Writing Access Control Policies for LDAP
Access control systems vary from one LDAP server to the next. All of them can implement simple policies, but it may be necessary to design the DIT (Directory Information Tree) around the access control requirements. In more complex cases it is essential to choose a server with a very flexible access control language. There are a number of pitfalls in ACL design, and some requirements cannot be implemented by many of the commonly used server products.
This paper suggests an approach to designing and testing access control rules. It includes worked examples to illustrate some common use-cases.
This paper was first presented at the UKUUG Spring Conference in March 2009.
The paper is available in PDF format.
The examples and test suites mentioned in the paper are available for download.
The slides are available too.
See my complete list of papers for more on LDAP and other directory systems.