Subject Re: User name SYSDBA
Author johnson_dave2003
> How would the authorization look in your case? Would admin be required
> to define permissions for each database object in LDAP (e.g.
> permission to select from some table)? Or would it go in the direction
> of role or group, where actual grants are stored in the database? If
> former, does this concept really belong to the LDAP? If latter - isn't
> it part of the PAM concept (sorry, I actually know only JAAS - there
> it is)?
> Roman

LDAP requires a backing store, which can be a relational database.

LDAP divorces knowledge of authorization from the database. "Grants"
and such are implemented in LDAP terms instead of SQL terms. The
application database does not know, in and of itself, what authority a
user has. It delegates that knowledge to the LDAP implementation.

If LDAP is selected as the installation's security platform of choice,
users have zero authority on any database object until requests are
authorized by the LDAP implementation. At the crudest level, this can
be implemented as a lookaside to the LDAP server on every action.
Needless to say, this would be painfully slow.

More realistically, authorities can be loaded and cached when
connections are made, and possibly refreshed at regular intervals. A
HashMap is a natural fit for caching authorities. On the surface, at
the interface/API level, both a lookaside to the server and a
lookaside to cached data would look the same. However, a cached
lookaside would absolutely be required for any serious security
framework. It would be fun to implement in Java, but I suspect it
would be a pain to implement in C.

Let me try again in pseudocode ... it's more clear this way.

class Authority extends Object;

class Authorizations implements Map <Authority>
private final Map contents <Authority>;

// standard Map methods wrapping the contents ...

// This ties the Authorizations to the backing store (LDAP or RDBMS)
public static forName (String _username)

load user's Authority instances from security database/LDAP
return newly created Authorizations map.

public static Object keyFor (Action _action, Row _row, int Column)
// compute a key for action, row, and column
// this may be optimized by using bit fields, making
// the "Map" that logically backs this a simple array

class UserSession extends Object
private final Authorizations authorizations;

UserSession (String _userName)
authorizations = Authorizations.forName (_userName);

public boolean lookasideForAuthority (Action _action, Row _row,
int Column)
return (authorizations.get(Authorizations.keyFor (_action,
_row, _column)) != null;