[Fedora-directory-users] Ideas for fds

Sun Jun 12 14:28:45 UTC 2005

David Boreham wrote:

> Instead, the idea I had was to require that the application instead 
> simply
> read attribute(s) on the user's entry, and do what it needs to do 
> based on
> their values. For example the VPN app would read an attribute called
> 'allowVPNAccess', and if it had the value 'true', then it would allow 
> the user
> access.

Roles are great if I'm looking for a yes or no answer - i.e. do I have 
role x or not?  Sometimes that's not enough.  To give a couple examples...

In the case of the VPN Template (and I only worked on this briefly a 
couple years back), I believe the checkpoint stuff worked like this:

1.  They created a new vpntemplate schema extension of groupofuniquenames
2.  This extended group had attributes to limit times, hosts, and a 
bunch of other things they could access when connected to the VPN.
3.  When a user logged into the VPN, it would auth the user, then search 
for  something like 
(&(objectclass=vpntemplate)(uniquemember=<authedusersdn>)).
4.  If that returned a group, these other attributes in the returned vpn 
group define what access the user has.

I wrote a web admin tool that we use for our customers here that uses a 
similar concept:
1.  I created an extention of groupofuniquenames to create an "admin" group.
2.  This admin group has attributes to contain:
    - a "template" (a reference to a php file that does something like 
user admin, group admin, etc).
    - settings for the template (i.e. email domain to use, quota 
options, etc.)
3.  Different users may be members of different templates for user admin 
(say, full user admin template,
     password admin template, etc), and settings allow me to reuse 
templates for different customers
     (same template, but different search bases for users, different 
quota options, different dns domains
     for email, etc)
3.  When a user logs in, it searches for 
(&(objectclass=admingroup)(uniquemember=<usersdn>))
     to see which admin capabilities the user has, and how those 
capabilities are applied.
4.  For each admin group I find, I read the template, settings, etc. and 
present a list of tabs - each
    admin group translates to a tab, and the extra attributes in the 
extended admin group tells it
    the name of the tab, what code to use in that tab, and config info 
to drive how that tab works.

There's more to it than that, but that's the basics.

If I used roles here instead, I could probably extend the role the way I 
extended groupofuniquenames.  Then, when I auth the user, I'd see the 
roles the user is a member of, and run through that list to see which 
are admin groups and get those settings there.  FWIW, this was more a 
case of showing how I'm using groups than why I need a better dynamic 
group - creating dynamic admin groups is probably not the best thing to 
do :).

 - Jeff