
LDAP: Web Apps and RBAC


The way I understand it, one of the ways LDAP works is that, and correct me if I am wrong, a user can sign into it from his computer and access a bunch of web applications provided he has the permission to do so and the credentials match.

I am creating a web application and I want to configure it with LDAP. So, I should, based on my client, make use of the LDAP API and ensure that he has the required permission to do so. Then

  • Does LDAP also provide me with WHO it is that is logging into my web app? In this case, I can communicate with my RBAC and figure out what permissions he has.
  • Also, does LDAP communicate his username and password to my web app in plain text format?
  • How is it that my web app can ensure he is who he claims to be (cross-check his username and password)? HTTPS helps in case of plaintext password communication, but is it really that secure?

Solution

  • You are mixing up several things.

    • Authentication is different from authorization
      • Authentication is about proving something about someone, typically proving someone's identity. I am Bob because I know my username and password.
      • Authorization is about determining what level of access you will grant Bob. There are different authorization (access control) paradigms. RBAC and ABAC are two of the most prevalent ones. RBAC uses roles, groups, and permissions to determine whether a user should get access. ABAC uses attributes and policies.
    • LDAP is not an authentication mechanism, nor is it an authorization mechanism. LDAP is a user directory. It contains information about users, typically their username, full name, email, password, group memberships, role information, etc. There are standardized LDAP objects, e.g. inetOrgPerson.

    Applications (any type of applications) use different authentication techniques. In the Java web world, there is something called JAAS.

    The Java Authentication and Authorization Service (JAAS) is a set of application program interfaces (APIs) that can determine the identity of a user or computer attempting to run Java code, and ensure that the entity has the privilege or permission to execute the functions requested... (Wikipedia)

    In .NET, you have a framework called WCF which has a dedicated section on security.

    With that in mind, let's get back to your question. If you have a Java web-app and you use LDAP as a user directory, then you will most likely be achieving the integration between your app and LDAP via JAAS.

    Will LDAP send your app the password? NOOOOOOOO never, that would be a terrible idea. Hopefully, by the way, your LDAP does not store the password in the clear. Typically passwords would be one-way encrypted (hashed), i.e. it is impossible to retrieve the value of the password from the encrypted value.

    So, what can LDAP (via JAAS) tell you?

    • whether the username/password combination is valid
    • what roles the user has
    • what groups the user has
    • and optionally more. Once you know the user's ID (or in LDAP lingo the DN), you can query LDAP for more attributes.

    One last thing. Usually authentication (and authorization) are not directly handled by the application but rather by the application's container. If you write a Java web-app, odds are that you will run it inside Apache Tomcat. Tomcat comes with JAAS and has native integration with Tomcat's internal user store as well as others (e.g. LDAP again or a database).

    So your first question should be: what language am I writing the app in? How will I run it? Do I get anything for free?

    Here is an old Oracle tutorial on securing Java web-apps.
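As an added example (not part of the question or answer above), this is what the bind-then-search flow the answer describes looks like in plain Java with JNDI, without JAAS or a Tomcat realm: the app binds to the directory as the user, so the directory only accepts or rejects the password and never hands it back, and then asks for the user's group memberships to feed into RBAC. The `ldaps://` URL, the `ou=people` / `ou=groups` layout and the `uid=` naming are assumptions.

```java
import java.util.HashSet;
import java.util.Hashtable;
import java.util.Set;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

public class LdapLogin {
    // Assumed host and directory layout; placeholders, not values from the page.
    static final String LDAP_URL = "ldaps://ldap.example.com:636";
    static final String USER_BASE = "ou=people,dc=example,dc=com";
    static final String GROUP_BASE = "ou=groups,dc=example,dc=com";

    /** Bind as the user (authentication), then return the cn of every group that
     *  lists the user as a member (input for authorization). The directory never
     *  returns the password; it only accepts or rejects the bind. Null = login failed. */
    static Set<String> loginAndGetGroups(String uid, char[] password) {
        // An empty password turns a simple bind into an anonymous bind, which many
        // servers accept, so refuse it here; the uid whitelist keeps the value from
        // altering the DN or the search filter built below.
        if (password.length == 0 || !uid.matches("[A-Za-z0-9._-]{1,64}")) return null;
        String userDn = "uid=" + uid + "," + USER_BASE;
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, LDAP_URL);          // ldaps:// so the bind is encrypted
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, userDn);
        env.put(Context.SECURITY_CREDENTIALS, new String(password));
        try {
            DirContext ctx = new InitialDirContext(env); // throws if the password is wrong
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
            sc.setReturningAttributes(new String[] {"cn"});
            String filter = "(&(objectClass=groupOfNames)(member=" + userDn + "))";
            Set<String> groups = new HashSet<>();
            NamingEnumeration<SearchResult> results = ctx.search(GROUP_BASE, filter, sc);
            while (results.hasMore()) {
                groups.add((String) results.next().getAttributes().get("cn").get());
            }
            ctx.close();
            return groups; // hand these to the app's RBAC layer for role mapping
        } catch (NamingException e) {
            return null;   // bad password, unknown user, or directory unreachable
        }
    }
}
```

The group search reuses the user's own bound session, so no separate service account is needed as long as users are allowed to read group entries.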