David Boreham wrote:
>
>> In the case of the VPN Template (and I only worked on this briefly a
>> couple years back), I believe the checkpoint stuff worked like this:
>>
>> 1. They created a new vpntemplate schema extension of
>> groupofuniquenames
>> 2. This extended group had attributes to limit times, hosts, and a
>> bunch of other things they could access when connected to the VPN.
>> 3. When a user logged into the VPN, it would auth the user, then
>> search for something like
>> (&(objectclass=vpntemplate)(uniquemember=<authedusersdn>)).
>> 4. If that returned a group, these other attributes in the returned
>> vpn group define what access the user has.
>
>
> Interesting. This was what role-based-cos was designed for.
> Would that have worked for this application ?
> (user's role drives cos, which returns a set of attribute values
> on the user's entry from cos).

I think it would be feasible in that role-based cos could provide the equivalent end result (if the vendor changed their product to know how to look at roles?). Assuming a closed source COTS application, hardcoded to the above filter (looking at uniquemember for membership), is there a way to make role-based cos match on that search?

I understand that changing apps to support roles should be easy, but unless you _can_ change the app, that doesn't help much, unfortunately. How widespread has adoption of Roles been (or does it need to be)? Maybe with the introduction of FDS into the open source world, that will change soon.

An example entry would be something like the following (making up the attributes and stuff, but the form is close enough as an example):

    objectclass: top
    objectclass: groupofuniquenames
    objectclass: vpntemplate
    accesstime: 0900-1800
    accesshosts: host1.example.com
    accesshosts: host2.example.com
    uniquemember: uid=jdoe,ou=people,o=example.com
    cn: Engineering VPN
    ...
From what I remember, that vpn server searched for the user's dn in uniquemember to find a template entry, and the above is what it is expecting to find. How would I set up Roles and CoS entries that would work without changing the app (is that possible)? Can I set up Roles/CoS that would populate the uniquemember attribute of the vpntemplate entry? Is that searchable (if I remember correctly, early versions of CoS didn't allow you to search on cos-populated attributes, later versions might have, and I'm not sure where in that line FDS is)?

My job has tended to be more one of deploying existing software and finding a way to make it all work together, rather than being the developer writing the software (though I do do some coding), so I don't necessarily have the option of changing the app to use a new form. Some apps are _really_ bad (depend on specific tree structures, etc - my "favorite" are those that are "ldap integrated", meaning "the first time you log in, it reads your info and copies it to a relational db and uses that from there on..."), and businesses don't always allow you to select apps based on how well they properly integrate against ldap :-(

Admittedly, I have not played with Roles too much - never _thought_ they really fit anything I was doing, but maybe it's time to take another look at them (esp if I can resolve the above with them :) ).

- Jeff
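Added example, not part of the list thread or of any vendor's or FDS code: a small self-contained model of the lookup the VPN server is described as doing above. It parses a constructed LDIF directory containing the made-up vpntemplate entry, evaluates the filter (&(objectclass=vpntemplate)(uniquemember=<dn>)) for an authenticated DN, and reads the access limits from the matching template. The attribute names accesstime and accesshosts, the second member, the Contractors group and the DN of the template entry are all assumptions made for the sample; the script says nothing about whether roles or CoS can populate uniquemember, which is the open question in the post.

```python
"""
Model of the vpntemplate membership lookup described in the thread.
Constructed sample data; attribute names follow the made-up entry in the
post and are assumptions, not a real vendor schema.
"""
from datetime import time

# Constructed sample directory in LDIF form. Only the first entry carries
# objectclass vpntemplate; the second is a plain group that also lists
# jdoe, to show that group membership alone does not grant VPN access.
SAMPLE_LDIF = """\
dn: cn=Engineering VPN,ou=vpn,o=example.com
objectclass: top
objectclass: groupofuniquenames
objectclass: vpntemplate
accesstime: 0900-1800
accesshosts: host1.example.com
accesshosts: host2.example.com
uniquemember: uid=jdoe,ou=people,o=example.com
uniquemember: uid=asmith,ou=people,o=example.com
cn: Engineering VPN

dn: cn=Contractors,ou=groups,o=example.com
objectclass: top
objectclass: groupofuniquenames
uniquemember: uid=jdoe,ou=people,o=example.com
cn: Contractors
"""


def parse_ldif(text):
    """Parse minimal LDIF into a list of {attr: [values]} dicts.

    Attribute names are lower-cased because LDAP attribute types compare
    case-insensitively. Base64 ("::") values, comments and continuation
    lines are not handled; the constructed sample does not use them.
    """
    entries, current = [], None
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = None
            continue
        attr, _, value = line.partition(":")
        if current is None:
            current = {}
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def normalize_dn(dn):
    """Strip whitespace around RDN separators and lower-case the DN so that
    'UID=jdoe, ou=people' and 'uid=jdoe,ou=people' compare equal. Full
    RFC 4514 matching is more involved; this suffices for the sample."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def find_vpn_templates(entries, user_dn):
    """Evaluate (&(objectclass=vpntemplate)(uniquemember=<user_dn>)) over
    the parsed entries and return every matching template entry."""
    target = normalize_dn(user_dn)
    matches = []
    for entry in entries:
        classes = {v.lower() for v in entry.get("objectclass", [])}
        members = {normalize_dn(v) for v in entry.get("uniquemember", [])}
        if "vpntemplate" in classes and target in members:
            matches.append(entry)
    return matches


def access_for(entries, user_dn):
    """Return (allowed, hosts, window). allowed is False when no vpntemplate
    lists the user, mirroring step 4 of the quoted description: no
    template, no defined access."""
    templates = find_vpn_templates(entries, user_dn)
    if not templates:
        return False, [], None
    hosts, window = [], None
    for tmpl in templates:
        hosts.extend(tmpl.get("accesshosts", []))
        for span in tmpl.get("accesstime", []):   # assumed HHMM-HHMM form
            start, _, end = span.partition("-")
            window = (time(int(start[:2]), int(start[2:])),
                      time(int(end[:2]), int(end[2:])))
    return True, sorted(set(hosts)), window


def within_window(window, now):
    """True when `now` (a datetime.time) falls inside the accesstime
    window; a template without accesstime imposes no time limit."""
    if window is None:
        return True
    start, end = window
    return start <= now <= end


if __name__ == "__main__":
    directory = parse_ldif(SAMPLE_LDIF)
    for dn in ("uid=jdoe,ou=people,o=example.com",
               "uid=nobody,ou=people,o=example.com"):
        allowed, hosts, window = access_for(directory, dn)
        print(dn, "->", allowed, hosts, window,
              "(in window at 12:00)" if allowed and within_window(window, time(12, 0)) else "")
```

Run it as-is to see jdoe resolve to the Engineering VPN limits while the unknown DN gets no access; the Contractors group never matches because the filter requires objectclass vpntemplate, not just uniquemember.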