Hi,

I'm looking for the best way to provide authorization, authentication, and auditing to web services. I'll be using a web service gateway appliance deployed to the DMZ, and there will be an LDAP instance as a user store behind the firewall. How should it be built?

Cheers

KA

Update: As pointed out in an answer below, LDAP isn't ideal for auditing. We're now looking at a call to our CRM system for this function as we can audit the usage by customer.

+4  A: 

Authentication is fairly standard. When trying to verify a username and password, first bind as a user with the privilege of seeing all users, and search for an entry with the provided username in the appropriate field (probably "uid"). Once you've found the entry, get its DN and try to bind as that entry using the supplied password.

Authorization is usually handled with either "dynamic groups", where you have a multi-valued attribute in each user object that says what privileges the user has, or using "static groups" where you have objects of a class resembling "groupOfNames" and stick the DNs of all members into the "member" attribute.

Do auditing however you like. LDAP is probably not the best way to save audit data. You could stick it in a database if you like, or just use syslog.

Glomek
Cool, great info. Thanks! How are subsequent calls handled? Through a token?
Kaiser Advisor
That's up to the programmer. You could go all the way back to LDAP every time (if you have sufficiently low volume/powerful LDAP servers), or you could cache results. You could cache within sessions, or you could have a global permission cache. What's best will depend on the rest of your app.
Glomek
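The search-then-bind authentication and the static-group check described in this answer, as an added Python example that is not part of the original post. The in-memory `Directory`, the service-account DN and every entry are constructed stand-ins for a real LDAP server; the filter escaping follows RFC 4515 so the supplied username is matched literally rather than as filter syntax.

```python
import re

SERVICE_DN = 'cn=svc-gateway,ou=system,dc=example,dc=com'  # assumed gateway service account
SERVICE_PW = 'svc-secret'                                   # constructed value

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: user input is matched literally, never as filter syntax."""
    return ''.join('\\%02x' % ord(c) if c in '\\*()\x00' else c for c in value)

def _unescape(value: str) -> str:
    return re.sub(r'\\([0-9a-fA-F]{2})', lambda m: chr(int(m.group(1), 16)), value)

class Directory:
    """Constructed in-memory stand-in for an LDAP server: DN -> multi-valued attributes."""
    def __init__(self, entries):
        self.entries = entries

    def search(self, filt):
        """Evaluate one (attr=value) equality filter; an unescaped '*' is a wildcard."""
        m = re.fullmatch(r'\((\w+)=(.*)\)', filt)
        if not m:
            raise ValueError('unsupported filter: %r' % filt)
        attr, pattern = m.groups()
        rx = re.compile('^' + '.*'.join(re.escape(_unescape(p)) for p in pattern.split('*')) + '$')
        return [dn for dn, e in self.entries.items() if any(rx.match(v) for v in e.get(attr, []))]

    def bind(self, dn, password):
        """Simple bind succeeds only with a matching (constructed, plaintext) userPassword."""
        return password in self.entries.get(dn, {}).get('userPassword', [])

DIRECTORY = Directory({  # constructed sample data
    SERVICE_DN: {'userPassword': [SERVICE_PW]},
    'uid=alice,ou=people,dc=example,dc=com': {'uid': ['alice'], 'userPassword': ['alice-pw']},
    'uid=bob,ou=people,dc=example,dc=com': {'uid': ['bob'], 'userPassword': ['bob-pw']},
    'cn=ws-users,ou=groups,dc=example,dc=com': {'objectClass': ['groupOfNames'],
                                               'member': ['uid=alice,ou=people,dc=example,dc=com']},
})

def authenticate(directory, username, password):
    """Search-then-bind: return the user's DN on success, None otherwise."""
    if not password:
        return None  # RFC 4513: a DN with an empty password is an anonymous bind, not a login
    if not directory.bind(SERVICE_DN, SERVICE_PW):
        raise RuntimeError('service account bind failed')
    hits = directory.search('(uid=%s)' % escape_filter_value(username))
    if len(hits) != 1:
        return None  # no match, or an ambiguous one: refuse rather than guess
    return hits[0] if directory.bind(hits[0], password) else None

def is_member(directory, user_dn, group_dn):
    """Static-group authorization: is user_dn listed in group_dn's member attribute?"""
    return group_dn in directory.search('(member=%s)' % escape_filter_value(user_dn))
```

Swapping `Directory` for a real client (python-ldap or ldap3) keeps the same shape: service bind, escaped search on `uid`, bind as the returned DN, then a `member` lookup for authorization.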