David Boreham wrote:
>
>> From what I remember, that vpn server searched for the user's dn in
>> uniquemember to find a template entry, and the above is what it is
>> expecting to find. How would I set up Roles and CoS entries that
>> would work without changing the app (is that possible)? Can I set up
>> Roles/CoS that would populate the uniquemember attribute of the
>> vpntemplate entry? Is that searchable (if I remember correctly,
>> early versions of CoS didn't allow you to search on cos populated
>> attributes, later versions might have, and I'm not sure where in that
>> line FDS is).
>
> Yeah, I don't know about this. I was more interested in the semantics
> of the checkpoint application behavior, which I think are easily
> implemented with role-based cos (the end result is that the user entry
> has the necessary vpn cruft on it directly, with no need to indirect to
> the template entry at the client end).
>
> If an existing application can be made to simply fetch its per-user
> parameters from attributes on the user's entry, then roles/cos will
> work fine.

The problem lies in what happens if the user is part of multiple templates. For example, one template may say I can access host 1 and 2 from 9am to 5pm, and another template may say I can access host 3 (no time specification, so any time), etc. If I use roles to merge all the values from all these templates into the user's entry, I may get something like host 1, 2, and 3 are allowed only from 9am-5pm, depending on how the templates are organized/defined by the vendor, which is different from what I had intended.

FWIW, as I remember it, the checkpoint product did allow these in the user's entry, and I think it broke if a user was actually part of more than one template, but I was trying to speak generically vs a particular product :).

> Just to be clear: I don't expect (nor require) that there are any
> applications that 'support' roles. All the applications need to do
> is to support regular ldap attributes on the user entries.

Sorry - bad wording on my part. When I say "support roles", that includes the case where I can read the info from the user's entry as you specified. I think it just comes down to being creative in the use of roles, and in some cases, nothing will help.

- Jeff
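The merging concern Jeff raises above can be made concrete with a small model. The following Python is an added example, not code from this thread or from Fedora Directory Server; the template names, hosts, time windows and attribute names (`allowedHost`, `accessWindow`) are constructed. It compares the intended per-template semantics (a user is allowed if any one template grants access) with what an application sees after role-based CoS has copied every template's values onto the user entry as independent multi-valued attributes, where the link between a host and its time window is lost.

```python
"""Constructed model of per-template vs. merged-attribute VPN access checks.

Two templates are assumed (names and values are made up for this example):
  office: hosts host1, host2, allowed only 09:00-17:00
  extra:  host3, no time window (any time)
"""
from dataclasses import dataclass
from datetime import time
from typing import FrozenSet, List, Optional, Tuple

Window = Optional[Tuple[time, time]]  # None means "no time restriction"


@dataclass(frozen=True)
class Template:
    name: str
    hosts: FrozenSet[str]
    window: Window


def _parse(hhmm: str) -> time:
    """Turn 'HH:MM' into a datetime.time (probe times are given as strings)."""
    hour, minute = hhmm.split(":")
    return time(int(hour), int(minute))


def window_allows(window: Window, t: time) -> bool:
    """A missing window allows any time; otherwise the time must fall inside it."""
    if window is None:
        return True
    start, end = window
    return start <= t <= end


def allowed_per_template(templates: List[Template], host: str, hhmm: str) -> bool:
    """Intended semantics: access if ANY single template grants host AND time."""
    t = _parse(hhmm)
    return any(host in tpl.hosts and window_allows(tpl.window, t) for tpl in templates)


def merge_onto_user_entry(templates: List[Template]) -> dict:
    """Simulate role-based CoS merging: each attribute's values are unioned
    independently, so the entry no longer records which window belonged to
    which host. A template with no window contributes no accessWindow value."""
    entry = {"allowedHost": set(), "accessWindow": set()}
    for tpl in templates:
        entry["allowedHost"] |= tpl.hosts
        if tpl.window is not None:
            entry["accessWindow"].add(tpl.window)
    return entry


def allowed_merged(entry: dict, host: str, hhmm: str) -> bool:
    """What an application reading only the flat user entry can conclude:
    the host must be listed, and if any accessWindow values exist at all,
    the current time must fall inside one of them."""
    t = _parse(hhmm)
    if host not in entry["allowedHost"]:
        return False
    if not entry["accessWindow"]:
        return True
    return any(window_allows(w, t) for w in entry["accessWindow"])


def find_discrepancies(templates: List[Template], probes: List[Tuple[str, str]]):
    """Return the (host, time) probes where the two interpretations disagree."""
    entry = merge_onto_user_entry(templates)
    return [
        (host, hhmm)
        for host, hhmm in probes
        if allowed_per_template(templates, host, hhmm) != allowed_merged(entry, host, hhmm)
    ]


# Constructed sample data mirroring the two templates described in the message.
TEMPLATES = [
    Template("office", frozenset({"host1", "host2"}), (time(9, 0), time(17, 0))),
    Template("extra", frozenset({"host3"}), None),
]

# Constructed probes: (host, time of day).
PROBES = [
    ("host1", "10:00"),  # both agree: allowed
    ("host1", "20:00"),  # both agree: denied
    ("host3", "10:00"),  # both agree: allowed
    ("host3", "20:00"),  # per-template allows (no window); merged entry denies
    ("host4", "10:00"),  # both agree: denied (unknown host)
]

if __name__ == "__main__":
    for probe in find_discrepancies(TEMPLATES, PROBES):
        print("merged entry changes the outcome for", probe)
```

The single discrepancy is `host3` outside office hours: the per-template rule allows it at any time, but once the `extra` template's hosts are merged next to the `office` template's window on the user entry, the application has no way to tell that host3 never carried a restriction, and it denies access. Whether that outcome is acceptable depends entirely on how the vendor defines and interprets the templates, which is exactly the caveat the message makes.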