[Fedora-directory-users] Ideas for fds

jclowser at unitedmessaging.com jclowser at unitedmessaging.com
Sat Jun 11 19:43:40 UTC 2005


David Boreham wrote:

> This is an interesting one, because applications like apache were the
> target for roles/cos. Do you know what Apache does support for
> determining page access via LDAP ?

Roles should work for apache.  Out of habit, I've used apache/auth_ldap 
as follows, to limit users to a group (from an htaccess file):

    AuthLDAPURL ldap://ldap1.airius.com:389/ou=People, o=Airius?uid?sub?(objectClass=*)
    require group cn=Administrators, o=Airius

In this case, if memory serves, this will look up the user by uid to get 
their dn and auth them, then will check to see if their dn is in the 
uniquemember attribute of the group to see if they can see whatever is 
protected.

I think (have not tested this), I could use roles instead by doing:

    AuthLDAPURL ldap://ldap1.airius.com:389/ou=People, o=Airius?uid?sub?(nsRole=<dn of the role>)
    require valid-user

Or something like that.  So, instead of saying "auth the user and see if 
they are in a group, and if so they are allowed", we are saying "auth 
any users, but only if they match this filter, and if they do, they are 
allowed".  The roles method actually uses half the searches, so is more 
efficient, admittedly :)  But, apache (auth_ldap) is nice enough to 
allow you to define the filters.  Netscape Enterprise/Fastrack web 
server only did groups one way - it looked at static members in the 
uniquemember attribute.  Part of why I always used Apache instead.  (ok, 
so admittedly that's a _really_ old example, and may not even apply to 
whatever state that server is in at Sun these days... :)  )

The problem I've run into is that I want to create a group that:
1.  Represents some subset of users (obviously)
2.  Is dynamically generated (otherwise I'd use groupOfUniqueNames and 
be done).
3.  Can be used for multiple applications.  For example:
    a.  As an auth group for apache .htaccess files
    b.  Can be used as an email list for messaging servers.
    c.  aci groups in ldap (for example, I want this group of people to 
be able to edit certain fields in ldap).
    d.  defines a vpn template (I think checkpoint firewall 1 extends a 
groupofuniquenames group to include vpn template attributes to determine 
who can access what services).
    (e.  probably other things but can't think of 'em now :)  )
    Anyway, the point is that one group may be used by multiple things 
and represent different functions that group of users can do across 
different services (Example:  members of the HR group can log into a web 
page that allows you to change users' contact info (apache auth), gets 
email notices related to this web page (mail server list), and has 
rights in LDAP to actually make these changes (LDAP acis).  Further, I 
only allow HR users access to the server this runs on via a VPN).
4.  Is portable across ldap server implementations (otherwise, why use a 
standard like LDAP?)

So I guess I see a group as doing 2 things, primarily:  Allowing me to 
determine all the members of the group (i.e. for things like email 
lists), and to determine if someone is a member of a particular group 
(i.e. I can do/access X if I'm part of group Y).  The difference is 
whether my searches return a list and I do something involving all the 
members of it, or if I just want to return what lists I am a member of.

Speaking to portability across LDAP server implementations:
1.  There is nothing "special" about groupOfURLs, since the client has 
to read memberURL and process that to get the list (and hope it doesn't 
run into resource limits).  So, one caveat here is that the "dynamic" 
group part is implemented on the client, so is really more of a schema 
thing vs server coding (ignoring for the moment the server's use of it 
in acis).  It also has not really been widely adopted as a group 
mechanism (only by Sun/Netscape/iPlanet/etc, as far as I know).

2.  roles are "special", in that FDS can generate them.  However, I 
_can_ add the schema to most ldap implementations and statically 
maintain the nsrole attribute (which is close enough to portable to me - 
i.e. if I go from FDS to OpenLDAP for whatever reason, I lose the 
ability to have this populated dynamically, but I can still manually 
populate it and use it without changing all my applications).  I suppose 
a Role could be extended and used for email lists just as easily as 
groupOfUrls is, now that I think about it, since the mail server would 
have to do almost the exact same work to find members (and face the same 
resource limits).  But... I can't change servers like Netscape/Sun JES 
messaging to support this.  If I ported this to Openldap, the problem 
would become cleaning up these statically created groups (even with 
static roles, I can use referential integrity on FDS to clean 'em up), 
but that's just a cron script :)

3.  groupOfUniqueNames is "standard" so is in there for every ldap 
server I've seen (even AD), so is definitely portable, but is not as 
useful because it's not dynamic.

4.  Admittedly, aci's should probably be out of scope for this idea - 
since ldap access control is not portable, how you define a group to 
support it being portable is probably not so important :)

I guess what it really comes down to is trying to find a way to 
implement dynamic groups that is transparent to applications that don't 
know how to use them.  Maybe part of it is that I've been doing this for 
so long (since Netscape dir server 1.0 and the original U of Mich 
stuff), I have some old habits I need to unlearn :) 

Sorry for rambling on for so long over so many messages about all this :-)

- Jeff
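The two AuthLDAPURL styles from the message above, modelled as an added example (not code from the thread or from auth_ldap itself) against a constructed in-memory directory: it parses the LDAP URL the way auth_ldap reads it, runs the group form (two searches) and the role-filter form (one search), and counts the searches. The role DN cn=HR,o=Airius and the user entries are assumptions made up for the example.

```python
import re
from urllib.parse import unquote, urlparse

# Constructed in-memory directory standing in for ldap1.airius.com (not real data).
DIRECTORY = {
    "uid=jeff,ou=People,o=Airius": {"objectClass": ["person"], "uid": ["jeff"],
                                    "nsRole": ["cn=HR,o=Airius"]},
    "uid=bob,ou=People,o=Airius": {"objectClass": ["person"], "uid": ["bob"], "nsRole": []},
    "cn=Administrators,o=Airius": {"objectClass": ["groupOfUniqueNames"],
                                   "uniqueMember": ["uid=jeff,ou=People,o=Airius"]},
}
EQUALITY = re.compile(r"\((\w+)=([^()]*)\)")  # pulls (attr=value) assertions out of a simple filter


def norm_dn(dn):
    """Loose DN normalisation: drop spaces after commas, compare case-insensitively."""
    return re.sub(r",\s+", ",", dn).lower()


def parse_auth_ldap_url(url):
    """Split AuthLDAPURL (RFC 2255 form host/base?attr?scope?filter) into its parts."""
    parts = urlparse(url)
    base = unquote(parts.path).lstrip("/")
    attr, scope, filt = (parts.query.split("?") + ["", "", ""])[:3]
    return base, attr or "uid", scope or "sub", filt or "(objectClass=*)"


def search(base, filt, extra, stats):
    """One LDAP search under base; every equality assertion must hold ('*' means presence)."""
    stats["searches"] += 1
    wanted = EQUALITY.findall(filt) + extra
    return [dn for dn, attrs in DIRECTORY.items()
            if norm_dn(dn).endswith(norm_dn(base))
            and all(attrs.get(a) and (v == "*" or v in attrs[a]) for a, v in wanted)]


def authorize(auth_ldap_url, require, login, stats):
    """Model auth_ldap: find the user via (&(filter)(attr=login)), then apply the require line.
    Returns the user DN when access is granted, else None (the password bind is out of scope)."""
    base, attr, scope, filt = parse_auth_ldap_url(auth_ldap_url)
    hits = search(base, filt, [(attr, login)], stats)
    if len(hits) != 1:           # no match, or an ambiguous uid: deny
        return None
    user_dn = hits[0]
    if require == "valid-user":  # role variant: the URL filter already did the gating
        return user_dn
    kind, target = require.split(" ", 1)
    if kind == "group":          # group variant: a second search checks uniqueMember on the group
        return user_dn if search(target, "(objectClass=*)", [("uniqueMember", user_dn)], stats) else None
    return None


GROUP_URL = "ldap://ldap1.airius.com:389/ou=People, o=Airius?uid?sub?(objectClass=*)"
ROLE_URL = "ldap://ldap1.airius.com:389/ou=People, o=Airius?uid?sub?(nsRole=cn=HR,o=Airius)"
```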
