speedy zinc wrote:
Hi all,
Sorry if the question is not FDS-specific. I'm a
university student and trying to learn how LDAP is
used in managing access control. I can setup FDS,
create basic schema (mostly user information), setup
postfix to use FDS as authentication server, set up
PAM on linux to use FDS as authentication server, etc.
But that's only limited to user authentication.
Everyone is talking about how LDAP can be used to
manage access, in fact, it is on every vendor's
features list. But I've never seen a real example of
how it is used. Maybe I'm dumb, but I just couldn't
imagine how it is set up and used.
You should download the FDS documentation, especially the admin
guide. There is a whole chapter (chapter 6) on the topic
of access control.
Let's take the following scenario.
I have a network of servers, running different
services and applications. Let's say, I called my
machines M1, M2, M3, and called the services S1, S2,
S3. All machines runs all 3 services. I have 3 groups
of users, G1, G2, G3.
Now, the question is, how can use LDAP to manage
access control of my users? Let's say, I want to let
users in G1 to access S1 and S2 on M1 only. And here
are the requirements:
G1 -> M1(S1, S2)
G2 -> M1(S3), M2(S1, S2, S3)
G3 -> M3(S1, S2, S3)
Maybe I'm not understanding the meaning of "access
control" correctly. But I just could not figure out
how to set up to achieve this goal.
What I want to know, besides the standard schema for
storing user information, how do I:
- define the schema for storing access control
information?
- tell the servers and services that specific user has
what access permissions?
- define extensible schema, so that if I add more
servers and applications to my network, I can add new
access control information without having to re-design
the schema? If I have to use any features that are
specific to FDS (ie. non-standard), so be it.
Gurus on this list, mind giving any hint on that? Or
if anyone could give a real life example, that would
great.
Again, read the chapter on access control in the admin guide.
I think your understanding of access control is not totally correct,
not when you refer to access control in LDAP. The concept of
access control refers to access to the information _in_ the
LDAP DIT.
In your case above, you first have to make sure how your machines
or applications are going to reject access request from
unauthorized users. And if you are going to use LDAP to
keep your "permissions" information, you need to make sure
that all your apps are LDAP-enabled.
You can have your apps act as a proxy to LDAP, then query user's
"permission" to operate your applications. Then the apps would
act accordingly.
Maybe someone here has better idea.
csp
--
Chen Shaopeng
http://www.idsignet.com