We have a legacy system that uses a resource/action based authorization. Recently our company has decided to use an LDAP server as a repository for both Authentication and Authorization.

I haven't worked with LDAP servers before, but as far as I have learned we can define our schema for different objects. So I have searched the Net for a simple example of an implementation of a resource/action based authorization using LDAP and I haven't found anything (everybody is talking about users, groups and roles).

So two questions come to my mind:

LDAP for a resource-action based authorization (since I could not find a good example of how to do that)

PS: Our application is written in C#. Are there any good open source LDAP clients out there that we can use, or should we go with .Net DirectoryServices?
You can take a step back and look at the bigger access control / authorization use case. If you want to do resource-action based authorization, you can roll out ABAC, the attribute-based access control model.
ABAC is an evolution of RBAC and identity-centric authorization. It was designed by NIST, the same organization that standardized RBAC.
With ABAC, your LDAP server becomes a source of attributes. An attribute is simply a key-value pair. The benefit of using ABAC in your case is that you do not need to extend or change your LDAP schema.
With ABAC, you achieve the following benefits:
You can express the following scenarios in ABAC:
XACML, the eXtensible Access Control Markup Language implements ABAC. You can read more on XACML and ABAC here:
You will need to deploy an interceptor (policy enforcement point) in front of the applications you want to protect.
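To make the resource/action question and the ABAC answer above concrete, here is an added example (not code from the question, the answer, or any XACML product) of the three pieces the answer names: a policy information point that reads subject attributes from the directory, a policy decision point that evaluates resource/action rules over those attributes, and an enforcement point that sits in front of the protected operation. The LDAP server is stood in for by a constructed in-memory dictionary of standard inetOrgPerson attributes (uid, departmentNumber, title, memberOf) so it runs offline; in a real deployment that dictionary is replaced by an LDAP search. No schema extension is needed, because the policies are written over attributes the directory already holds. The combining logic (deny-overrides, default deny) is the part a practitioner most often gets wrong and is shown explicitly.

```python
"""Minimal attribute-based access control (ABAC) for resource/action requests.

Added example, not code from the page. The LDAP directory is simulated by a
constructed dictionary of subject attributes; a real policy information point
would perform an LDAP search and return the same kind of key-value map.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Constructed stand-in for LDAP entries: DN -> attribute map.
# Only standard inetOrgPerson attributes are used, so no schema change is needed.
LDAP_DIRECTORY: Dict[str, dict] = {
    "uid=alice,ou=people,dc=example,dc=com": {
        "uid": "alice", "departmentNumber": "finance", "title": "manager",
        "memberOf": ["cn=auditors,ou=groups,dc=example,dc=com"],
    },
    "uid=bob,ou=people,dc=example,dc=com": {
        "uid": "bob", "departmentNumber": "engineering", "title": "developer",
        "memberOf": [],
    },
}


def lookup_subject(uid: str) -> Optional[dict]:
    """Policy information point: return the subject's attributes, or None if unknown."""
    for attrs in LDAP_DIRECTORY.values():
        if attrs["uid"] == uid:
            return attrs
    return None


@dataclass
class Request:
    subject: dict      # attributes fetched from the directory
    resource: dict     # attributes of the thing being accessed
    action: str        # e.g. "read", "write", "delete"


@dataclass
class Rule:
    name: str
    effect: str                           # "Permit" or "Deny"
    condition: Callable[[Request], bool]  # predicate over request attributes


# Resource/action policy expressed over attributes rather than role names.
POLICY: List[Rule] = [
    Rule("owner-manages-own-document", "Permit",
         lambda r: r.resource["type"] == "document"
         and r.resource["owner"] == r.subject["uid"]
         and r.action in {"read", "write", "delete"}),
    Rule("department-reads-department-docs", "Permit",
         lambda r: r.resource["type"] == "document"
         and r.action == "read"
         and r.resource["department"] == r.subject["departmentNumber"]),
    Rule("auditors-read-everything", "Permit",
         lambda r: r.action == "read"
         and "cn=auditors,ou=groups,dc=example,dc=com" in r.subject["memberOf"]),
    Rule("nobody-deletes-archived", "Deny",
         lambda r: bool(r.resource.get("archived", False)) and r.action == "delete"),
]


def decide(request: Request, policy: List[Rule] = POLICY) -> str:
    """Policy decision point using deny-overrides combining.

    Any applicable Deny rule wins outright; otherwise any applicable Permit
    rule permits; if no rule applies the answer is Deny (fail closed).
    """
    decision = "Deny"
    for rule in policy:
        if rule.condition(request):
            if rule.effect == "Deny":
                return "Deny"
            decision = "Permit"
    return decision


def enforce(uid: str, resource: dict, action: str) -> bool:
    """Policy enforcement point: resolve attributes, ask the PDP, return True only on Permit."""
    subject = lookup_subject(uid)
    if subject is None:
        return False  # unknown subject: never fall through to an allow
    return decide(Request(subject, resource, action)) == "Permit"


if __name__ == "__main__":
    doc = {"type": "document", "owner": "bob", "department": "engineering"}
    print("bob write own doc:", enforce("bob", doc, "write"))     # True
    print("alice read eng doc:", enforce("alice", doc, "read"))   # True via auditors
    print("alice write eng doc:", enforce("alice", doc, "write")) # False
```

Ordering of rules does not matter for the outcome because of deny-overrides: an archived document cannot be deleted even by its owner, and an unknown uid is refused before any rule is consulted.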