[Date Prev][Date Next] [Chronological] [Thread] [Top]

AW: Permission management with LDAP

To: Dieter Klünter <dieter@dkluenter.de>, "openldap-technical@openldap.org" <openldap-technical@openldap.org>
Subject: AW: Permission management with LDAP
From: "Fischer, Johannes" <johannes.fischer@ipa.fraunhofer.de>
Date: Thu, 3 Sep 2015 06:38:24 +0000
Accept-language: en-US
Content-language: de-DE
In-reply-to: <20150901092930.6fa38ade@pink.avci.de>
References: <EA7399765D4E5A44848CEFE00AE00BAC92DCEF@IPA-EX-MBX2.ipa.stuttgart> <20150828093604.60a7e18e@pink.avci.de> <EA7399765D4E5A44848CEFE00AE00BAC92DE69@IPA-EX-MBX2.ipa.stuttgart> <EA7399765D4E5A44848CEFE00AE00BAC92E1AA@IPA-EX-MBX2.ipa.stuttgart> <20150901092930.6fa38ade@pink.avci.de>
Thread-index: AdDhVemhZj15ZGJ4QneJsybtCegb+P//+wkA//+TGVD/+UIREIANclMA//zJ1yA=
Thread-topic: Permission management with LDAP

I have some trouble to realize a search, based on the  set.

Just to get in touch with the syntax I've tried to return all member DNs listed in cn=admin with no result:

(&
    (cn=admin,ou=groups,dc=vfk,dc=ldap,dc=com/member)
    (objectClass=*)
)

When I try to add the "[]" a bad char error appear:

(&
    ([cn=admin,ou=groups,dc=vfk,dc=ldap,dc=com]/member)
    (objectClass=*)
)

Yesterday I've had the right search request, but then the phone rang and after 20minutes on the phone I couldn’t remember the search request.

Thank you for your help

John


-----Ursprüngliche Nachricht-----
Von: openldap-technical [mailto:openldap-technical-bounces@openldap.org] Im Auftrag von Dieter Klünter
Gesendet: Dienstag, 1. September 2015 09:30
An: openldap-technical@openldap.org
Betreff: Re: Permission management with LDAP

Am Tue, 1 Sep 2015 06:21:34 +0000
schrieb "Fischer, Johannes" <johannes.fischer@ipa.fraunhofer.de>:

> Hi again,
> 
> I did not get what I want to get.
> With the memberof overlay I get a structure like expected:
> User
> 	-memberOfGroup
> groupOfPermission
> 	- member
> 	- permission
> Permission
> 	-memberOfGroup
> 
> With every update of groupOfPermission the links to the User and 
> Permission class are generated. So far so good
> 
> If I want to check if a user have some Permission, I still have to 
> collect the memberOfGroup attributes from the Permission class. Then I 
> am able to search for the corresponding link between user and
> permission: like
> (&(uid=$1)(memberOf=(Permission.getAll(memberOfGroup)))) This work BUT 
> it require two interactions with the server. This is a all-time 
> problem, Is there a better solution with some magic LDAP overlay.
> 
> PS. We want a mapping of permission to User, this way a fine granular 
> mapping of permissions to Groups to User is possible. At every time.

you may test sets
http://www.openldap.org/faq/data/cache/1133.html

If you do have some spare time in November, you may attend LDAP Conference 2015 at Edinburgh http://ldapcon.org/2015/ Shawn McKinney's paper on Security Access Control Engine is quite promising, and Michael Stroeder's paper on a users management system may give you some insights to your tasks.

-Dieter

> 
> -----Ursprüngliche Nachricht-----
> Von: openldap-technical
> [mailto:openldap-technical-bounces@openldap.org] Im Auftrag von 
> Fischer, Johannes Gesendet: Freitag, 28. August 2015 14:17 An: Dieter 
> Klünter Cc: openldap-technical@openldap.org
> Betreff: AW: Permission management with LDAP
> 
> Hi,
> 
> I've tried your  idea. It worked well with groupOfNames.
> Then I've tried to implement the memberof overlay for a user specific
> objectClass: Dn: olcOverlay={1}
> objectClass: olcConfig
> objectClass: olcOverlayConfig
> objectClass: olcMemberOf
> olcOverlay: memberof
> olcMemberOfDangling: ignore
> olcMemberOfRefInt: TRUE
> olcMemberOfGroupOC: GroupOfPermissions
> olcMemberOfMemberAD: permissionMember
> olcMemberOfMemberOfAD: member
> 
> While adding the ldif, a "unable to find group objectClass="
> GroupOfPermissions "" The objectClass is available on the server and 
> is a self created objectclass. Do I have to include some paths to 
> announce the objectClass?
> 
> Greetings John
> 
> 
> -----Ursprüngliche Nachricht-----
> Von: Dieter Klünter [mailto:dieter@dkluenter.de]
> Gesendet: Freitag, 28. August 2015 09:36
> An: Fischer, Johannes
> Cc: openldap-technical@openldap.org
> Betreff: Re: Permission management with LDAP
> 
> Am Fri, 28 Aug 2015 06:06:06 +0000
> schrieb "Fischer, Johannes" <johannes.fischer@ipa.fraunhofer.de>:
> 
> > Hi again,
> > 
> > I didn’t want to do a thread high jacking so here a second mail with 
> > a complete other question
> > 
> > If I’have a structure like:
> > User
> > 
> > -          Role
> > Role
> > 
> > -          User
> > 
> > -          Permission
> > Permission
> > 
> > -          Role
> > 
> > Now I want to get the authorization for some permission, So I have 
> > the information which user and which Permission. Now I need to match 
> > the list. The way it already work: Get all Roles for a Permission 
> > Search in the user for the Role If found Authorization Else no 
> > Therefore I need at least two requests to the LDAP server
> 
> For this sort of tasks I use slapo-memberof(5) and a proper filter. 
> Something like (&(uid=$1)(memberOf=myGroup))
> 
> -Dieter
> 
> --
> Dieter Klünter | Systemberatung
> http://sys4.de
> GPG Key ID: E9ED159B
> 53°37'09,95"N
> 10°08'02,42"E



--
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E

Follow-Ups:
- Re: AW: Permission management with LDAP
  - From: Uwe Werler <uwe.werler@retiolum.eu>

References:
- AW: Permission management with LDAP
  - From: "Fischer, Johannes" <johannes.fischer@ipa.fraunhofer.de>
- Re: Permission management with LDAP
  - From: Dieter Klünter <dieter@dkluenter.de>

Prev by Date: AW: Send Success with first found entry
Next by Date: Re: AW: Permission management with LDAP
Index(es):
- Chronological
- Thread