[Fedora-directory-users] How is access control done?

Chen Shaopeng chen_shaopeng at idsignet.com
Tue Oct 18 08:31:00 UTC 2005 

speedy zinc wrote:
> Hi all,
> 
> Sorry if the question is not FDS-specific. I'm a
> university student and trying to learn how LDAP is
> used in managing access control. I can setup FDS,
> create basic schema (mostly user information), setup
> postfix to use FDS as authentication server, set up
> PAM on linux to use FDS as authentication server, etc.
> But that's only limited to user authentication.
> 
> Everyone is talking about how LDAP can be used to
> manage access, in fact, it is on every vendor's
> features list. But I've never seen a real example of
> how it is used. Maybe I'm dumb, but I just couldn't
> imagine how it is set up and used.
>

You should download the FDS documentation, especially the admin
guide. There is a whole chapter (chapter 6) on the topic
of access control.

> Let's take the following scenario.
> 
> I have a network of servers, running different
> services and applications. Let's say, I called my
> machines M1, M2, M3, and called the services S1, S2,
> S3. All machines runs all 3 services. I have 3 groups
> of users, G1, G2, G3.
> 
> Now, the question is, how can use LDAP to manage
> access control of my users? Let's say, I want to let
> users in G1 to access S1 and S2 on M1 only. And here
> are the requirements:
> 
> G1 -> M1(S1, S2)
> G2 -> M1(S3), M2(S1, S2, S3)
> G3 -> M3(S1, S2, S3)
> 
> Maybe I'm not understanding the meaning of "access
> control" correctly. But I just could not figure out
> how to set up to achieve this goal.
> 
> What I want to know, besides the standard schema for
> storing user information, how do I:
> 
> - define the schema for storing access control
> information?
> - tell the servers and services that specific user has
> what access permissions?
> - define extensible schema, so that if I add more
> servers and applications to my network, I can add new
> access control information without having to re-design
> the schema? If I have to use any features that are
> specific to FDS (ie. non-standard), so be it.
> 
> Gurus on this list, mind giving any hint on that? Or
> if anyone could give a real life example, that would
> great. 
> 

Again, read the chapter on access control in the admin guide.

I think your understanding of access control is not totally correct,
not when you refer to access control in LDAP. The concept of
access control refers to access to the information _in_ the
LDAP DIT.

In your case above, you first have to make sure how your machines
or applications are going to reject access request from
unauthorized users. And if you are going to use LDAP to
keep your "permissions" information, you need to make sure
that all your apps are LDAP-enabled.

You can have your apps act as a proxy to LDAP, then query user's
"permission" to operate your applications. Then the apps would
act accordingly.

Maybe someone here has better idea.

csp
-- 
Chen Shaopeng
http://www.idsignet.com

More information about the Fedora-directory-users mailing list