[Date Prev][Date Next] [Chronological] [Thread] [Top]

Role-based whatever in OpenLDAP

Using: openldap 2.1.29, bdb backend 4.2.52, i386

It's time to play with roles :-) It is said "role is a kind of group with
associated permissions". That's quite clear for me.
Now, how do I play with it? I could probably create some roles,
basing on schema and role-related objectclasses, then associate roles with
one or more users. But what I'd like to use roles for is allowing
or denying users in my ou=People access to services "described" with

E.g. I'd like to define a role, which allows user being member of,
accessing sshd or apache. This may be number of port e.g., or (better:-),
allowing to access particular application. E.g. I created on my
system some simple app ("rhttpd") which uses some kind of
"system" function (without input, whatever). Let this application
be SUID'ed, and let's say function executes "/etc/init.d/apache restart"
command. The code (probably not needed, however..) would look like:

        main () {
                system("/etc/init.d/apache restart");

Now I'd like system to check whether particular logged user is allowed
to execute /usr/bin/rhttpd. I could of course manipulate chmod and unix
groups permissions (stored e.g. in LDAP), but my question is, whether
I understand roles properly, and if this is what roles should be used
And, of course, I my direction of thinking is appropriate - what should I
read to move on with this? At least with tcp/udp port access? (There's
probably some way of keeping hosts.allow/hosts.deny in LDAP anyway, but
it's not the point - what about these roles and what should I do
to play with it? :)