Sets are for access control only and used internally at the server!
And sets are very fast in my experience on indexed attributes!
On 2015-09-03 08:38, Fischer, Johannes wrote:
I have some trouble realizing a search based on the set.
Just to get in touch with the syntax, I've tried to return all member DNs listed in cn=admin, with no result:
(& (cn=admin,ou=groups,dc=vfk,dc=ldap,dc=com/member) (objectClass=*) )
When I try to add the "[]", a bad char error appears:
(& ([cn=admin,ou=groups,dc=vfk,dc=ldap,dc=com]/member) (objectClass=*) )
Yesterday I had the right search request, but then the phone rang, and after 20 minutes on the phone I couldn't remember the search request.
Thank you for your help
John
-----Original Message----- From: openldap-technical [mailto:openldap-technical-bounces@openldap.org] On Behalf Of Dieter Klünter Sent: Tuesday, 1 September 2015 09:30 To: openldap-technical@openldap.org Subject: Re: Permission management with LDAP
On Tue, 1 Sep 2015 06:21:34 +0000, "Fischer, Johannes" johannes.fischer@ipa.fraunhofer.de wrote:
Hi again,
I did not get what I want to get. With the memberof overlay I get a structure like expected:
User
- memberOfGroup
groupOfPermission
- member
- permission
Permission
- memberOfGroup
With every update of groupOfPermission the links to the User and Permission class are generated. So far so good.
If I want to check if a user has some Permission, I still have to collect the memberOfGroup attributes from the Permission class. Then I am able to search for the corresponding link between user and permission, like (&(uid=$1)(memberOf=(Permission.getAll(memberOfGroup)))). This works BUT it requires two interactions with the server. This is an all-time problem. Is there a better solution with some magic LDAP overlay?
PS. We want a mapping of permission to User; this way a fine granular mapping of permissions to Groups to Users is possible, at every time.
You may test sets: http://www.openldap.org/faq/data/cache/1133.html
If you do have some spare time in November, you may attend LDAP Conference 2015 at Edinburgh (http://ldapcon.org/2015/). Shawn McKinney's paper on Security Access Control Engine is quite promising, and Michael Stroeder's paper on a user management system may give you some insights into your tasks.
-Dieter
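As an added example (not code from this thread or from OpenLDAP), the two-step lookup Johannes describes, written out in Python: first collect the memberOfGroup DNs from the Permission entry, then build the (&(uid=$1)(memberOf=...)) filter for the user search. Both the uid substituted for $1 and each DN are escaped per RFC 4515, so a caller-supplied value cannot close or extend the filter. The Permission entry, the dc=example,dc=com base and the function names are constructed assumptions.

```python
import re

# Constructed sample Permission entry (not from the thread); the base DN is an assumption.
PERMISSION_ENTRY = """\
dn: cn=readReports,ou=permissions,dc=example,dc=com
objectClass: Permission
cn: readReports
memberOfGroup: cn=auditors,ou=groups,dc=example,dc=com
memberOfGroup: cn=admins,ou=groups,
 dc=example,dc=com
"""

# RFC 4515: these characters must be hex-escaped inside a filter assertion value.
_ESCAPES = {'\\': r'\5c', '*': r'\2a', '(': r'\28', ')': r'\29', '\x00': r'\00'}

def escape_filter_value(value: str) -> str:
    """Escape a caller-supplied value so it can neither close nor extend the filter."""
    return ''.join(_ESCAPES.get(ch, ch) for ch in value)

def group_dns_from_ldif(ldif_text: str, attr: str = 'memberOfGroup') -> list:
    """Step 1: collect every value of `attr` from one LDIF entry.
    Folded lines (continuation starts with a space) are joined; base64 ('::') values are not handled."""
    unfolded = re.sub(r'\n ', '', ldif_text)
    values = []
    for line in unfolded.splitlines():
        name, sep, value = line.partition(':')
        if sep and name.strip().lower() == attr.lower():
            values.append(value.strip())
    return values

def permission_filter(uid: str, group_dns: list) -> str:
    """Step 2: build (&(uid=<uid>)(|(memberOf=<dn>)...)) for the second round trip.
    Both the uid (the $1 in the thread) and each DN are treated as untrusted values."""
    uid_clause = '(uid=%s)' % escape_filter_value(uid)
    if not group_dns:
        # No group grants the permission: return a filter that can never match.
        return '(&%s(!(objectClass=*)))' % uid_clause
    member = ''.join('(memberOf=%s)' % escape_filter_value(dn) for dn in group_dns)
    if len(group_dns) == 1:
        return '(&%s%s)' % (uid_clause, member)
    return '(&%s(|%s))' % (uid_clause, member)

def filter_for(uid: str, permission_ldif: str) -> str:
    """Both steps together: from the Permission entry to the user search filter."""
    return permission_filter(uid, group_dns_from_ldif(permission_ldif))

if __name__ == '__main__':
    print(filter_for('jfischer', PERMISSION_ENTRY))
    print(filter_for('*)(uid=*', PERMISSION_ENTRY))   # injection attempt stays inside one value
```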
-----Original Message----- From: openldap-technical [mailto:openldap-technical-bounces@openldap.org] On Behalf Of Fischer, Johannes Sent: Friday, 28 August 2015 14:17 To: Dieter Klünter Cc: openldap-technical@openldap.org Subject: Re: Permission management with LDAP
Hi,
I've tried your idea. It worked well with groupOfNames. Then I've tried to implement the memberof overlay for a user-specific objectClass:
dn: olcOverlay={1}
objectClass: olcConfig
objectClass: olcOverlayConfig
objectClass: olcMemberOf
olcOverlay: memberof
olcMemberOfDangling: ignore
olcMemberOfRefInt: TRUE
olcMemberOfGroupOC: GroupOfPermissions
olcMemberOfMemberAD: permissionMember
olcMemberOfMemberOfAD: member
While adding the LDIF, an "unable to find group objectClass="GroupOfPermissions"" error appears. The objectClass is available on the server and is a self-created objectClass. Do I have to include some paths to announce the objectClass?
Greetings John
-----Original Message----- From: Dieter Klünter [mailto:dieter@dkluenter.de] Sent: Friday, 28 August 2015 09:36 To: Fischer, Johannes Cc: openldap-technical@openldap.org Subject: Re: Permission management with LDAP
On Fri, 28 Aug 2015 06:06:06 +0000, "Fischer, Johannes" johannes.fischer@ipa.fraunhofer.de wrote:
Hi again,
I didn't want to do thread hijacking, so here is a second mail with a completely different question.
If I have a structure like:
User
- Role
- Role
Role
- User
- Permission
Permission
- Role
Now I want to get the authorization for some permission, so I have the information which user and which Permission. Now I need to match the list. The way it already works:
1. Get all Roles for a Permission
2. Search in the user for the Role
3. If found: authorization; else: no
Therefore I need at least two requests to the LDAP server.
For this sort of task I use slapo-memberof(5) and a proper filter, something like (&(uid=$1)(memberOf=myGroup)).
-Dieter
-- Dieter Klünter | Systemberatung http://sys4.de GPG Key ID: E9ED159B 53°37'09,95"N 10°08'02,42"E