Hi!
I have a question: You can define roles for authentication this way: Multiple DNs can be members of a group/role, and you can use group names when assigning ACLs. To authenticate, a user will use his DN and own password.
Now when a DN is member of multiple roles/groups, authenticating as member assigns all the rights each group/role has.
The idea of a role however is that a user "changes hats", depending on the task he is doing.
I wonder: Is it possible to authenticate with a group/role's DN and the user's (a member's) password?
Or is there some other mechanism to achieve what I want?
Regards, Ulrich
Ulrich Windl wrote:
I have a question: You can define roles for authentication this way:
You probably are talking about authorization, not authentication.
Multiple DNs can be members of a group/role, and you can use group names when assigning ACLs. To authenticate, a user will use his DN and own password.
Now when a DN is member of multiple roles/groups, authenticating as member assigns all the rights each group/role has.
It depends. Note that order of the ACLs and <who> clause within ACLs is significant.
The idea of a role however is that a user "changes hats", depending on the task he is doing.
I wonder: Is it possible to authenticate with a group/role's DN and the user's (a member's) password?
Or is there some other mechanism to achieve what I want?
You could allow a single authenticated user to define a certain authz identity. You should make yourself familiar with SASL authz-ID, proxy authz and authzTo/authzFrom attributes.
If you're still feeling hungry for more intellectual input you can dive into various RBAC approaches presented at LDAPcon 2011 and 2013.
But IMO there's not much point in doing so because if the user's credentials are intercepted the attacker can gain access to any role.
Ciao, Michael.
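As an added illustration of the authz-ID / proxy-authz mechanism Michael points to (this is not configuration from the thread or from the OpenLDAP project), here is a slapd.conf fragment in which a user binds with their own DN and password and then asserts a role DN as the authorization identity, so that ACLs are evaluated against the role rather than the union of all group memberships. The suffix dc=example,dc=com, the entries uid=ulrich, cn=hr-role, cn=audit-role and cn=admin are made up for the example; the directive names and value syntax follow slapd.conf(5) and should be checked against the installed version.

```conf
# Added example, not from the thread. All names under dc=example,dc=com
# are constructed for illustration.

# authz-policy "to": the entry of the *binding* user carries an authzTo
# attribute listing the identities it may assume. Without this directive
# (default "none") every proxied-authorization request is refused.
authz-policy to

# ACLs are written against the role DNs, not the user's own DN. A user who
# binds as uid=ulrich and does not assert a role falls through to "by * none".
access to dn.subtree="ou=hr,dc=example,dc=com"
    by dn.exact="cn=hr-role,ou=roles,dc=example,dc=com" write
    by dn.exact="cn=audit-role,ou=roles,dc=example,dc=com" read
    by * none

# authzTo is an operational attribute (no objectClass change needed); only
# the directory administrator may set it, the owner may read it.
access to attrs=authzTo
    by dn.exact="cn=admin,dc=example,dc=com" write
    by self read
    by * none

# The user entry (constructed LDIF) lists the roles it may switch to:
#
#   dn: uid=ulrich,ou=people,dc=example,dc=com
#   authzTo: dn.exact:cn=hr-role,ou=roles,dc=example,dc=com
#   authzTo: dn.exact:cn=audit-role,ou=roles,dc=example,dc=com
#
# Changing hats is then a per-operation choice made with the proxied
# authorization control, e.g. with the OpenLDAP client tools:
#
#   ldapwhoami -x -D "uid=ulrich,ou=people,dc=example,dc=com" -W \
#       -e authzid="dn:cn=hr-role,ou=roles,dc=example,dc=com"
#
# slapd checks the asserted DN against the binding entry's authzTo values
# and, if it is not listed, rejects the operation instead of silently
# falling back to the user's own identity.
```

The role entries themselves need no members: the "membership" is expressed by the authzTo values on the user entry, and only the role actually asserted on a given operation is effective, which is the per-task behaviour the question asks for. What this does not give you is a fresh authentication on each role change; the bind credentials are the same for every role the user is allowed to assume.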
Michael Ströder michael@stroeder.com wrote on 09.12.2014 at 15:47 in message 54870B9E.2080306@stroeder.com:
Ulrich Windl wrote:
I have a question: You can define roles for authentication this way:
You probably are talking about authorization, not authentication.
OK!
Multiple DNs can be members of a group/role, and you can use group names when assigning ACLs. To authenticate, a user will use his DN and own password.
Now when a DN is member of multiple roles/groups, authenticating as member assigns all the rights each group/role has.
It depends. Note that order of the ACLs and <who> clause within ACLs is significant.
But you use the role name for <who>, right?
The idea of a role however is that a user "changes hats", depending on the task he is doing.
I wonder: Is it possible to authenticate with a group/role's DN and the user's (a member's) password?
Or is there some other mechanism to achieve what I want?
You could allow a single authenticated user to define a certain authz identity. You should make yourself familiar with SASL authz-ID, proxy authz and authzTo/authzFrom attributes.
If you're still feeling hungry for more intellectual input you can dive into various RBAC approaches presented at LDAPcon 2011 and 2013.
Any paper or URI for that?
But IMO there's not much point in doing so because if the user's credentials are intercepted the attacker can gain access to any role.
Correct.
Ciao, Michael.
Thank you for answering!
Regards, Ulrich
(Please get the citation correctly wrapped so I don't have to re-edit it.)
Ulrich Windl wrote:
Michael Ströder michael@stroeder.com wrote:
Ulrich Windl wrote:
Multiple DNs can be members of a group/role, and you can use group names when assigning ACLs. To authenticate, a user will use his DN and own password. Now when a DN is member of multiple roles/groups, authenticating as member assigns all the rights each group/role has.
It depends. Note that order of the ACLs and <who> clause within ACLs is significant.
But you use the role name for <who>, right?
In simple and most cases, yes.
But it does not mean that the roles are all effective at the *same* time. You can influence the control flow of the ACLs and stop before ACLs or skip ACLs.
If you're still feeling hungry for more intellectual input you can dive into various RBAC approaches presented at LDAPcon 2011 and 2013.
Any paper or URI for that?
https://www.google.de/search?q=ldapcon+rbac
But IMO there's not much point in doing so because if the user's credentials are intercepted the attacker can gain access to any role.
Correct.
At least the system should enforce that the user has to re-authenticate before changing the role. Using OTP mech this would be acceptable.
Ciao, Michael.
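To make Michael's point about ACL order and control flow concrete, here is an added slapd.conf fragment (not from the thread, not from the OpenLDAP project; the suffix, the ou=hr subtree, the salary attribute and the role groups under ou=roles are constructed) showing that a DN which is a member of two groups does not get the union of both groups' rights: within one access directive only the first matching <who> clause counts, the default control is stop, and break is what lets evaluation fall through to the next directive.

```conf
# Added example, not from the thread. Names under dc=example,dc=com are
# constructed for illustration.
#
# Assume uid=ulrich is a member of both cn=hr-role and cn=audit-role.

# First directive: matches the salary attribute in the HR subtree.
# For ulrich the hr-role clause matches first and grants write; the
# audit-role clause is never reached, because the implicit control after
# each <who> clause is "stop" (written out here for clarity). Nothing is
# unioned with the read right of the second clause.
access to dn.subtree="ou=hr,dc=example,dc=com" attrs=salary
    by group.exact="cn=hr-role,ou=roles,dc=example,dc=com" write stop
    by group.exact="cn=audit-role,ou=roles,dc=example,dc=com" read stop
    by * break

# Second directive: reached for salary only by subjects that hit the
# "by * break" above (i.e. members of neither role), and for every other
# attribute of the subtree, because the first directive did not match
# those targets at all.
access to dn.subtree="ou=hr,dc=example,dc=com"
    by group.exact="cn=audit-role,ou=roles,dc=example,dc=com" read
    by * none

# Swapping the two group clauses in the first directive would give ulrich
# read instead of write on salary: the first matching <who> wins, so the
# order of the clauses decides which "hat" is effective for that target.
```

The practical consequence for the question in this thread: with plain group membership the effective rights for a member of several roles are whatever the first matching clause of the first matching directive grants, so a user cannot choose a hat at bind time, but the administrator can control, per target, which role takes precedence. Note that `continue` (not used above) would instead move on to the next <who> clause within the same directive, accumulating rights, which is the one control that does combine roles.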
openldap-technical@openldap.org