Hi
We are using many applications like Zabbix, Phabricator, AC etc. We need to integrate LDAP in all these applications. These applications support LDAP but not group-based authentication.
Please let us know whether there is any option to restrict login to selected users. We created all users under the OU 'users'.
On these applications only certain users need to be able to log in. How can we restrict this, since we are not able to restrict it on the application side?
These applications provide only “Base DN” and “Search Attribute”, so we cannot give dn: ou=users,ou=system as it gives access to all users.
So is it possible to give the Base DN as “cn=Zabbix,ou=groups,ou=system”, where this group contains only user1 and user2? That would restrict the users.
Please let us know how we can implement this scenario. Thanks in advance; please help us solve this issue.
Thanks Geo
Please let me know whether it is possible to implement this idea. Also please let me know your thoughts.
Thanks Geo
Thanks & Regards, Geo P.C., www.geopc.co.cc
On Mon, May 6, 2013 at 3:51 PM, Geo P.C. pcgeopc@gmail.com wrote:
On Tuesday, May 07, 2013 11:11 AM +0530 "Geo P.C." pcgeopc@gmail.com wrote:
Please let me know is it possible to implement this idea?. Also please let me know your thoughts.
It is trivial as long as your application has an application specific bind dn. If it does, then you can restrict this via ACLs on the server side. For example:
access to dn.one="ou=users,dc=example,dc=com" filter="(myServiceAttr=zabbix)" attrs=uid,<other attrs> by dn.exact="cn=zabbix,cn=applications,dc=example,dc=com" read by * break
Each user entry would need to have "myServiceAttr" values that listed the service(s) they had access to (such as zabbix).
--Quanah
--
Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
1.) If you had a config parameter like a search filter in your application, you could use that to make unwanted users invisible to the application. But this means you can't use group entries, only dynamic groups, i.e. a group is an LDAP filter, e.g. "(allowedServices=Wordpress)", and you manage group privileges in a separate attribute allowedServices.
2.) You could also do this via ACLs in the server, each application using its own bind DN, which can then have read access to a subset of the data. Here you can use a.) group entries or b.) dynamic groups.
3.) Of course you could also have a separate replica for each application with filtered entries, but only with dynamic groups (see 1.), but that is a lot of overhead. Beware: combining this with 2., i.e. group ACLs on the replica bind DN, is a rathole; don't do that!
4.) IMHO the best option would be to file a feature request with the application developers for supporting LDAP groups.
If not 4.), my recommendation would be 2a.), being the minimally invasive alternative.
Hope this helps,
Peter
On 06.05.2013 12:21, Geo P.C. wrote:
After a second look, I must say that solution 2a is not doable. Complex ACL definitions with groups or sets can only be done on the <who> part of an ACL and not on the <what> part, which would have been needed for 2a.). Sorry.
Thus you can only go with dynamic groups and an attribute like allowedServices used in a filter (solution 1., 2b. or 3.).
My 2 cents; maybe someone else has another solution?
Cheers,
Peter
On 07.05.2013 14:21, Peter Gietz wrote:
--
Peter Gietz, CEO
DAASI International GmbH, Europaplatz 3, D-72072 Tübingen, Germany
phone: +49 7071 407109-0, fax: +49 7071 407109-9, email: peter.gietz@daasi.de, web: www.daasi.de
Registered office: Tübingen; Registration court: Amtsgericht Stuttgart, HRB 382175; Management: Peter Gietz
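Putting Quanah's ACL and Peter's solution 2b (per-application bind DN plus a dynamic-group attribute) together, here is a constructed example in cn=config LDIF form. It is added by the editor and is not from the thread, nor from the OpenLDAP project. It assumes an mdb database at olcDatabase={1}mdb with suffix dc=example,dc=com, a custom schema (not shown) that defines the attribute allowedServices and an auxiliary object class serviceUser that carries it, and one bind entry per application under ou=applications. Because the users sit one level below ou=users, the <what> clause uses dn.one; dn.base would match only the ou=users entry itself, so the filter would never be tested against a user. The second rule denies the Zabbix bind DN everything else under ou=users, so that "by * break" in the first rule cannot fall through to a later, more permissive rule.

```ldif
# Constructed sample data (not from the thread). Only user1 is allowed to use
# Zabbix; user2 may only use Phabricator.
# "allowedServices" and "serviceUser" are hypothetical names and must be
# defined in a custom schema before this LDIF will load.
dn: uid=user1,ou=users,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: serviceUser
uid: user1
cn: User One
sn: One
allowedServices: zabbix
allowedServices: phabricator

dn: uid=user2,ou=users,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: serviceUser
uid: user2
cn: User Two
sn: Two
allowedServices: phabricator

# One bind entry per application (solution 2b). The application is configured
# with this DN and password instead of an anonymous or admin bind.
dn: cn=zabbix,ou=applications,dc=example,dc=com
objectClass: applicationProcess
objectClass: simpleSecurityObject
cn: zabbix
userPassword: REPLACE-WITH-APPLICATION-SECRET

# ACLs for the database holding dc=example,dc=com (assumed to be {1}mdb).
# Rule {0}: the Zabbix bind DN may read the entry, uid and cn of users that
#   carry allowedServices=zabbix; "by * break" hands every other client on to
#   the later rules.
# Rule {1}: the Zabbix bind DN gets nothing else under ou=users, so a user
#   without allowedServices=zabbix is invisible to it and cannot log in.
# Users still authenticate by binding as themselves; "auth" access to
#   userPassword is granted by a later rule, not by these two.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to dn.one="ou=users,dc=example,dc=com"
  filter="(allowedServices=zabbix)" attrs=entry,uid,cn
  by dn.exact="cn=zabbix,ou=applications,dc=example,dc=com" read
  by * break
olcAccess: {1}to dn.one="ou=users,dc=example,dc=com"
  by dn.exact="cn=zabbix,ou=applications,dc=example,dc=com" none
  by * break
```

To verify the effect, bind as the application DN and search for each user: `ldapsearch -x -D cn=zabbix,ou=applications,dc=example,dc=com -W -b ou=users,dc=example,dc=com "(uid=user2)"` should return no entry, while the same search for user1 returns it, which is exactly what makes the application's login for user2 fail. For Peter's solution 1, where the application does expose a search filter, the same attribute works without any ACL: set the filter to something like `(&(uid=%u)(allowedServices=zabbix))`, where `%u` stands for whatever username placeholder the particular application uses (an assumption here; check the application's documentation).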
openldap-technical@openldap.org