Chen Shaopeng wrote:
Right. So the trick is modeling the objects and services _external_ to the DIT with entries _inside_ the DIT. This requires not only schema in the LDAP server but also application support. For example, many different types of users are already modeled (e.g. inetOrgPerson, posixUser, etc.) as well as groups and other NIS information. The PAM modules must know about this LDAP schema information in order to use it e.g. for host based access control, PAM and NSS must know that the "host" attribute in the user's entry holds a list of hostnames which that user is allowed access to.speedy zinc wrote:Hi all, Sorry if the question is not FDS-specific. I'm a university student and trying to learn how LDAP is used in managing access control. I can setup FDS, create basic schema (mostly user information), setup postfix to use FDS as authentication server, set up PAM on linux to use FDS as authentication server, etc. But that's only limited to user authentication. Everyone is talking about how LDAP can be used to manage access, in fact, it is on every vendor's features list. But I've never seen a real example of how it is used. Maybe I'm dumb, but I just couldn't imagine how it is set up and used.You should download the FDS documentation, especially the admin guide. There is a whole chapter (chapter 6) on the topic of access control.Let's take the following scenario. I have a network of servers, running different services and applications. Let's say, I called my machines M1, M2, M3, and called the services S1, S2, S3. All machines runs all 3 services. I have 3 groups of users, G1, G2, G3. Now, the question is, how can use LDAP to manage access control of my users? Let's say, I want to let users in G1 to access S1 and S2 on M1 only. And here are the requirements: G1 -> M1(S1, S2) G2 -> M1(S3), M2(S1, S2, S3) G3 -> M3(S1, S2, S3) Maybe I'm not understanding the meaning of "access control" correctly. But I just could not figure out how to set up to achieve this goal. What I want to know, besides the standard schema for storing user information, how do I: - define the schema for storing access control information? - tell the servers and services that specific user has what access permissions? - define extensible schema, so that if I add more servers and applications to my network, I can add new access control information without having to re-design the schema? If I have to use any features that are specific to FDS (ie. non-standard), so be it. Gurus on this list, mind giving any hint on that? Or if anyone could give a real life example, that wouldgreat.Again, read the chapter on access control in the admin guide. I think your understanding of access control is not totally correct, not when you refer to access control in LDAP. The concept of access control refers to access to the information _in_ the LDAP DIT.
In your case above, you first have to make sure how your machines or applications are going to reject access request from unauthorized users. And if you are going to use LDAP to keep your "permissions" information, you need to make sure that all your apps are LDAP-enabled. You can have your apps act as a proxy to LDAP, then query user's "permission" to operate your applications. Then the apps would act accordingly. Maybe someone here has better idea. csp
Attachment:
smime.p7s
Description: S/MIME Cryptographic Signature
-- Fedora-directory-users mailing list Fedora-directory-users@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-directory-users
