Re: [Fedora-directory-users] Ideas for fds

David Boreham wrote:

>> In the case of the VPN Template (and I only worked on this briefly a couple years back), I believe the checkpoint stuff worked like this:
>>
>> 1. They created a new vpntemplate schema extension of groupofuniquenames
>> 2. This extended group had attributes to limit times, hosts, and a bunch of other things they could access when connected to the VPN.
>> 3. When a user logged into the VPN, it would auth the user, then search for something like (&(objectclass=vpntemplate)(uniquemember=<authedusersdn>)).
>> 4. If that returned a group, these other attributes in the returned vpn group define what access the user has.
>
> Interesting. This was what role-based-cos was designed for.
> Would that have worked for this application?
> (user's role drives cos, which returns a set of attribute values
> on the user's entry from cos).

I think it would be feasible in that role-based cos could provide the equivalent end result (if the vendor changed their product to know how to look at roles?). Assuming a closed source COTS application, hardcoded to the above filter (looking at uniquemember for membership), is there a way to make role-based cos match on that search? I understand that changing apps to support roles should be easy, but unless you _can_ change the app, that doesn't help much, unfortunately. How widespread has adoption of Roles been (or does it need to be)? Maybe with the introduction of FDS into the open source world, that will change soon.

An example entry would be something like the following (making up the attributes and stuff, but the form is close enough as an example):

objectclass: top
objectclass: groupofuniquenames
objectclass: vpntemplate
accesstime: 0900-1800
accesshosts: host1.example.com
accesshosts: host2.example.com
uniquemember: uid=jdoe,ou=people,o=example.com
cn: Engineering VPN
...

From what I remember, that vpn server searched for the user's dn in uniquemember to find a template entry, and the above is what it is expecting to find. How would I set up Roles and CoS entries that would work without changing the app (is that possible)? Can I set up Roles/CoS that would populate the uniquemember attribute of the vpntemplate entry? Is that searchable? (If I remember correctly, early versions of CoS didn't allow you to search on cos-populated attributes; later versions might have, and I'm not sure where in that line FDS is.)

My job has tended to be more one of deploying existing software and finding a way to make it all work together, rather than being the developer writing the software (though I do do some coding), so I don't necessarily have the option of changing the app to use a new form. Some apps are _really_ bad (depend on specific tree structures, etc. - my "favorite" are those that are "ldap integrated", meaning "the first time you log in, it reads your info and copies it to a relational db and uses that from there on..."), and businesses don't always allow you to select apps based on how well they properly integrate against ldap :-(

Admittedly, I have not played with Roles too much - never _thought_ they really fit anything I was doing, but maybe it's time to take another look at them (esp if I can resolve the above with them :) ).

- Jeff
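The lookup Jeff describes (steps 3 and 4 in the quoted text: search for a vpntemplate group whose uniquemember holds the authenticated user's DN, then read the access attributes off that group) can be traced end to end without a directory server. The following is an added example written for this thread; it is not code from Jeff's or David's mail and not part of Fedora Directory Server. It embeds a constructed LDIF fragment modelled on Jeff's made-up entry, parses it, emulates the filter (&(objectclass=vpntemplate)(uniquemember=<dn>)), and then applies the accesstime/accesshosts values to a host and time of day. The meaning of accesstime (an HHMM-HHMM window) and accesshosts (a list of permitted hostnames) is an assumption, since Jeff only sketched the attributes. The one point worth noticing as a defender is that a membership check keyed on a DN string must normalise DN case and whitespace; a plain string compare silently denies (or, if the app is sloppy the other way, grants) access when the stored and presented DNs differ only cosmetically, and the decision is deny-by-default when no template matches.

```python
"""Added example: emulate the vpntemplate membership lookup from the thread.

All data here is constructed for illustration and is not taken from any
real directory. The filter (&(objectclass=vpntemplate)(uniquemember=<dn>))
is evaluated in-process so the access decision can be followed step by step.
"""
from datetime import time

# Constructed LDIF: one template group that lists jdoe, one that lists
# asmith with a DN written in different case/spacing than the app presents.
SAMPLE_LDIF = """\
dn: cn=Engineering VPN,ou=vpn,o=example.com
objectclass: top
objectclass: groupofuniquenames
objectclass: vpntemplate
accesstime: 0900-1800
accesshosts: host1.example.com
accesshosts: host2.example.com
uniquemember: uid=jdoe,ou=people,o=example.com
cn: Engineering VPN

dn: cn=Finance VPN,ou=vpn,o=example.com
objectclass: top
objectclass: groupofuniquenames
objectclass: vpntemplate
accesstime: 0800-1700
accesshosts: ledger.example.com
uniquemember: UID=asmith, OU=People, O=example.com
cn: Finance VPN
"""


def parse_ldif(text):
    """Parse minimal LDIF into a list of {attribute: [values]} dicts.
    Attribute names are lower-cased because LDAP attribute types are
    case-insensitive. Continuation lines and base64 (::) values are not
    handled; this is deliberately the simplest parser that fits the sample."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def normalize_dn(dn):
    """Simplified DN normalisation for comparison: case-fold and strip the
    whitespace around RDN separators and around '=' inside each RDN.
    Full RFC 4517 DN matching (escaped commas, multi-valued RDNs) is more
    involved; this covers the common case of cosmetic differences."""
    rdns = [p.strip() for p in dn.split(",")]
    return ",".join("=".join(x.strip() for x in rdn.split("=", 1))
                    for rdn in rdns).lower()


def find_vpn_templates(entries, user_dn):
    """Emulate (&(objectclass=vpntemplate)(uniquemember=<user_dn>))."""
    target = normalize_dn(user_dn)
    return [e for e in entries
            if "vpntemplate" in (v.lower() for v in e.get("objectclass", []))
            and any(normalize_dn(m) == target
                    for m in e.get("uniquemember", []))]


def parse_window(spec):
    """Turn 'HHMM-HHMM' (assumed accesstime format) into two time objects."""
    start, end = spec.split("-")
    return (time(int(start[:2]), int(start[2:])),
            time(int(end[:2]), int(end[2:])))


def vpn_access(entries, user_dn, host, at):
    """Return the cn values of the templates that grant user_dn access to
    host at time-of-day at. Empty list means deny: no matching template,
    host not listed, or outside every accesstime window."""
    granted = []
    for tmpl in find_vpn_templates(entries, user_dn):
        hosts = {h.lower() for h in tmpl.get("accesshosts", [])}
        if host.lower() not in hosts:
            continue
        windows = [parse_window(w) for w in tmpl.get("accesstime", [])]
        if any(start <= at <= end for start, end in windows):
            granted.append(tmpl["cn"][0])
    return granted


if __name__ == "__main__":
    directory = parse_ldif(SAMPLE_LDIF)
    jdoe = "uid=jdoe,ou=people,o=example.com"
    print(vpn_access(directory, jdoe, "host1.example.com", time(10, 0)))
    print(vpn_access(directory, jdoe, "host1.example.com", time(19, 0)))
    print(vpn_access(directory, "uid=asmith,ou=people,o=example.com",
                     "ledger.example.com", time(12, 30)))
```

Run it as a script to see an allow, a time-window deny and the asmith case where only DN normalisation makes the membership match. Against a real server the same logic is what the VPN product performs with one subtree search; the emulation is only to make the decision steps visible.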

--
Fedora-directory-users mailing list
Fedora-directory-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users
