
Re: AW: Permission management with LDAP



Sets are for access control only and used internally at the server!

And sets are very fast in my experience on indexed attributes!

On 2015-09-03 08:38, Fischer, Johannes wrote:
I have some trouble realizing a search based on the set.

Just to get in touch with the syntax, I've tried to return all member
DNs listed in cn=admin, with no result:

(&
    (cn=admin,ou=groups,dc=vfk,dc=ldap,dc=com/member)
    (objectClass=*)
)

When I try to add the "[]", a bad char error appears:

(&
    ([cn=admin,ou=groups,dc=vfk,dc=ldap,dc=com]/member)
    (objectClass=*)
)

Yesterday I had the right search request, but then the phone rang
and after 20 minutes on the phone I couldn't remember the search
request.

Thank you for your help

John


-----Original Message-----
From: openldap-technical
[mailto:openldap-technical-bounces@openldap.org] On behalf of Dieter
Klünter
Sent: Tuesday, 1 September 2015 09:30
To: openldap-technical@openldap.org
Subject: Re: Permission management with LDAP

On Tue, 1 Sep 2015 06:21:34 +0000,
"Fischer, Johannes" <johannes.fischer@ipa.fraunhofer.de> wrote:

Hi again,

I did not get what I want.
With the memberof overlay I get a structure as expected:
User
	-memberOfGroup
groupOfPermission
	- member
	- permission
Permission
	-memberOfGroup

With every update of groupOfPermission the links to the User and
Permission classes are generated. So far so good.

If I want to check whether a user has some Permission, I still have to
collect the memberOfGroup attributes from the Permission class. Then I
am able to search for the corresponding link between user and
permission, like
(&(uid=$1)(memberOf=(Permission.getAll(memberOfGroup)))). This works, BUT
it requires two interactions with the server. This is an all-time
problem. Is there a better solution with some magic LDAP overlay?

PS. We want a mapping of permission to User; this way a fine-granular
mapping of permissions to Groups to User is possible at every time.

You may test sets:
http://www.openldap.org/faq/data/cache/1133.html

If you do have some spare time in November, you may attend LDAP
Conference 2015 at Edinburgh, http://ldapcon.org/2015/. Shawn McKinney's
paper on Security Access Control Engine is quite promising, and
Michael Stroeder's paper on a user management system may give you
some insights into your tasks.

-Dieter
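The exchange above describes the layout User / groupOfPermission / Permission, the back-links the memberof overlay maintains, and the two-interaction check (collect the permission's groups, then filter the user on memberOf). The following is an added example, not code from the thread or from OpenLDAP: it models that layout on constructed sample entries, derives the memberOf-style back-links the way an overlay would, and builds the second-step filter with RFC 4515 escaping of the caller-supplied uid, so the "$1" placeholder cannot be used to alter the filter. All DNs, attribute names and the choice to fold both forward attributes (member and permissionMember) into one back-link map are assumptions made for the example.

```python
"""
Added example, not from the thread and not OpenLDAP code: a model of the
User / groupOfPermission / Permission layout from the 1 September mail,
the back-links a memberof-style overlay would maintain, and the two-step
permission check expressed as an LDAP filter with RFC 4515 escaping.
All DNs and attribute names below are constructed sample data.
"""
from typing import Dict, Iterable, List, Optional, Set

Entry = Dict[str, List[str]]

USERS = "ou=users,dc=example,dc=com"
GROUPS = "ou=groups,dc=example,dc=com"
PERMS = "ou=permissions,dc=example,dc=com"

# Constructed directory snapshot (DN -> attributes), i.e. what the server
# would hold before any overlay adds memberOf values.
DIRECTORY: Dict[str, Entry] = {
    f"uid=john,{USERS}": {"objectClass": ["inetOrgPerson"], "uid": ["john"]},
    f"uid=mary,{USERS}": {"objectClass": ["inetOrgPerson"], "uid": ["mary"]},
    f"cn=backup-operators,{GROUPS}": {
        "objectClass": ["groupOfPermissions"],
        "member": [f"uid=john,{USERS}"],
        "permissionMember": [f"cn=read-backups,{PERMS}"],
    },
    f"cn=auditors,{GROUPS}": {
        "objectClass": ["groupOfPermissions"],
        "member": [f"uid=mary,{USERS}"],
        "permissionMember": [f"cn=read-backups,{PERMS}", f"cn=read-audit-log,{PERMS}"],
    },
    f"cn=read-backups,{PERMS}": {"objectClass": ["permission"]},
    f"cn=read-audit-log,{PERMS}": {"objectClass": ["permission"]},
}


def derive_member_of(directory: Dict[str, Entry],
                     group_oc: str = "groupOfPermissions",
                     forward_attrs: Iterable[str] = ("member", "permissionMember")
                     ) -> Dict[str, Set[str]]:
    """Back-links an overlay maintains: target DN -> set of group DNs.

    slapo-memberof tracks one forward attribute per overlay instance; this
    model (an assumption) folds both forward attributes into one map.
    """
    links: Dict[str, Set[str]] = {dn: set() for dn in directory}
    for dn, entry in directory.items():
        if group_oc not in entry.get("objectClass", []):
            continue
        for attr in forward_attrs:
            for target in entry.get(attr, []):
                if target in links:  # dangling references are skipped (cf. olcMemberOfDangling: ignore)
                    links[target].add(dn)
    return links


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: \\ * ( ) and NUL become \\xx, so a caller-supplied
    value such as the uid cannot inject extra filter components."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\0" else ch for ch in value)


def build_permission_filter(uid: str, group_dns: Iterable[str]) -> Optional[str]:
    """Second-step filter: (&(uid=<uid>)(|(memberOf=g1)(memberOf=g2)...)).

    Returns None when no group grants the permission, so the caller never
    sends a degenerate filter that could match unintended entries.
    """
    groups = sorted(group_dns)
    if not groups:
        return None
    clauses = "".join(f"(memberOf={escape_filter_value(g)})" for g in groups)
    return f"(&(uid={escape_filter_value(uid)})(|{clauses}))"


def user_has_permission(directory: Dict[str, Entry], uid: str, permission_dn: str) -> bool:
    """The two-interaction check from the thread, run against the model."""
    links = derive_member_of(directory)
    # Interaction 1: read the permission entry's back-links (its groups).
    groups = links.get(permission_dn, set())
    flt = build_permission_filter(uid, groups)
    if flt is None:
        return False
    # Interaction 2: the equivalent of the search the server would run for flt.
    for dn, entry in directory.items():
        if uid in entry.get("uid", []) and links[dn] & groups:
            return True
    return False


if __name__ == "__main__":
    print(build_permission_filter("john", derive_member_of(DIRECTORY)[f"cn=read-backups,{PERMS}"]))
    print(user_has_permission(DIRECTORY, "john", f"cn=read-backups,{PERMS}"))
```

The escaping step is the part worth keeping whatever the directory layout ends up being: a filter assembled from "$1" by string substitution is only safe when the substituted value has been escaped, and returning None for an empty group list avoids sending a filter with an empty OR.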


-----Original Message-----
From: openldap-technical
[mailto:openldap-technical-bounces@openldap.org] On behalf of
Fischer, Johannes Sent: Friday, 28 August 2015 14:17 To: Dieter
Klünter Cc: openldap-technical@openldap.org
Subject: AW: Permission management with LDAP

Hi,

I've tried your idea. It worked well with groupOfNames.
Then I've tried to implement the memberof overlay for a user-specific
objectClass:

Dn: olcOverlay={1}
objectClass: olcConfig
objectClass: olcOverlayConfig
objectClass: olcMemberOf
olcOverlay: memberof
olcMemberOfDangling: ignore
olcMemberOfRefInt: TRUE
olcMemberOfGroupOC: GroupOfPermissions
olcMemberOfMemberAD: permissionMember
olcMemberOfMemberOfAD: member

While adding the ldif, an "unable to find group objectClass="
GroupOfPermissions "" error appears. The objectClass is available on the
server and is a self-created objectClass. Do I have to include some paths
to announce the objectClass?

Greetings John


-----Original Message-----
From: Dieter Klünter [mailto:dieter@dkluenter.de]
Sent: Friday, 28 August 2015 09:36
To: Fischer, Johannes
Cc: openldap-technical@openldap.org
Subject: Re: Permission management with LDAP

On Fri, 28 Aug 2015 06:06:06 +0000,
"Fischer, Johannes" <johannes.fischer@ipa.fraunhofer.de> wrote:

> Hi again,
>
> I didn't want to do a thread hijacking, so here is a second mail with
> a completely different question.
>
> If I have a structure like:
> User
>   - Role
> Role
>   - User
>   - Permission
> Permission
>   - Role
>
> Now I want to get the authorization for some permission, so I have
> the information which user and which Permission. Now I need to match
> the list. The way it already works: Get all Roles for a Permission.
> Search in the user for the Role. If found, Authorization; else no.
> Therefore I need at least two requests to the LDAP server.

For this sort of task I use slapo-memberof(5) and a proper filter.
Something like (&(uid=$1)(memberOf=myGroup))

-Dieter

--
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E
