David Boreham wrote:
> This is an interesting one, because applications like apache were the
> target for roles/cos. Do you know what Apache does support for
> determining page access via LDAP?
Roles should work for apache. Out of habit, I've used apache/auth_ldap
as follows, to limit users to a group (from an htaccess file):
AuthLDAPURL ldap://ldap1.airius.com:389/ou=People,o=Airius?uid?sub?(objectClass=*)
require group cn=Administrators, o=Airius
In this case, if memory serves, this will look up the user by uid to get
their dn and auth them, then will check to see if their dn is in the
uniquemember attribute of the group to see if they can see whatever is
protected.
I think (have not tested this), I could use roles instead by doing:
AuthLDAPURL ldap://ldap1.airius.com:389/ou=People,o=Airius?uid?sub?(nsRole=<dn of the role>)
require valid-user
Or something like that. So, instead of saying "auth the user and see if
they are in a group, and if so they are allowed", we are saying "auth
any users, but only if they match this filter, and if they do, they are
allowed". The roles method actually uses half the searches, so is more
efficient, admittedly :) But, apache (auth_ldap) is nice enough to
allow you to define the filters. Netscape Enterprise/FastTrack web
server only did groups one way - it looked at static members in the
uniquemember attribute. Part of why I always used Apache instead. (ok,
so admittedly that's a _really_ old example, and may not even apply to
whatever state that server is in at Sun these days... :) )
The problem I've run into is that I want to create a group that:
1. Represents some subset of users (obviously)
2. Is dynamically generated (otherwise I'd use groupOfUniqueNames and
be done).
3. Can be used for multiple applications. For example:
a. As an auth group for apache .htaccess files
b. Can be used as an email list for messaging servers.
c. aci groups in ldap (for example, I want this group of people to
be able to edit certain fields in ldap).
d. defines a vpn template (I think Check Point FireWall-1 extends a
groupOfUniqueNames group to include vpn template attributes to determine
who can access what services).
(e. probably other things but can't think of 'em now :) )
Anyway, the point is that one group may be used by multiple things
and represent different functions that group of users can do across
different services (Example: members of the HR group can log into a web
page that allows you to change users' contact info (apache auth), gets
email notices related to this web page (mail server list), and has
rights in LDAP to actually make these changes (LDAP acis). Further, I
only allow HR users access to the server this runs on via a VPN).
4. Is portable across ldap server implementations (otherwise, why use a
standard like LDAP?)
So I guess I see a group as doing 2 things, primarily: Allowing me to
determine all the members of the group (i.e. for things like email
lists), and to determine if someone is a member of a particular group
(i.e. I can do/access X if I'm part of group Y). The difference is
whether my searches return a list and I do something involving all the
members of it, or if I just want to return what lists I am a member of.
Speaking to portability across LDAP server implementations:
1. There is nothing "special" about groupOfURLs, since the client has
to read memberURL and process that to get the list (and hope it doesn't
run into resource limits). So, one caveat here is that the "dynamic"
group part is implemented on the client, so is really more of a schema
thing vs server coding (ignoring for the moment the server's use of it
in acis). It also has not really been widely adopted as a group
mechanism (only by Sun/Netscape/iPlanet/etc, as far as I know).
2. roles are "special", in that FDS can generate them. However, I
_can_ add the schema to most ldap implementations and statically
maintain the nsrole attribute (which is close enough to portable to me -
i.e. if I go from FDS to OpenLDAP for whatever reason, I lose the
ability to have this populated dynamically, but I can still manually
populate it and use it without changing all my applications). I suppose
a Role could be extended and used for email lists just as easily as
groupOfUrls is, now that I think about it, since the mail server would
have to do almost the exact same work to find members (and face the same
resource limits). But... I can't change servers like Netscape/Sun JES
messaging to support this. If I ported this to OpenLDAP, the problem
would become cleaning up these statically created groups (even with
static roles, I can use referential integrity on FDS to clean 'em up),
but that's just a cron script :)
3. groupOfUniqueNames is "standard" so is in there for every ldap
server I've seen (even AD), so is definitely portable, but is not as
useful because it's not dynamic.
4. Admittedly, acis should probably be out of scope for this idea -
since ldap access control is not portable, how you define a group to
support it being portable is probably not so important :)
I guess what it really comes down to is trying to find a way to
implement dynamic groups that is transparent to applications that don't
know how to use them. Maybe part of it is that I've been doing this for
so long (since Netscape dir server 1.0 and the original U of Mich
stuff), I have some old habits I need to unlearn :)
Sorry for rambling on for so long over so many messages about all this :-)
- Jeff
--
Fedora-directory-users mailing list
Fedora-directory-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users
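Added example (not code from this thread, from Apache auth_ldap, or from Fedora Directory Server): a small in-memory model of the three membership styles Jeff compares, static groupOfUniqueNames, groupOfURLs whose memberURL the client has to evaluate itself, and the nsRole attribute carried on the user entry, together with the two auth_ldap setups from his message (group check via uniqueMember versus role check folded into the AuthLDAPURL filter). It also shows the two operations he names for a group: listing all members and testing one user's membership. The directory entries, the role DN cn=hrstaff,o=Airius and the function names are constructed; the host ldap1.airius.com is the hypothetical one used in the mail. The filter evaluator covers only equality, presence and &/|/! nesting, and the auth_ldap logic is a simplification (one search, then the require line), not the module's real code path.

```python
# Added example: an in-memory model of static groups, memberURL groups and
# nsRole, plus the two auth_ldap checks from the message. All data is constructed.
from urllib.parse import unquote, urlsplit

SUFFIX = "o=Airius"
HR_ROLE = "cn=hrstaff,o=Airius"    # constructed role DN

def person(uid, ou, *roles):        # helper to build constructed user entries
    return {"objectClass": ["person"], "uid": [uid], "ou": [ou], "nsRole": list(roles)}

DIRECTORY = {                       # DN -> attributes, every value a list
    "uid=alice,ou=People,o=Airius": person("alice", "HR", HR_ROLE),
    "uid=bob,ou=People,o=Airius": person("bob", "Engineering"),
    "uid=carol,ou=People,o=Airius": person("carol", "HR", HR_ROLE),
    "cn=Administrators,o=Airius": {"objectClass": ["groupOfUniqueNames"],
                                   "uniqueMember": ["uid=bob,ou=People,o=Airius"]},
    "cn=HR,o=Airius": {"objectClass": ["groupOfURLs"],
                       "memberURL": ["ldap:///ou=People,o=Airius??sub?(ou=HR)"]},
}

# The two AuthLDAPURL forms from the message (same hypothetical host).
GROUP_URL = "ldap://ldap1.airius.com:389/ou=People,o=Airius?uid?sub?(objectClass=*)"
ROLE_URL = "ldap://ldap1.airius.com:389/ou=People,o=Airius?uid?sub?(nsRole=%s)" % HR_ROLE

def norm(value):
    """Case-insensitive compare that also tolerates 'cn=x, o=y' spacing in DNs."""
    return ",".join(part.strip() for part in value.split(",")).lower()

def values(attrs, name):            # attribute names are case-insensitive in LDAP
    return next((v for k, v in attrs.items() if k.lower() == name.lower()), [])

def entry(dn):                      # look up an entry by DN, ignoring case/spacing
    return next((a for d, a in DIRECTORY.items() if norm(d) == norm(dn)), {})

def parse_filter(text, i=0):
    """Parse an RFC 4515 subset (equality, presence, &, |, !); returns (node, end)."""
    i += 1                          # skip '('
    if text[i] in "&|!":
        op, i, kids = text[i], i + 1, []
        while text[i] == "(":
            node, i = parse_filter(text, i)
            kids.append(node)
        return (op, kids), i + 1    # skip ')'
    end = text.index(")", i)
    attr, _, value = text[i:end].partition("=")   # first '=' only; DN values keep theirs
    return ("=", attr, value), end + 1

def matches(node, attrs):
    op = node[0]
    if op == "=":
        vals = [norm(v) for v in values(attrs, node[1])]
        return bool(vals) if node[2] == "*" else norm(node[2]) in vals
    if op == "&":
        return all(matches(k, attrs) for k in node[1])
    if op == "|":
        return any(matches(k, attrs) for k in node[1])
    return not matches(node[1][0], attrs)          # "!"

def in_scope(dn, base, scope):      # "base" or "sub" ("one" omitted for brevity)
    dn, base = norm(dn), norm(base)
    return dn == base or (scope == "sub" and dn.endswith("," + base))

def search(base, scope, flt):
    """What a client does for a memberURL: evaluate base/scope/filter itself."""
    node, _ = parse_filter(flt)
    return [dn for dn, attrs in DIRECTORY.items()
            if in_scope(dn, base, scope) and matches(node, attrs)]

def parse_ldap_url(url):
    """Split ldap://host:port/base?attrs?scope?filter (RFC 4516) into its parts."""
    parts = urlsplit(url)
    fields = parts.query.split("?") + ["", "", ""]
    attrs = fields[0].split(",") if fields[0] else []
    return (unquote(parts.path.lstrip("/")), attrs,
            fields[1] or "base", unquote(fields[2]) or "(objectClass=*)")

def members(group_dn):
    """Enumerate members whichever way the group is expressed (the mail-list use)."""
    attrs = entry(group_dn)
    found = [norm(dn) for dn in values(attrs, "uniqueMember")]       # static
    for url in values(attrs, "memberURL"):                             # dynamic
        base, _, scope, flt = parse_ldap_url(url)
        found += [norm(dn) for dn in search(base, scope, flt)]
    # Roles are inverted: membership is recorded on the user entry as nsRole.
    found += [norm(dn) for dn in search(SUFFIX, "sub", "(nsRole=%s)" % group_dn)]
    return sorted(set(found))

def is_member(user_dn, group_dn):   # the other use: may this user do X?
    return norm(user_dn) in members(group_dn)

def apache_allows(auth_ldap_url, require, uid):
    """Model auth_ldap: exactly one user under the URL's base must match the
    URL's filter AND (uid=...); then the 'require' line is applied."""
    base, _, scope, flt = parse_ldap_url(auth_ldap_url)
    hits = search(base, scope, "(&%s(uid=%s))" % (flt, uid))
    if len(hits) != 1:
        return False                # unknown or ambiguous user: deny
    if require == "valid-user":
        return True                 # the URL's filter already did the role check
    kind, _, group_dn = require.partition(" ")
    static = [norm(m) for m in values(entry(group_dn), "uniqueMember")]
    return kind == "group" and norm(hits[0]) in static
```

Two things worth noticing when running it: members("cn=HR,o=Airius") and members(HR_ROLE) return the same two users, but the first answer comes from the client walking the memberURL search (the work a mail server would have to do, subject to its own size limits), while the second comes from an attribute the server already put on each user, which is why a role check collapses into a single AuthLDAPURL filter and one search. Rejecting anything but exactly one hit in apache_allows is the deny-by-default posture you want for an auth lookup: an ambiguous uid must never be resolved to "whichever entry came back first".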