
Re: role based authorization -> dynacl module?



> On Apr 20, 2018, at 6:45 AM, Daniel Tröder <troeder@univention.de> wrote:
> 
> I am in the process of implementing a role concept via ACLs and hope for
> a hint so that I don't invent the wheel a second time.
> 

I applaud your decision to not reinvent the wheel but have doubts about using ACLs to accomplish this (more later).

> Specifically, it is about identity management for schools. A user
> (object) can have several roles in multiple schools. Permissions on
> other LDAP objects can thus differ depending on the role(s) the user and
> the object have in the same school(s).
> 

Classic RBAC scenario for sure.  Nice job using a standards-based approach btw.

> For example, a user could have been assigned the following roles that
> are scattered over several schools:
> → "Teacher" in school 1
> → "School admin" in school 2
> → "Parent" in school 3
> → both "Teacher" and "Staff" in school 4
> 
> ACLs should now be defined accordingly, e.g.
> → the role "teacher" at school X can reset the password for the role
> "student" at school X
> → the role "teacher" at school X *cannot* reset the password for the
> role "student" of school Y
> → the role "school administrator" at school X can reset the password for
> the roles "student" and "teacher" at school X
> → ...

Why use ACLs for fine-grained authZ?

Its drawbacks:
- Not standard / LDAPv3 server lock-in (might not be a problem for you)
- Difficult to maintain and test (complex)

To determine if it is necessary, another question: how are your applications interacting with the directory? Are they connecting using LDAPv3 operations (like search and bind), or is there a higher-level abstraction in place (like mod_authnz_ldap)?

> So far I have not seen any way to map such a construct via groups or
> sets without including a separate ACL for each group, which is a
> performance issue.
> Is there another way to map the role concept besides implementing an own
> dynacl module?

There are many ways to achieve RBAC using LDAP. Typically these other methods will use a library that gets embedded into your application to use for the security checks. That way the directory ACLs remain simple, and the bits corresponding to the policy live inside of objects that are stored within it, not in metadata for its config.

Disclaimer, I’m a PMC here:
http://directory.apache.org/fortress/

— Shawn
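
The school-scoped role check discussed in this thread, evaluated in the application instead of in directory ACLs, as an added example that is not part of the original message and is not Apache Fortress code. The `Entry` model, the `POLICY` table, the role and school names, and the rule that every role the target holds in the shared school must be covered are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Constructed policy from the thread's examples:
# (actor role, operation) -> target roles it may act on, within ONE school.
POLICY = {
    ("teacher", "reset_password"): {"student"},
    ("school_admin", "reset_password"): {"student", "teacher"},
}

@dataclass
class Entry:
    """A directory object with roles held per school (hypothetical model)."""
    name: str
    roles: dict = field(default_factory=dict)  # school -> set of role names

def is_permitted(actor: Entry, operation: str, target: Entry) -> bool:
    """Deny by default; grant only if one school links actor and target."""
    for school, actor_roles in actor.roles.items():
        target_roles = target.roles.get(school)
        if not target_roles:
            continue  # target holds no role in this school: no shared scope
        for role in actor_roles:
            allowed = POLICY.get((role, operation), set())
            # Assumption: every role the target holds in this school must be
            # covered, so a teacher cannot reset a student who is also staff.
            if target_roles <= allowed:
                return True
    return False

# Constructed sample data mirroring the role assignments listed in the thread.
alice = Entry("alice", {"school1": {"teacher"}, "school2": {"school_admin"},
                        "school3": {"parent"}, "school4": {"teacher", "staff"}})
bob = Entry("bob", {"school1": {"student"}})
carol = Entry("carol", {"school3": {"student"}})
dave = Entry("dave", {"school2": {"teacher"}})
erin = Entry("erin", {"school4": {"student", "staff"}})

if __name__ == "__main__":
    for target in (bob, carol, dave, erin):
        print(target.name, is_permitted(alice, "reset_password", target))
```

The role assignments stay as data on the objects and the rule table stays small, so adding a school adds no new rules.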