
Re: Permission management with LDAP



On Tue, 1 Sep 2015 06:21:34 +0000,
"Fischer, Johannes" <johannes.fischer@ipa.fraunhofer.de> wrote:

> Hi again,
> 
> I did not get what I wanted to get.
> With the memberof overlay I get a structure like expected:
> User
> 	- memberOfGroup
> groupOfPermission
> 	- member
> 	- permission
> Permission
> 	- memberOfGroup
> 
> With every update of groupOfPermission the links to the User and
> Permission class are generated. So far so good.
> 
> If I want to check whether a user has some Permission, I still have to
> collect the memberOfGroup attributes from the Permission class. Then
> I am able to search for the corresponding link between user and
> permission, like:
> (&(uid=$1)(memberOf=(Permission.getAll(memberOfGroup))))
> This works, BUT it requires two interactions with the server. This is
> an all-time problem. Is there a better solution with some magic LDAP
> overlay?
> 
> PS. We want a mapping of permissions to Users; this way a fine-granular
> mapping of permissions to Groups to Users is possible, at any time.

You may test sets:
http://www.openldap.org/faq/data/cache/1133.html

If you have some spare time in November, you may attend the LDAP
Conference 2015 in Edinburgh:
http://ldapcon.org/2015/
Shawn McKinney's paper on a Security Access Control Engine is quite
promising, and Michael Stroeder's paper on a user management system
may give you some insights into your tasks.

-Dieter

> 
> -----Original Message-----
> From: openldap-technical
> [mailto:openldap-technical-bounces@openldap.org] On behalf of
> Fischer, Johannes
> Sent: Friday, 28 August 2015 14:17
> To: Dieter Klünter
> Cc: openldap-technical@openldap.org
> Subject: RE: Permission management with LDAP
> 
> Hi,
> 
> I've tried your idea. It worked well with groupOfNames.
> Then I tried to implement the memberof overlay for a user-specific
> objectClass:
> dn: olcOverlay={1}
> objectClass: olcConfig
> objectClass: olcOverlayConfig
> objectClass: olcMemberOf
> olcOverlay: memberof
> olcMemberOfDangling: ignore
> olcMemberOfRefInt: TRUE
> olcMemberOfGroupOC: GroupOfPermissions
> olcMemberOfMemberAD: permissionMember
> olcMemberOfMemberOfAD: member
> 
> While adding the LDIF, I got:
> unable to find group objectClass="GroupOfPermissions"
> The objectClass is available on the server and is a self-created
> objectClass. Do I have to include some paths to announce the
> objectClass?
> 
> Greetings John
> 
> 
> -----Original Message-----
> From: Dieter Klünter [mailto:dieter@dkluenter.de]
> Sent: Friday, 28 August 2015 09:36
> To: Fischer, Johannes
> Cc: openldap-technical@openldap.org
> Subject: Re: Permission management with LDAP
> 
> On Fri, 28 Aug 2015 06:06:06 +0000,
> "Fischer, Johannes" <johannes.fischer@ipa.fraunhofer.de> wrote:
> 
> > Hi again,
> > 
> > I didn't want to do a thread hijacking, so here is a second mail
> > with a completely different question.
> > 
> > If I have a structure like:
> > User
> >   - Role
> > Role
> >   - User
> >   - Permission
> > Permission
> >   - Role
> > 
> > Now I want to get the authorization for some permission, so I have
> > the information which user and which Permission. Now I need to
> > match the list. The way it already works: get all Roles for a
> > Permission; search in the user for the Role; if found, authorization,
> > else no. Therefore I need at least two requests to the LDAP server.
> 
> For this sort of task I use slapo-memberof(5) and a proper filter,
> something like (&(uid=$1)(memberOf=myGroup))
> 
> -Dieter
> 
> --
> Dieter Klünter | Systemberatung
> http://sys4.de
> GPG Key ID: E9ED159B
> 53°37'09,95"N
> 10°08'02,42"E



-- 
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E
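The two-round-trip check John describes (collect the Permission entry's memberOfGroup links, then test the user against them), written out as an added example that is not code from the thread or from OpenLDAP. It assumes the attribute name memberOfGroup from the structure in his mail, uses hypothetical DNs, and stands in an in-memory lookup table for slapd; it also escapes the user-supplied uid, since a raw `$1` spliced into a filter string is a classic LDAP injection point.

```python
# Added example, not code from the thread: expands the pseudo-filter
# (&(uid=$1)(memberOf=(Permission.getAll(memberOfGroup)))) into an RFC 4515
# filter and runs the two-round-trip check through a caller-supplied search
# function, here a constructed stand-in for slapd with hypothetical DNs.
from typing import Callable, Dict, Iterable, List, Optional, Tuple
Entry = Tuple[str, Dict[str, List[str]]]
Search = Callable[[str, str], List[Entry]]  # search(base_dn, filter) -> entries

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping; a raw uid like '*)(uid=*' would rewrite the filter."""
    return ''.join('\\%02x' % ord(c) if c in '\\*()\x00' else c for c in value)

def build_permission_filter(uid: str, group_dns: Iterable[str]) -> Optional[str]:
    """Filter matching `uid` when its memberOfGroup names any of `group_dns`.
    Returns None for an empty group list rather than emitting a bare '(|)'."""
    ors = ''.join('(memberOfGroup=%s)' % escape_filter_value(d) for d in group_dns)
    if not ors:
        return None
    return '(&(uid=%s)(|%s))' % (escape_filter_value(uid), ors)

def user_has_permission(search: Search, users_base: str,
                        permission_dn: str, uid: str) -> bool:
    # Round trip 1: the memberOfGroup links the overlay wrote on the Permission.
    groups: List[str] = []
    for _dn, attrs in search(permission_dn, '(objectClass=*)'):
        groups.extend(attrs.get('memberOfGroup', []))
    flt = build_permission_filter(uid, groups)
    if flt is None:          # permission granted to no group at all
        return False
    # Round trip 2: is there a user with that uid linked to one of those groups?
    return bool(search(users_base, flt))

# Constructed stand-in: (base, filter) -> result, keyed on the exact filter
# string the code above builds, so a hit also checks that string.
USERS = 'ou=users,dc=example,dc=com'
PERM = 'cn=write-reports,ou=permissions,dc=example,dc=com'
EDITORS = 'cn=editors,ou=groups,dc=example,dc=com'
SAMPLE: Dict[Tuple[str, str], List[Entry]] = {
    (PERM, '(objectClass=*)'): [(PERM, {'memberOfGroup': [EDITORS]})],
    (USERS, '(&(uid=jfischer)(|(memberOfGroup=%s)))' % EDITORS):
        [('uid=jfischer,' + USERS, {'uid': ['jfischer']})],
}

def sample_search(base: str, flt: str) -> List[Entry]:
    return SAMPLE.get((base, flt), [])

if __name__ == '__main__':
    print(user_has_permission(sample_search, USERS, PERM, 'jfischer'))  # True
    print(user_has_permission(sample_search, USERS, PERM, 'guest'))     # False
```

Against a real server, replace `sample_search` with a wrapper around your LDAP client's search call that returns (dn, attributes) pairs.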