How is access control done?

Thanks all for replying and for the suggestions.

--- Jeff Clowser <jclowser at unitedmessaging.com> wrote:

> As a fourth example (and one similar to what you proposed), you can
> sometimes combine aci's and application level access control to get
> around some limitations in the service that is using ldap:
> Say we have a server that looks at ldap for user authentication.  If it
> finds the user, it allows it in, and that's all it can handle.  However,
> we want to limit users to certain machines, but the application doesn't
> provide for this kind of limitation.
> We can extend a user's entry - say we define objectclass appx, with one
> multivalued attribute called appxhosts.
> In a user's entry, we add objectclass appx, and populate appxhosts with
> the list of hosts we want that user to access.
> We then create appropriate aci's for each server such that the server
> can only see entries with appxhosts=hostname of the server looking up
> users for authentication.
> If the server can't "see" the user in LDAP when it looks up their uid,
> it can't authenticate them, and you effectively limit which servers a
> given user can log into.
>

Let's say my apps have some specific needs for data
which are not covered by the existing standard schema. So
I create an extended schema. Let's say I have 3 apps
right now, and I can't foresee what future apps will
need in terms of schema definition.

And let's say I've been using the FDS for 2 years, and
have 20K users. Then I want to add new apps, which
require extending the schema again. Assuming that I don't
have to change any existing schema, do I have to
rebuild the whole ldap directory, or can I just add
the new schema, and tell the server that the new
attributes are now allowed in
inetOrgPerson/Person/posixAccount/etc?

The important thing is, I don't want to rebuild
anything, not to interrupt any service.

I see there are quite a few Netscape schemas for
specific apps, such as Collabra Server, etc. How do I
add app-specific schema like that without rebuilding
the directory? Or do I have to rebuild it every time a
new schema is added?

Please bear with me, I have no real-life experience
with LDAP, just learning here, and throwing in the
questions that I can't figure out from googling :)

Again, thanks for all.

sz
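The per-host scheme Jeff describes above, written out as an added example in 389/Fedora Directory Server LDIF (this is not code from anyone in the thread): the appxhosts attribute and an AUXILIARY appx objectclass added to the live schema entry, one user entry extended with them, and one ACI that lets a given server's lookup identity see only the users allowed on that host. The suffix dc=example,dc=com, the host names, the cn=host1-lookup service bind DN and the PLACEHOLDER-OID arc are assumptions; a real deployment substitutes its own OID arc before loading the schema.

```ldif
# Added example, not from the thread. Assumed: suffix dc=example,dc=com,
# a private OID arc (PLACEHOLDER-OID, replace before use), and one lookup
# bind DN per application server.

# 1. Schema: add the attribute and an AUXILIARY objectclass to the running
#    server by modifying cn=schema. AUXILIARY means it can be attached to any
#    existing inetOrgPerson/posixAccount entry without touching those
#    standard objectclasses.
dn: cn=schema
changetype: modify
add: attributeTypes
attributeTypes: ( PLACEHOLDER-OID.1 NAME 'appxhosts'
  DESC 'Hosts this user may log into via appx'
  EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
-
add: objectClasses
objectClasses: ( PLACEHOLDER-OID.2 NAME 'appx'
  DESC 'Per-host application access control'
  SUP top AUXILIARY MAY ( appxhosts ) X-ORIGIN 'user defined' )

# 2. Extend one user's entry: jdoe is allowed on host1 and host2 only.
dn: uid=jdoe,ou=People,dc=example,dc=com
changetype: modify
add: objectClass
objectClass: appx
-
add: appxhosts
appxhosts: host1.example.com
appxhosts: host2.example.com

# 3. One ACI per application server, placed on the People container.
#    The identity host1 binds with for user lookups may read/search only
#    entries whose appxhosts contains host1's own name. Users without that
#    value are invisible to it, so their login on host1 fails at lookup.
#    Attributes are listed explicitly rather than "*" to keep the grant
#    minimal.
dn: ou=People,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr="uid || cn || mail || appxhosts")
  (targetfilter="(appxhosts=host1.example.com)")
  (version 3.0; acl "appx visibility for host1";
   allow (read,search,compare)
   userdn="ldap:///cn=host1-lookup,ou=Services,dc=example,dc=com";)
```

Two checks worth making before relying on this: ACIs are additive, so the per-host grant only restricts what cn=host1-lookup can see if no broader ACI (for example a default allow-anonymous-read on the suffix) already covers those entries, and the application server must actually bind as its own lookup identity rather than anonymously. Verifying is straightforward: bind as cn=host1-lookup and search ou=People for uid=jdoe, then repeat for a user whose appxhosts lacks host1.example.com and confirm the second search returns nothing.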



		
__________________________________ 
Yahoo! Music Unlimited 
Access over 1 million songs. Try it free.
http://music.yahoo.com/unlimited/
