Re: [Fedora-directory-users] Ideas for fds

David Boreham wrote:


From what I remember, that VPN server searched for the user's DN in uniquemember to find a template entry, and the above is what it is expecting to find. How would I set up Roles and CoS entries that would work without changing the app (is that possible)? Can I set up Roles/CoS that would populate the uniquemember attribute of the vpntemplate entry? Is that searchable (if I remember correctly, early versions of CoS didn't allow you to search on CoS-populated attributes, later versions might have, and I'm not sure where in that line FDS is)?

Yeah, I don't know about this. I was more interested in the semantics of the Checkpoint application behavior, which I think are easily implemented with role-based CoS (the end result is that the user entry has the necessary VPN cruft on it directly, with no need to indirect to the template entry at the client end).

If an existing application can be made to simply fetch its per-user parameters
from attributes on the user's entry, then roles/CoS will work fine.

The problem lies in what happens if the user is part of multiple templates. For example, one template may say I can access host 1 and 2 from 9am to 5pm, and another template may say I can access host 3 (no time specification, so any time), etc. If I use roles to merge all the values from all these templates into the user's entry, I may get something like host 1, 2, and 3 are allowed only from 9am-5pm, depending on how the templates are organized/defined by the vendor, which is different from what I had intended. FWIW, as I remember it, the Checkpoint product did allow these in the user's entry, and I think it broke if a user was actually part of more than one template, but I was trying to speak generically vs. a particular product :).

Just to be clear: I don't expect (nor require) that there are any
applications that 'support' roles. All the applications need to do
is to support regular ldap attributes on the user entries.

Sorry - bad wording on my part. When I say "support roles", that includes the case where I can read the info from the user's entry as you specified. I think it just comes down to being creative in the use of roles, and in some cases, nothing will help.

- Jeff
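The setup David and Jeff are discussing, written out as an added LDIF illustration (this is not from the thread and not from any VPN vendor's schema). It shows the role-based classic CoS that puts template values directly on the user entry, and the flattening problem Jeff raises when one user is in two roles. The suffix dc=example,dc=com, the role names, the cn=cosTemplates container and the attributes vpnHost and vpnAccessHours are all assumptions standing in for whatever the application really reads; the role, CoS and template object classes and the cosSpecifier/cosTemplateDn/cosAttribute mechanics are the standard FDS/389 DS ones.

```ldif
# Added example, not code from the original message. Assumed names:
# dc=example,dc=com, VPNOfficeHoursRole, VPNAnyTimeRole, cn=cosTemplates,
# and the hypothetical attributes vpnHost / vpnAccessHours.

# 0. Container that will hold the CoS templates.
dn: cn=cosTemplates,ou=People,dc=example,dc=com
objectClass: top
objectClass: nsContainer
cn: cosTemplates

# 1. Two managed roles. A user is in a managed role when the role's DN is
#    listed in the user's nsRoleDN attribute; the server then computes the
#    virtual nsRole attribute on that user.
dn: cn=VPNOfficeHoursRole,ou=People,dc=example,dc=com
objectClass: top
objectClass: LDAPsubentry
objectClass: nsRoleDefinition
objectClass: nsSimpleRoleDefinition
objectClass: nsManagedRoleDefinition
cn: VPNOfficeHoursRole

dn: cn=VPNAnyTimeRole,ou=People,dc=example,dc=com
objectClass: top
objectClass: LDAPsubentry
objectClass: nsRoleDefinition
objectClass: nsSimpleRoleDefinition
objectClass: nsManagedRoleDefinition
cn: VPNAnyTimeRole

# 2. A classic CoS definition keyed on nsRole. For each nsRole value on a
#    user the server looks for the template cn="<role DN>",<cosTemplateDn>
#    and presents that template's vpnHost / vpnAccessHours on the user as
#    virtual attributes, so the application only has to read the user entry.
#    The merge-schemes qualifier returns the values of every matching
#    template together; without it only one template (by cosPriority) wins.
dn: cn=VPNRoleCoS,ou=People,dc=example,dc=com
objectClass: top
objectClass: LDAPsubentry
objectClass: cosSuperDefinition
objectClass: cosClassicDefinition
cosTemplateDn: cn=cosTemplates,ou=People,dc=example,dc=com
cosSpecifier: nsRole
cosAttribute: vpnHost merge-schemes
cosAttribute: vpnAccessHours merge-schemes

# 3. One template per role. The template's cn is the full role DN, quoted.
#    extensibleObject lets the template carry the application's attributes.
dn: cn="cn=VPNOfficeHoursRole,ou=People,dc=example,dc=com",cn=cosTemplates,ou=People,dc=example,dc=com
objectClass: top
objectClass: extensibleObject
objectClass: cosTemplate
vpnHost: host1
vpnHost: host2
vpnAccessHours: 0900-1700

dn: cn="cn=VPNAnyTimeRole,ou=People,dc=example,dc=com",cn=cosTemplates,ou=People,dc=example,dc=com
objectClass: top
objectClass: extensibleObject
objectClass: cosTemplate
vpnHost: host3

# 4. A user in both roles. Reading this entry back yields
#      vpnHost: host1, host2, host3
#      vpnAccessHours: 0900-1700
#    with nothing tying the time window to host1/host2 alone. That is the
#    flattening described above: an application that reads the user entry
#    will apply 0900-1700 to host3 as well.
dn: uid=alice,ou=People,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
uid: alice
cn: Alice Example
sn: Example
nsRoleDN: cn=VPNOfficeHoursRole,ou=People,dc=example,dc=com
nsRoleDN: cn=VPNAnyTimeRole,ou=People,dc=example,dc=com
```

Load it with ldapadd against the server and then read uid=alice back with ldapsearch asking explicitly for vpnHost, vpnAccessHours and nsRole (virtual attributes are returned when requested by name). The point of the example is the last entry: as long as the application's template semantics are "a bag of independent values", role-based CoS reproduces them on the user entry; as soon as one template's values qualify another's (hosts scoped by a time window), merging the templates onto one entry loses that pairing, and no CoS qualifier restores it.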

--
Fedora-directory-users mailing list
Fedora-directory-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users
