Hello,
My boss wants to run everything from a server.
But he also wants me to make sure that some of the software is only used by some people. So the CAD software is only used by the drawers and not by the financial people.
Can I do this with openldap or, if it cannot be done, which software can I then use the best?
I work on Ubuntu Server 16.04 LTS.
Regards,
Roelof
On Tue, 23 May 2017 17:16:22 +0000, Roelof Wobben rwobben@hotmail.com wrote:
> Hello,
> My boss wants to run everything from a server.
> But he also wants me to make sure that some of the software is only used by some people. So the CAD software is only used by the drawers and not by the financial people.
> Can I do this with openldap or, if it cannot be done, which software can I then use the best?
In fact that depends on the software in question. If the software, or some controlling tool, is able to require authentication and authorization via ldap, you may go ahead.
-Dieter
2017-05-26 11:18 GMT+02:00 Dieter Klünter dieter@dkluenter.de:
> On Tue, 23 May 2017 17:16:22 +0000, Roelof Wobben rwobben@hotmail.com wrote:
>> Hello,
>> My boss wants to run everything from a server.
>> But he also wants me to make sure that some of the software is only used by some people. So the CAD software is only used by the drawers and not by the financial people.
>> Can I do this with openldap or, if it cannot be done, which software can I then use the best?
> In fact that depends on the software in question. If the software, or some controlling tool, is able to require authentication and authorization via ldap, you may go ahead.
Indeed. A lot of applications are able to use an LDAP directory for authentication, but fewer are able to use it for authorization. Authorization often relies on groups present in the LDAP directory.
If you have an application that is able to use an LDAP filter for authentication, then you can use the memberOf overlay in OpenLDAP and use the memberOf value in the LDAP filter to restrict access to this group.
Now, if you have some time to investigate, you should take a look at WebSSO and Access Management software. A lot of it is Free Software and works great with OpenLDAP.
Personally I am a developer of LemonLDAP::NG, so I could do nothing else than recommend this software. But there are a lot more, like Gluu, WSO2, CAS, Shibboleth, simpleSAMLphp... You need to try them to find the one that fits your needs.
Clément.
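The group-restricted login filter described in the message above, sketched as an added example (it is not part of the thread and is not LemonLDAP::NG or OpenLDAP code). The group DN, the uids and the small in-memory matcher that stands in for an LDAP search are constructed for illustration.

```python
import re

CAD_GROUP_DN = "cn=cad,ou=groups,dc=example,dc=com"  # constructed group DN

def escape_filter_value(value):
    """Escape the RFC 4515 special characters so input stays a literal value."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def login_filter(uid, group_dn=CAD_GROUP_DN):
    """Filter for the application: this account AND membership of the group."""
    return "(&(uid=%s)(memberOf=%s))" % (escape_filter_value(uid),
                                         escape_filter_value(group_dn))

def _unescape(value):
    """Turn \\xx escapes back into the characters they stand for."""
    return re.sub(r"\\([0-9a-fA-F]{2})",
                  lambda m: chr(int(m.group(1), 16)), value)

def matches(entry, ldap_filter):
    """Evaluate an AND of equality clauses, the only filter shape built above.
    Simplification: values are compared case-insensitively as plain strings."""
    clauses = re.findall(r"\(([A-Za-z]+)=([^()]*)\)", ldap_filter)
    return bool(clauses) and all(
        _unescape(value).lower() in (v.lower() for v in entry.get(attr, []))
        for attr, value in clauses)

# Constructed entries, shaped as the memberOf overlay would present them.
DIRECTORY = [
    {"uid": ["anna"], "memberOf": [CAD_GROUP_DN]},
    {"uid": ["frank"], "memberOf": ["cn=finance,ou=groups,dc=example,dc=com"]},
]

def may_log_in(uid):
    """True only if some entry matches both the uid and the group clause."""
    flt = login_filter(uid)
    return any(matches(entry, flt) for entry in DIRECTORY)

if __name__ == "__main__":
    for user in ("anna", "frank", "*"):
        print(user, login_filter(user), may_log_in(user))
```

Escaping the login name keeps a typed `*` or parenthesis from being read as filter syntax, so the group clause cannot be bypassed through the username field.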
??? What are you all talking about?
Just give all executables a 770 permission and create a group per software/software class. Then, add all allowed users to said groups (this is the part LDAP _can_ help). That's all ...
Cheers, Ralf Mattes
P.S.: what happened to the good ol' unix culture? ;-)
Thanks all. I now use Ubuntu 17.04 for the client and Ubuntu 16.06 LTS for the server.
So as I understand, LDAP can only be used for authentication, and for authorization I have to look for other software.
Roelof
________________________________
From: openldap-technical openldap-technical-bounces@openldap.org on behalf of Michael Ströder michael@stroeder.com
Sent: Friday, 26 May 2017 10:57
To: Ralf Mattes; openldap-technical@openldap.org
Subject: Re: Can I do this with openldap ?
Ralf Mattes wrote:
> P.S.: what happened to the good ol' unix culture? ;-)
I agree that it's a shame that file ownership and permissions are often simply overlooked.
But note that the original poster did not say anything at all about his OS environment.
Ciao, Michael.
Some of these applications may make use of licence managers such as FlexLM. FlexLM (or whatever it's called this week) has some rudimentary authorisation controls built in but no integration with LDAP. I've done some work to add that in our environment but it amounts to not much more than a cron job that keeps the LM's authorisation controls in sync with our service management process in LDAP.