[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: sets and ldap:// searches

To: Christian Kratzer <ck@cksoft.de>
Subject: Re: sets and ldap:// searches
From: Michael StrÃder <michael@stroeder.com>
Date: Sun, 15 Dec 2013 13:36:05 +0100
Cc: openldap-devel@openldap.org
In-reply-to: <alpine.BSF.2.00.1312142051150.59400@pohjola.cksoft.de>
References: <52AC3CDC.3030209@stroeder.com> <alpine.BSF.2.00.1312142051150.59400@pohjola.cksoft.de>
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:25.0) Gecko/20100101 Firefox/25.0 SeaMonkey/2.22

Christian Kratzer wrote:
> Hi Michael,
> 
> On Sat, 14 Dec 2013, Michael StrÃder wrote:
> 
>> HI!
>>
>> I used this FAQ entry to use set-based ACLs for my current task:
>>
>> http://www.openldap.org/faq/data/cache/1133.html
>>
>> There's written:
>>
>> "We could make this more powerful (and more complex and costly to compute)
>> by allowing base sets to be built from LDAP filters. This is something to
>> consider, because the combination of filters and sets (which have little
>> overlap in what they can express) is very powerful. This is partially provided
>> by the URI expansion capability."
>>
>> Was this ever implemented? It would be helpful. IMO using 'this' and/or 'user'
>> in [ldap://] sets would make evaluating the set-based <who> clause faster if
>> attributes used in LDAP URLs are properly indexed.
>>
>> Background:
>> My aim is to configure Linux clients all the same (search base, filter etc.)
>> but let each *machine* individually authenticate against OpenLDAP server.
>> Then only the users who are members of groups with login rights on this
>> particular server should be visible to the Linux client.
>> So the goal is to filter user/groups at the OpenLDAP server and *not* in the
>> Linux client (e.g. by sssd configuration or similar).
>> For now it seems only possible to do this with set-based ACLs given all the
>> requirements I have.
> 
> I needed to restrict users seen be a spefic application to users that are
> member in the respective applications group.
> 
> I cheated by not checking the group but the memberOf: attribute in the entries
> I intended to filter.
> 
>     olcAccess:
>       to dn.children="dc=example,dc=org"
> filter="(memberOf=cn=application1-group,ou=groups,dc=example,dc=org)"
>       by dn.base="cn=application1-user,ou=system,dc=example,dc=org" read
>     olcAccess:
>       to dn.children="dc=example,dc=org"
> filter="(memberOf=cn=application2-group,ou=groups,dc=example,dc=org)"
>       by dn.base="cn=application2-user,ou=system,dc=example,dc=org" read
>     olcAccess:
>       to dn.children="dc=example,dc=org"
> filter="(memberOf=cn=application3-group,ou=groups,dc=example,dc=org)"
>       by dn.base="cn=application3-user,ou=system,dc=example,dc=org" read
> 
> The performance implictations of these kind of acl should be ok from my
> understanding as they only apply to the specific applications user.

Thanks for sharing your ACLs.

But in my case it's a strong requirement that ACLs are generic and do not
contain any names. So you in your case one could add more applications just by
adding entries without having to touch any ACLs at all.

AFAICT something like this can only be done with set-based ACLs.

Ciao, Michael.

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

References:
- sets and ldap:// searches
  - From: Michael Ströder <michael@stroeder.com>

Prev by Date: sets and ldap:// searches
Index(es):
- Chronological
- Thread