Greetings, I guess I will start off with a brief description of requirements. They are quite typical. A system should support a hierarchy of our customers. We have "companies", each company has "offices" and each office has "employees". Each employee has a set of permissions, either assigned directly or through roles. Both companies and offices may also be assigned permissions, either directly or through roles. If a company has a certain permission, then all offices of this company, and subsequently their employees, inherit this permission. In the same fashion, if an office has a certain permission assigned to it, then all employees of that office also inherit this permission.
After having read http://directory.apache.org/community%26resources/ldap-renaissance.html and http://support.novell.com/techcenter/articles/ana20011101.html I couldn't get rid of the feeling that LDAP is exactly what we need. At the same time, we don't have any hard-core LDAP experience here and the project timelines cannot afford lots of time for R&D. Therefore I would like to ask if there is any white paper or comprehensive example on how to use LDAP as the basis for a commercial system and create a web application on top of it. I'm not talking about how to use LDAP just to authenticate users for a web app deployed on Tomcat or something like this. I'm talking about the need for a web front-end where CSRs and "admins" would manage LDAP hierarchies (CRUD for company/office/person) and manage the roles/permissions associated with those entities. It's relatively easy to build such a web front-end on top of a database, but what about an LDAP server? Do we just give them an LDAP client? Obviously the system we are building is not dedicated to managing roles and permissions but to selling "widgets". Roles and permissions are here just to make managing "widgets" more granular. These "widgets" and everything associated with them are stored in a DB. Then the next question is how to integrate info from LDAP and the DB. In essence, I have very limited experience with LDAP, and while I understand its ideas and benefits (or I think that I do), I cannot see how to practically apply LDAP to our problem domain. This is not a question about ApacheDS in particular but an inquiry about relevant documentation.

Thank you for your time,
Yuriy
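The company/office/employee hierarchy with downward permission inheritance described in the post maps naturally onto an LDAP directory tree, where each entry's DN already encodes its ancestry. The following is an added example, not code from the original post or from ApacheDS: it models a small constructed directory as a dictionary keyed by DN, then computes an employee's effective permissions by walking up the DN to the customer base entry and unioning the permissions granted directly or through roles at each level. The attribute names `permission` and `role`, the DN layout and the `ou=customers` boundary are all assumptions made for the illustration, not standard LDAP schema.

```python
# Added example (not from the original post): effective-permission resolution over an
# LDAP-style hierarchy. Entries are keyed by DN; "permission" and "role" are assumed
# custom attributes, and role values are DNs of role entries (which may nest).
from typing import Dict, List, Set

# Constructed sample directory: two companies, offices under them, employees under offices.
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "cn=widget-reader,ou=roles,dc=example,dc=com": {"permission": ["widget:read"]},
    "cn=widget-admin,ou=roles,dc=example,dc=com": {
        "permission": ["widget:write", "widget:delete"],
        "role": ["cn=widget-reader,ou=roles,dc=example,dc=com"],  # nested role
    },
    # Company-level grant: every office and employee of Acme inherits widget:read.
    "o=Acme,ou=customers,dc=example,dc=com": {
        "role": ["cn=widget-reader,ou=roles,dc=example,dc=com"]
    },
    # Office-level grant: only London staff inherit widget:price.
    "ou=London,o=Acme,ou=customers,dc=example,dc=com": {"permission": ["widget:price"]},
    "uid=alice,ou=London,o=Acme,ou=customers,dc=example,dc=com": {
        "role": ["cn=widget-admin,ou=roles,dc=example,dc=com"]
    },
    "uid=bob,ou=London,o=Acme,ou=customers,dc=example,dc=com": {},
    "ou=Paris,o=Acme,ou=customers,dc=example,dc=com": {},
    "uid=carol,ou=Paris,o=Acme,ou=customers,dc=example,dc=com": {},
    "o=Globex,ou=customers,dc=example,dc=com": {},
    # The ou=HQ office entry is deliberately missing to show the walk tolerates gaps.
    "uid=dave,ou=HQ,o=Globex,ou=customers,dc=example,dc=com": {"permission": ["widget:read"]},
}

# Inheritance stops at this entry so that grants on the shared suffix are never considered.
CUSTOMER_BASE = "ou=customers,dc=example,dc=com"


def split_dn(dn: str) -> List[str]:
    """Split a DN into RDNs on unescaped commas (handles '\\,' only; not full RFC 4514)."""
    parts: List[str] = []
    current: List[str] = []
    i = 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            current.append(dn[i:i + 2])  # keep the escape with its escaped character
            i += 2
            continue
        if dn[i] == ",":
            parts.append("".join(current).strip())
            current = []
        else:
            current.append(dn[i])
        i += 1
    parts.append("".join(current).strip())
    return parts


def ancestors(dn: str) -> List[str]:
    """The DN itself followed by each parent DN up to the root suffix."""
    rdns = split_dn(dn)
    return [",".join(rdns[i:]) for i in range(len(rdns))]


def role_permissions(role_dn: str, seen: Set[str]) -> Set[str]:
    """Permissions of a role entry, following nested roles with a cycle guard."""
    if role_dn in seen:
        return set()
    seen.add(role_dn)
    entry = DIRECTORY.get(role_dn, {})
    perms = set(entry.get("permission", []))
    for nested in entry.get("role", []):
        perms |= role_permissions(nested, seen)
    return perms


def direct_permissions(dn: str) -> Set[str]:
    """Permissions granted on one entry, directly or via its roles; empty if entry is absent."""
    entry = DIRECTORY.get(dn)
    if entry is None:
        return set()
    perms = set(entry.get("permission", []))
    for role_dn in entry.get("role", []):
        perms |= role_permissions(role_dn, set())
    return perms


def effective_permissions(dn: str) -> Set[str]:
    """Union of the entry's own grants and those of every ancestor down to CUSTOMER_BASE."""
    perms: Set[str] = set()
    for node in ancestors(dn):
        perms |= direct_permissions(node)
        if node == CUSTOMER_BASE:
            break
    return perms


if __name__ == "__main__":
    for uid in ("alice", "bob", "carol"):
        print(uid, sorted(effective_permissions(
            f"uid={uid},ou=London,o=Acme,ou=customers,dc=example,dc=com"
            if uid != "carol" else
            "uid=carol,ou=Paris,o=Acme,ou=customers,dc=example,dc=com")))
```

Against a live directory the same walk becomes one base-scope search per ancestor DN (or a single subtree search whose results are cached at login), and the role links would normally be expressed with the standard `member`/`memberOf` group attributes rather than a custom `role` attribute. The walk stops at the customer base on purpose: anything granted above it on the shared suffix would otherwise leak to every company.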
