I'm a newbie with LDAP but kind of getting thrown in. We're using OpenLDAP. Trying to wrap my head around the best practices for designing my directory (or directories).
We have 4 or 5 apps that we want to use LDAP with. For each of these apps we've been maintaining security inside the app for years; now we want to migrate. Most have User and Group security, and this is where I'm stuck on how to design the LDAP to fit:
- should we have 1 generic LDAP that fits all apps, or is it better to set up separate LDAPs for each app? (there are different admins maintaining security for each app)...or is it best to have multiple branches? It seems to me that with the varying requirements of each app a separate LDAP for each would make sense, and in order to provide easy access to the LDAPs for lower-level admins to maintain, a separate server would be easiest...(?) Perhaps with the admin thing I'm missing something about just having the right client tool to allow access to some areas (branches) but not all (???).
Basically I'm trying to decide Multiple LDAPs, or One. One Branch, or Many...
- how to set up the Groups? Our LDAP will contain Employees; some have access to some apps, and others do not. How to best set up this access? I am also struggling with Groups. Inside our apps we have security groups to control access...I'm not sure if LDAP should be used to control Groups or if this is best left to the App. If in LDAP, how (sample LDIF?) do we add a Group and then add users?
First of a few questions, I think...and I appreciate any advice...
Kevin
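Added example (not part of Kevin's post, and not a reply from the list): one way to lay out a single OpenLDAP directory with a shared people branch plus a per-app group branch, create a group, add a member to it later, and delegate write access on that branch to the app's own admins with an OpenLDAP access control rule. The suffix dc=example,dc=com, the app name app1, the users jdoe and asmith, and the database entry olcDatabase={1}mdb are all assumed for illustration; adjust them to your own suffix and backend.

```ldif
# --- Part 1: directory data (apply with ldapmodify -a as the rootdn) ---
# Added example; suffix, OU names and user names are assumed, not from the post.

# Base entry and the shared "people" branch that every app reads.
dn: dc=example,dc=com
objectClass: dcObject
objectClass: organization
dc: example
o: Example Corp

dn: ou=people,dc=example,dc=com
objectClass: organizationalUnit
ou: people

# One "groups" container, with a sub-branch per application so that
# each app's admins can be given write access to their branch only.
dn: ou=groups,dc=example,dc=com
objectClass: organizationalUnit
ou: groups

dn: ou=app1,ou=groups,dc=example,dc=com
objectClass: organizationalUnit
ou: app1

# Two employees. inetOrgPerson requires cn and sn; set the password
# afterwards with ldappasswd rather than storing it in the LDIF.
dn: uid=jdoe,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: jdoe
cn: Jane Doe
sn: Doe

dn: uid=asmith,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: asmith
cn: Alex Smith
sn: Smith

# A group. groupOfNames requires at least one member, so the first
# member goes in with the group itself. The app looks this group up
# (member attribute) to decide who is an app1 admin.
dn: cn=app1-admins,ou=app1,ou=groups,dc=example,dc=com
objectClass: groupOfNames
cn: app1-admins
member: uid=jdoe,ou=people,dc=example,dc=com

# Adding a user to an existing group is a modify, not an add:
# append another member value to the group's member attribute.
dn: cn=app1-admins,ou=app1,ou=groups,dc=example,dc=com
changetype: modify
add: member
member: uid=asmith,ou=people,dc=example,dc=com

# --- Part 2: delegation (apply separately against cn=config, e.g.
#     ldapmodify -Y EXTERNAL -H ldapi:/// as root) ---
# Inserted at position {0} so it is evaluated before any catch-all rule.
# Members of cn=app1-admins may write anywhere under ou=app1 (create groups,
# change memberships); other authenticated users can read it; anonymous gets
# nothing. The database DN {1}mdb is an assumption; check with
#   ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config olcDatabase=* dn
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to dn.subtree="ou=app1,ou=groups,dc=example,dc=com"
  by group.exact="cn=app1-admins,ou=app1,ou=groups,dc=example,dc=com" write
  by users read
  by * none
```

Save the two parts as separate files: part 1 goes in with `ldapmodify -a -x -D cn=admin,dc=example,dc=com -W -f part1.ldif` (the `-a` lets records without a `changetype` be treated as adds while the last record is honoured as a modify), and part 2 needs a bind that can write `cn=config`. Verify the delegation afterwards by binding as uid=asmith and trying to add a group under ou=app1 (should succeed) and under ou=people (should be refused). The point of the layout is that one directory with per-app branches plus ACLs gives each app's admin team its own area to maintain without running a separate server per app, while the apps still share a single set of employee accounts.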