[Fedora-directory-users] How is access control done?

Tue Oct 18 13:46:44 UTC 2005

Chen Shaopeng wrote:

>speedy zinc wrote:
>  
>
>>Hi all,
>>
>>Sorry if the question is not FDS-specific. I'm a
>>university student and trying to learn how LDAP is
>>used in managing access control. I can setup FDS,
>>create basic schema (mostly user information), setup
>>postfix to use FDS as authentication server, set up
>>PAM on linux to use FDS as authentication server, etc.
>>But that's only limited to user authentication.
>>
>>Everyone is talking about how LDAP can be used to
>>manage access, in fact, it is on every vendor's
>>features list. But I've never seen a real example of
>>how it is used. Maybe I'm dumb, but I just couldn't
>>imagine how it is set up and used.
>>
>>    
>>
>
>You should download the FDS documentation, especially the admin
>guide. There is a whole chapter (chapter 6) on the topic
>of access control.
>
>  
>
>>Let's take the following scenario.
>>
>>I have a network of servers, running different
>>services and applications. Let's say, I called my
>>machines M1, M2, M3, and called the services S1, S2,
>>S3. All machines runs all 3 services. I have 3 groups
>>of users, G1, G2, G3.
>>
>>Now, the question is, how can use LDAP to manage
>>access control of my users? Let's say, I want to let
>>users in G1 to access S1 and S2 on M1 only. And here
>>are the requirements:
>>
>>G1 -> M1(S1, S2)
>>G2 -> M1(S3), M2(S1, S2, S3)
>>G3 -> M3(S1, S2, S3)
>>
>>Maybe I'm not understanding the meaning of "access
>>control" correctly. But I just could not figure out
>>how to set up to achieve this goal.
>>
>>What I want to know, besides the standard schema for
>>storing user information, how do I:
>>
>>- define the schema for storing access control
>>information?
>>- tell the servers and services that specific user has
>>what access permissions?
>>- define extensible schema, so that if I add more
>>servers and applications to my network, I can add new
>>access control information without having to re-design
>>the schema? If I have to use any features that are
>>specific to FDS (ie. non-standard), so be it.
>>
>>Gurus on this list, mind giving any hint on that? Or
>>if anyone could give a real life example, that would
>>great. 
>>
>>    
>>
>
>Again, read the chapter on access control in the admin guide.
>
>I think your understanding of access control is not totally correct,
>not when you refer to access control in LDAP. The concept of
>access control refers to access to the information _in_ the
>LDAP DIT.
>  
>
Right.  So the trick is modeling the objects and services _external_ to 
the DIT with entries _inside_ the DIT.  This requires not only schema in 
the LDAP server but also application support.  For example, many 
different types of users are already modeled (e.g. inetOrgPerson, 
posixUser, etc.) as well as groups and other NIS information.  The PAM 
modules must know about this LDAP schema information in order to use it 
e.g. for host based access control, PAM and NSS must know that the 
"host" attribute in the user's entry holds a list of hostnames which 
that user is allowed access to.

>In your case above, you first have to make sure how your machines
>or applications are going to reject access request from
>unauthorized users. And if you are going to use LDAP to
>keep your "permissions" information, you need to make sure
>that all your apps are LDAP-enabled.
>
>You can have your apps act as a proxy to LDAP, then query user's
>"permission" to operate your applications. Then the apps would
>act accordingly.
>
>Maybe someone here has better idea.
>
>csp
>  
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3312 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/fedora-directory-users/attachments/20051018/b68bcebd/attachment.bin>