AW: Permission management with LDAP
- To: Dieter Klünter <dieter@dkluenter.de>, "openldap-technical@openldap.org" <openldap-technical@openldap.org>
- Subject: AW: Permission management with LDAP
- From: "Fischer, Johannes" <johannes.fischer@ipa.fraunhofer.de>
- Date: Tue, 1 Sep 2015 06:21:34 +0000
- Accept-language: en-US
- Content-language: de-DE
- In-reply-to: <EA7399765D4E5A44848CEFE00AE00BAC92DE69@IPA-EX-MBX2.ipa.stuttgart>
- References: <EA7399765D4E5A44848CEFE00AE00BAC92DCEF@IPA-EX-MBX2.ipa.stuttgart> <20150828093604.60a7e18e@pink.avci.de> <EA7399765D4E5A44848CEFE00AE00BAC92DE69@IPA-EX-MBX2.ipa.stuttgart>
- Thread-index: AdDhVemhZj15ZGJ4QneJsybtCegb+P//+wkA//+TGVD/+UIREA==
- Thread-topic: Permission management with LDAP
Hi again,
I did not get what I wanted to get.
With the memberof overlay I get a structure as expected:
User
-memberOfGroup
groupOfPermission
- member
- permission
Permission
-memberOfGroup
With every update of groupOfPermission the links to the User and Permission class are generated. So far so good.
If I want to check if a user has some Permission, I still have to collect the memberOfGroup attributes from the Permission class. Then I am able to search for the corresponding link between user and permission:
like (&(uid=$1)(memberOf=(Permission.getAll(memberOfGroup))))
This works BUT it requires two interactions with the server. This is an all-time problem. Is there a better solution with some magic LDAP overlay?
Greetings John
PS. We want a mapping of permissions to Users; this way a fine-granular mapping of permissions to Groups to Users is possible at any time.
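The one-shot check John sketches above, (&(uid=$1)(memberOf=...)) with the permission's memberOfGroup values expanded into an OR, written out as an added example; this is not code from the thread or from OpenLDAP. It assumes the group DNs come back from a first search of the Permission entry, so both they and the uid are escaped per RFC 4515 before being placed in the filter; the permission entry and DNs are constructed sample data.

```python
# Build the second-step filter of the two-step permission check with
# RFC 4515 escaping, so that a uid taken from a login form or a DN taken
# from an earlier search result cannot change the filter's structure.

# Constructed sample Permission entry (hypothetical, not from the list post).
PERMISSION_ENTRY = {
    "cn": "perm:read-reports",
    "memberOfGroup": [
        "cn=reporting,ou=groups,dc=example,dc=com",
        "cn=auditors,ou=groups,dc=example,dc=com",
    ],
}


def escape_filter_value(value: str) -> str:
    """Escape an assertion value as RFC 4515 section 3 requires.

    The characters '\\', '*', '(', ')' and NUL are replaced by a backslash
    followed by their two-digit hex code; everything else passes through.
    """
    return "".join(
        "\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value
    )


def build_authz_filter(uid: str, group_dns) -> str:
    """Return the filter answering 'is uid a member of any of these groups?'.

    Equivalent to (&(uid=$1)(memberOf=Permission.getAll(memberOfGroup)))
    from the post, with the group list expanded into an OR of memberOf
    assertions that slapo-memberof(5) can evaluate in a single search.
    """
    if not group_dns:
        # No group grants this permission: return a filter that never matches.
        return "(!(objectClass=*))"
    uid_term = "(uid=%s)" % escape_filter_value(uid)
    member_terms = "".join(
        "(memberOf=%s)" % escape_filter_value(dn) for dn in group_dns
    )
    if len(group_dns) == 1:
        return "(&%s%s)" % (uid_term, member_terms)
    return "(&%s(|%s))" % (uid_term, member_terms)


if __name__ == "__main__":
    print(build_authz_filter("john", PERMISSION_ENTRY["memberOfGroup"]))
    # A uid containing filter metacharacters stays a single assertion value:
    print(build_authz_filter("john)(uid=*", PERMISSION_ENTRY["memberOfGroup"]))
```

A non-empty result set for this filter (with the memberOf attribute populated by the overlay) means the user holds the permission; an empty one means not.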
-----Original Message-----
From: openldap-technical [mailto:openldap-technical-bounces@openldap.org] On behalf of Fischer, Johannes
Sent: Friday, 28 August 2015 14:17
To: Dieter Klünter
Cc: openldap-technical@openldap.org
Subject: AW: Permission management with LDAP
Hi,
I've tried your idea. It worked well with groupOfNames.
Then I've tried to implement the memberof overlay for a user-specific objectClass:
Dn: olcOverlay={1}
objectClass: olcConfig
objectClass: olcOverlayConfig
objectClass: olcMemberOf
olcOverlay: memberof
olcMemberOfDangling: ignore
olcMemberOfRefInt: TRUE
olcMemberOfGroupOC: GroupOfPermissions
olcMemberOfMemberAD: permissionMember
olcMemberOfMemberOfAD: member
While adding the ldif, I get: unable to find group objectClass="GroupOfPermissions"
The objectClass is available on the server and is a self-created objectClass.
Do I have to include some paths to announce the objectClass?
Greetings John
-----Original Message-----
From: Dieter Klünter [mailto:dieter@dkluenter.de]
Sent: Friday, 28 August 2015 09:36
To: Fischer, Johannes
Cc: openldap-technical@openldap.org
Subject: Re: Permission management with LDAP
On Fri, 28 Aug 2015 06:06:06 +0000,
"Fischer, Johannes" <johannes.fischer@ipa.fraunhofer.de> wrote:
> Hi again,
>
> I didn't want to do thread hijacking, so here is a second mail with a
> completely different question
>
> If I have a structure like:
> User
>   - Role
> Role
>   - User
>   - Permission
> Permission
>   - Role
>
> Now I want to get the authorization for some permission, so I have the
> information which user and which Permission. Now I need to match the
> list. The way it already works: get all Roles for a Permission;
> search in the user for the Role; if found, Authorization,
> else no. Therefore I need at least two requests to the LDAP server.
For this sort of task I use slapo-memberof(5) and a proper filter.
Something like (&(uid=$1)(memberOf=myGroup))
-Dieter
--
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E