I'm working on role-based security implementation in LDAP and Java. Specifically, I have the following objects that I need to represent in LDAP:

• Users
• Enterprise user groups - HR, Finance, etc.
• Permissions - DOCUMENT_READ, DOCUMENT_MODIFY, etc.
• Roles - ADMIN, GUEST, etc.

Roles are basically groups of permissions, and they can be assigned to a user or to a group of users.

I was thinking of representing them in LDAP as follows:

• Users - the Person and uidObject classes with a userPassword attribute.
• User groups - the organizationalUnit class, under which the users are located.
• Roles - the groupOfNames object class.
• Permissions - not sure about this one, perhaps the groupOfNames class as well.

The idea is to have quick access from a user or a group to a list of roles that this user or group has. I know that I can put users and groups in the "member" attribute of a role, but then I will have to scan all roles to find which ones have this user listed. Is there a way to have something like the "member" attribute in a Person object?

Generally, does anyone know of a good role-based security implementation in LDAP? I could not find good documentation or tutorials on this subject. I'm using ApacheDS as an LDAP server currently, but I'm open to suggestions.

Recommended answer

Users: inetOrgPerson

Collections: organizationalUnit, but beware of trying to replicate your organizational structure in your LDAP directory: this is usually a mistake, as organizations change and users move around the organization. You should consider using the ou attribute.

Roles: organizationalRole. I used groups of roles as groupOfUniqueNames, but that was a mistake; I should have kept using organizationalRole so that roles are simply recursive.

Permission: this is just a role really, or an attribute of a role. If you use CMA, they are defined in web.xml, not LDAP.

As I said, don't try to make your LDAP tree mirror your organization. Make it mirror its own organization. I use multiple-valued attributes wherever necessary. I use organizationalUnit mainly for layers within LDAP itself, or where I have broken my rules above ;-)

OpenLDAP has a referential integrity overlay which can keep a lot of this straight for you.

There are some very good hints on LDAP structure in Mastering OpenLDAP by Matt Butcher, and a higher level view of it all in Understanding and Deploying LDAP Directory Services by Howes et al.
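As an added example (not code from the original question or answer), the following Python models the layout the answer recommends: inetOrgPerson users and organizationalRole entries whose roleOccupant values name either a user DN or another role DN, so permission roles such as DOCUMENT_READ are occupied by the ADMIN role and resolve recursively. It answers the asker's "scan all roles" worry with a reverse index, which is what an indexed (roleOccupant=<dn>) search or a memberOf-style overlay gives you server-side. The LDIF, DNs and function names are constructed for illustration.

```python
import re
from collections import defaultdict
# Constructed sample LDIF (not from the original post): users are inetOrgPerson,
# roles and permissions are organizationalRole, and a roleOccupant value names
# either a user DN or another role DN, so the ADMIN role occupies DOCUMENT_*.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
objectClass: inetOrgPerson

dn: cn=ADMIN,ou=roles,dc=example,dc=com
objectClass: organizationalRole
roleOccupant: uid=alice, ou=people, dc=example, dc=com

dn: cn=DOCUMENT_READ,ou=roles,dc=example,dc=com
objectClass: organizationalRole
roleOccupant: cn=ADMIN,ou=roles,dc=example,dc=com

dn: cn=DOCUMENT_MODIFY,ou=roles,dc=example,dc=com
objectClass: organizationalRole
roleOccupant: cn=ADMIN,ou=roles,dc=example,dc=com
"""
def norm_dn(dn):
    """Normalize a DN for comparison: lowercase, no whitespace around commas."""
    return re.sub(r"\s*,\s*", ",", dn.strip()).lower()

def occupant_index(ldif_text):
    """Reverse index occupant DN -> {role DNs} from simple LDIF (objectClass listed
    before roleOccupant): the view a (roleOccupant=<dn>) search or memberOf overlay gives."""
    index, current, is_role = defaultdict(set), None, False
    for line in ldif_text.splitlines():
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            current, is_role = norm_dn(value), False
        elif attr == "objectclass" and value.lower() == "organizationalrole":
            is_role = True
        elif attr == "roleoccupant" and is_role:
            index[norm_dn(value)].add(current)
    return index

def effective_roles(index, user_dn):
    """Every role DN reachable from user_dn through nested roleOccupant links;
    the visited set stops an infinite loop if two roles occupy each other."""
    visited, queue = set(), [norm_dn(user_dn)]
    while queue:
        for role_dn in index.get(queue.pop(), ()):
            if role_dn not in visited:
                visited.add(role_dn)
                queue.append(role_dn)
    return visited
```

Against a live server the same lookup is one indexed search per hop, e.g. base ou=roles with filter (roleOccupant=<user DN>), repeated for each role DN found until no new roles appear.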
