Hi guys,
I'm new to this list and to OpenLDAP.
I intend to set up an OpenLDAP server. I know I can register my users and their respective passwords.
Well, one thing is authentication, permission another.
Suppose I have users A, B, C and D, and services MAIL and PROXY.
My question is: How to give permission to A user to MAIL only, B user to MAIL and PROXY and D user to PROXY only, since my users/password base is unique ?
Thanks to all.
Linux Corporativo writes:
My question is: How to give permission to A user to MAIL only, B user to MAIL and PROXY and D user to PROXY only, since my users/password base is unique ?
First the service needs to authenticate the user: Normally Bind as the user - maybe with Kerberos if you use that, otherwise with DN and password which you ask the user first. Or ask for username instead of DN, and construct or search for the DN with that username before Binding.
Then, to authorize users for the services:
For each service, maintain a group whose members can use the service. The service can use the LDAP Compare operation to check if the group contains the user as a member. Typically object class groupOfNames with the users' DNs listed in the 'member' attribute.
If that scales poorly (you'd get 10000 members per group which each Compare must walk through), maybe you can denote access to the service in the user objects instead: In each user object, include an attribute which lists which services the user can use. Or the groups which denote these services, or whatever. Then the service checks if the user's object names the service or group which gives access to the service.
In this case, access controls must prevent users from modifying these attributes in their own entries, and from creating new user entries (with password and membership attribute). Otherwise they can grant themselves access to a service.
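The group-per-service layout from the reply, written out as an added example (not from the original thread). The suffix dc=example,dc=com, the ou=services and ou=people containers, and the olcDatabase={1}mdb target are constructed assumptions; A, B and D are the users from the question.

```ldif
# Constructed example: one groupOfNames per service.
# A -> MAIL only, B -> MAIL and PROXY, D -> PROXY only.
dn: cn=mail,ou=services,dc=example,dc=com
objectClass: groupOfNames
cn: mail
member: uid=A,ou=people,dc=example,dc=com
member: uid=B,ou=people,dc=example,dc=com

dn: cn=proxy,ou=services,dc=example,dc=com
objectClass: groupOfNames
cn: proxy
member: uid=B,ou=people,dc=example,dc=com
member: uid=D,ou=people,dc=example,dc=com

# After binding as the user, the MAIL service asks the server whether
# the group lists that user's DN.  ldapcompare answers TRUE (exit 6)
# or FALSE (exit 5), so no group entry is ever read or walked client-side:
#   ldapcompare -x -D "uid=A,ou=people,dc=example,dc=com" -W \
#       "cn=mail,ou=services,dc=example,dc=com" \
#       "member:uid=A,ou=people,dc=example,dc=com"

# Access control (cn=config style) for the point made above: authenticated
# users may only Compare against 'member', never read or write it, so a user
# cannot add their own DN to a group.  Users who could write 'member' would
# be able to grant themselves the service.  The rootdn bypasses this rule,
# so group maintenance stays with the administrator.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to dn.subtree="ou=services,dc=example,dc=com" attrs=member
  by users compare
  by * none
```

The same Compare-only rule applies if the service attribute lives in the user entries instead: grant users compare (or auth) on that attribute, not write, and keep entry creation under ou=people restricted to the administrator.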
openldap-software@openldap.org