Hi all,
Sorry if the question is not FDS-specific. I'm a university student and trying to learn how LDAP is used in managing access control. I can set up FDS, create basic schema (mostly user information), set up postfix to use FDS as authentication server, set up PAM on linux to use FDS as authentication server, etc. But that's only limited to user authentication.
Everyone is talking about how LDAP can be used to manage access, in fact, it is on every vendor's features list. But I've never seen a real example of how it is used. Maybe I'm dumb, but I just couldn't imagine how it is set up and used.
Let's take the following scenario.
I have a network of servers, running different services and applications. Let's say I call my machines M1, M2, M3, and call the services S1, S2, S3. All machines run all 3 services. I have 3 groups of users, G1, G2, G3.
Now, the question is, how can I use LDAP to manage access control for my users? Let's say I want to let users in G1 access S1 and S2 on M1 only. And here are the requirements:
G1 -> M1(S1, S2)
G2 -> M1(S3), M2(S1, S2, S3)
G3 -> M3(S1, S2, S3)
Maybe I'm not understanding the meaning of "access control" correctly. But I just could not figure out how to set up to achieve this goal.
What I want to know, besides the standard schema for storing user information, how do I:
- define the schema for storing access control information?
- tell the servers and services which user has what access permissions?
- define an extensible schema, so that if I add more servers and applications to my network, I can add new access control information without having to re-design the schema?
If I have to use any features that are specific to FDS (i.e. non-standard), so be it.
Gurus on this list, mind giving any hint on that? Or if anyone could give a real life example, that would be great.
Thanks in advance
sz
speedy zinc wrote:
Hi all,
Sorry if the question is not FDS-specific. I'm a university student and trying to learn how LDAP is used in managing access control. I can set up FDS, create basic schema (mostly user information), set up postfix to use FDS as authentication server, set up PAM on linux to use FDS as authentication server, etc. But that's only limited to user authentication.
Everyone is talking about how LDAP can be used to manage access, in fact, it is on every vendor's features list. But I've never seen a real example of how it is used. Maybe I'm dumb, but I just couldn't imagine how it is set up and used.
You should download the FDS documentation, especially the admin guide. There is a whole chapter (chapter 6) on the topic of access control.
Let's take the following scenario.
I have a network of servers, running different services and applications. Let's say I call my machines M1, M2, M3, and call the services S1, S2, S3. All machines run all 3 services. I have 3 groups of users, G1, G2, G3.
Now, the question is, how can I use LDAP to manage access control for my users? Let's say I want to let users in G1 access S1 and S2 on M1 only. And here are the requirements:
G1 -> M1(S1, S2)
G2 -> M1(S3), M2(S1, S2, S3)
G3 -> M3(S1, S2, S3)
Maybe I'm not understanding the meaning of "access control" correctly. But I just could not figure out how to set up to achieve this goal.
What I want to know, besides the standard schema for storing user information, how do I:
- define the schema for storing access control information?
- tell the servers and services which user has what access permissions?
- define an extensible schema, so that if I add more servers and applications to my network, I can add new access control information without having to re-design the schema?
If I have to use any features that are specific to FDS (i.e. non-standard), so be it.
Gurus on this list, mind giving any hint on that? Or if anyone could give a real life example, that would be great.
Again, read the chapter on access control in the admin guide.
I think your understanding of access control is not totally correct, not when you refer to access control in LDAP. The concept of access control refers to access to the information _in_ the LDAP DIT.
In your case above, you first have to make sure how your machines or applications are going to reject access requests from unauthorized users. And if you are going to use LDAP to keep your "permissions" information, you need to make sure that all your apps are LDAP-enabled.
You can have your apps act as a proxy to LDAP, then query the user's "permission" to operate your applications. Then the apps would act accordingly.
Maybe someone here has a better idea.
csp
Chen Shaopeng wrote:
speedy zinc wrote:
Hi all,
Sorry if the question is not FDS-specific. I'm a university student and trying to learn how LDAP is used in managing access control. I can set up FDS, create basic schema (mostly user information), set up postfix to use FDS as authentication server, set up PAM on linux to use FDS as authentication server, etc. But that's only limited to user authentication.
Everyone is talking about how LDAP can be used to manage access, in fact, it is on every vendor's features list. But I've never seen a real example of how it is used. Maybe I'm dumb, but I just couldn't imagine how it is set up and used.
You should download the FDS documentation, especially the admin guide. There is a whole chapter (chapter 6) on the topic of access control.
Let's take the following scenario.
I have a network of servers, running different services and applications. Let's say I call my machines M1, M2, M3, and call the services S1, S2, S3. All machines run all 3 services. I have 3 groups of users, G1, G2, G3.
Now, the question is, how can I use LDAP to manage access control for my users? Let's say I want to let users in G1 access S1 and S2 on M1 only. And here are the requirements:
G1 -> M1(S1, S2)
G2 -> M1(S3), M2(S1, S2, S3)
G3 -> M3(S1, S2, S3)
Maybe I'm not understanding the meaning of "access control" correctly. But I just could not figure out how to set up to achieve this goal.
What I want to know, besides the standard schema for storing user information, how do I:
- define the schema for storing access control information?
- tell the servers and services which user has what access permissions?
- define an extensible schema, so that if I add more servers and applications to my network, I can add new access control information without having to re-design the schema?
If I have to use any features that are specific to FDS (i.e. non-standard), so be it.
Gurus on this list, mind giving any hint on that? Or if anyone could give a real life example, that would be great.
Again, read the chapter on access control in the admin guide.
I think your understanding of access control is not totally correct, not when you refer to access control in LDAP. The concept of access control refers to access to the information _in_ the LDAP DIT.
Right. So the trick is modeling the objects and services _external_ to the DIT with entries _inside_ the DIT. This requires not only schema in the LDAP server but also application support. For example, many different types of users are already modeled (e.g. inetOrgPerson, posixUser, etc.) as well as groups and other NIS information. The PAM modules must know about this LDAP schema information in order to use it e.g. for host based access control, PAM and NSS must know that the "host" attribute in the user's entry holds a list of hostnames which that user is allowed access to.
In your case above, you first have to make sure how your machines or applications are going to reject access requests from unauthorized users. And if you are going to use LDAP to keep your "permissions" information, you need to make sure that all your apps are LDAP-enabled.
You can have your apps act as a proxy to LDAP, then query the user's "permission" to operate your applications. Then the apps would act accordingly.
Maybe someone here has a better idea.
csp
You can look at this from 2 perspectives. One is LDAP access control, and the other is application level access control stored in LDAP.
Access control within LDAP is simply setting up ACIs that restrict access to LDAP data based on certain rules. Note that LDAP access control is implementation specific - there is no standard, and each server does it differently. Also, LDAP ACIs have certain limitations - you can limit who can write to an attribute, for example, but it's hard to limit _what_ they can write to an attribute they have write access to.
Application level access control is done by the application being able to see data in LDAP, and making decisions about what access to give based on that data.
An example of using LDAP ACIs for access control:
- Define write access to a branch of your LDAP tree based on an admin group in LDAP. Only members of that group can write to that branch, so only those users can create entries in that branch.
An example of application level access control:
- A VPN server looks to LDAP for users and groups. It authenticates a user against the user entry (say with a username/password or certificate in the user's LDAP entry). It then looks at a template entry (which may be an extension of a groupOfUniqueNames group, for example) that defines privileges (such as what hosts a user can get to, what time of day they can access things via the VPN, etc.). If the user is a member of that template/group, they have the access defined in that template.
What is used is heavily dependent on the application/service you are trying to tie to LDAP. It really comes down to what the application expects to be in LDAP and how it interprets it, and each application is likely to do something a little different. Some applications are more flexible about what you can configure them to look at, while others require you to install specific schema extensions and populate entries with data around that.
As a third example, consider an application that uses both ACIs and app level access control:
- An admin tool that allows you to manage users. You can define LDAP ACIs on a branch of your LDAP tree that contains users. The ACIs limit write access to that branch based on an admin group in LDAP.
- The application only offers the user admin page if you are a member of this group. Furthermore, it only allows you to create _users_ in that branch - no groups, etc. These are application level restrictions.
As a fourth example (and one similar to what you proposed), you can sometimes combine ACIs and application level access control to get around some limitations in the service that is using LDAP: Say we have a server that looks at LDAP for user authentication. If it finds the user, it allows it in, and that's all it can handle. However, we want to limit users to certain machines, but the application doesn't provide for this kind of limitation. We can extend a user's entry - say we define objectclass appx, with one multivalued attribute called appxhosts. In a user's entry, we add objectclass appx, and populate appxhosts with the list of hosts we want that user to access. We then create appropriate ACIs for each server such that the server can only see entries with appxhosts=hostname of the server looking up users for authentication. If the server can't "see" the user in LDAP when it looks up their uid, it can't authenticate them, and you effectively limit which servers a given user can log into.
This example is a bit oversimplified - if you allow anonymous access, you have to prevent that access from allowing the server to see these users, etc., but it gives a reasonable basis to work from. BTW - this is not the only way of doing this - with FDS, you can also use roles, you can probably do similar things with groups, etc. - sometimes you have to be creative, and different apps will limit what you can do in different ways.
Anyway, what you'll find in the end is that you'll have to figure this out for each service you integrate against your LDAP service - every one works a little bit differently. There is no generic, universal answer :)
- Jeff
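A concrete LDIF version of the fourth example in Jeff's reply above, added here as an illustration; it is not code from Jeff's message or from the FDS project. It assumes the auxiliary objectclass appx with the multivalued attribute appxhosts is already loaded, that the suffix is dc=example,dc=com, that users live under ou=people, and that each machine binds with its own service identity under ou=services (all placeholder names).

```ldif
# Added example, not from the thread. Feed to ldapmodify as Directory Manager.
# Assumes objectclass appx / attribute appxhosts already exist in the schema.

# Service identity for machine M1: the service on M1 binds as this entry when
# it looks up users. One such entry per machine; the password is a placeholder.
dn: cn=m1,ou=services,dc=example,dc=com
changetype: add
objectClass: top
objectClass: applicationProcess
objectClass: simpleSecurityObject
cn: m1
userPassword: CHANGE-ME-placeholder

# Scope what M1's identity may see under ou=people: only entries whose
# appxhosts lists M1, and only the attributes the uid lookup needs.
# A user entry M1 cannot find is a user M1 cannot authenticate.
dn: ou=people,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr="objectClass || uid || cn || appxhosts")
  (targetfilter="(appxhosts=m1.example.com)")
  (version 3.0; acl "appx: m1 sees only users allowed on m1";
  allow (read, search, compare)
  userdn="ldap:///cn=m1,ou=services,dc=example,dc=com";)
-
# Same pattern for M2; a user allowed on both hosts simply carries both values.
add: aci
aci: (targetattr="objectClass || uid || cn || appxhosts")
  (targetfilter="(appxhosts=m2.example.com)")
  (version 3.0; acl "appx: m2 sees only users allowed on m2";
  allow (read, search, compare)
  userdn="ldap:///cn=m2,ou=services,dc=example,dc=com";)

# Caveat from the thread: ACIs only add rights, so any broad anonymous-read
# ACI higher in the tree (for example on the suffix) would let a service that
# binds anonymously, or anyone else, see every user and bypass the filters
# above. Check the suffix's aci values and remove such a grant before relying
# on this scheme, and make sure each service binds with its own identity.
```

The continuation lines of each aci value begin with a space, which LDIF folds back into one value before the server parses it.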
Thanks all for replying and suggestion.
--- Jeff Clowser jclowser@unitedmessaging.com wrote:
As a fourth example (and one similar to what you proposed), you can sometimes combine ACIs and application level access control to get around some limitations in the service that is using LDAP: Say we have a server that looks at LDAP for user authentication. If it finds the user, it allows it in, and that's all it can handle. However, we want to limit users to certain machines, but the application doesn't provide for this kind of limitation. We can extend a user's entry - say we define objectclass appx, with one multivalued attribute called appxhosts. In a user's entry, we add objectclass appx, and populate appxhosts with the list of hosts we want that user to access. We then create appropriate ACIs for each server such that the server can only see entries with appxhosts=hostname of the server looking up users for authentication. If the server can't "see" the user in LDAP when it looks up their uid, it can't authenticate them, and you effectively limit which servers a given user can log into.
Let's say my apps have some specific needs for data which are not covered by existing standard schema. So, I create extended schema. Let's say I have 3 apps right now, and I can't foresee what future apps will need in terms of schema definition.
And let's say I've been using FDS for 2 years and have 20K users. Then I want to add new apps, which require extending the schema again. Assuming that I don't have to change any existing schema, do I have to rebuild the whole LDAP directory, or can I just add the new schema and tell the server that the new attributes are now allowed in inetOrgPerson/Person/posixAccount/etc.?
The important thing is, I don't want to rebuild anything, not to interrupt any service.
I see there are quite a few Netscape schemas for specific apps, such as Collabra Server, etc. How do I add app-specific schema like that without rebuilding the directory? Or do I have to rebuild it every time a new schema is added?
Please bear with me, I have no real life experience with LDAP, just learning here, and throw in the questions that I can't figure out from googling :)
Again, thanks for all.
sz
-----Original Message-----
From: fedora-directory-users-bounces@redhat.com [mailto:fedora-directory-users-bounces@redhat.com] On Behalf Of speedy zinc
Sent: Tuesday, October 18, 2005 5:28 PM
To: General discussion list for the Fedora Directory server project.
Subject: Re: [Fedora-directory-users] How is access control done?
directory, or can I just add the new schema, and tell the server that the new attributes are now allowed in inetOrgPerson/Person/posixAccount/etc?
You _can_ do that but it is highly discouraged. Schema (particularly standard schema) is intended to remain static so that all clients know what they are dealing with.
The important thing is, I don't want to rebuild anything, not to interrupt any service.
You can create new schema for an auxiliary objectclass that represents your application and add that objectclass to the users that need it.
I see there are quite a few Netscape schemas for specific apps, such as Collabra Server, etc. How do I add app-specific schema like that without rebuilding the directory? Or do I have to rebuild it every time a new schema is added?
As mentioned above, simply add the objectclass to an existing user entry. You should never have to rebuild anything.
Ok, thanks, I got the idea.
--- Pete Rowley pete@openrowley.com wrote:
You can create new schema for an auxiliary objectclass that represents your application and add that objectclass to the users that need it.
Ok, I've created an object in the console, with the attributes I want. Now do I add an object class to a user, from the console? :)
thanks
sz
speedy zinc wrote:
Ok, thanks, I got the idea.
--- Pete Rowley pete@openrowley.com wrote:
You can create new schema for an auxiliary objectclass that represents your application and add that objectclass to the users that need it.
Ok, I've created an object in the console, with the attributes I want. Now do I add an object class to a user, from the console? :)
Edit the user's entry. Press the Advanced... button. Select the objectclass field and press Add Value. From the popup list, select your new objectclass. You may have to save and exit the window before the next step, which is to Add Attribute... to add your new attributes to your entry.
thanks
sz
--- Rich Megginson rmeggins@redhat.com wrote:
Ok, I've created an object in the console, with the attributes I want. Now do I add an object class to a user, from the console? :)
Edit the user's entry. Press the Advanced... button. Select the objectclass field and press Add Value. From the popup list, select your new objectclass. You may have to save and exit the window before the next step, which is to Add Attribute... to add your new attributes to your entry.
Stupid me, I was clicking on the label part (left side), and was wondering why the Add Value button was still disabled. I have to click on the right side...
I don't see my objectclass in the list of available objectclasses. I used the following to create it:
1. Click on the Configuration tab
2. Select Schema
3. Click Create to create a new object class
4. Add all the attributes I want to the must and may lists
When I tried to add the new objectclass to a user, I don't see my objectclass in the list.
What did I do wrong?
thanks for all
sz
Hm - sounds like a bug. You may have to restart the console in order for it to pick up your new schema.
--- Rich Megginson rmeggins@redhat.com wrote:
Hm - sounds like a bug. You may have to restart the console in order for it to pick up your new schema.
Got it, thanks all for answering the questions.
One question though, if I add a new schema file in the slapd-serverid/config/schema directory, how can I tell FDS to reload the schema files without restarting the server?
thanks
sz
speedy zinc wrote:
--- Rich Megginson rmeggins@redhat.com wrote:
Hm - sounds like a bug. You may have to restart the console in order for it to pick up your new schema.
Got it, thanks all for answering the questions.
One question though, if I add a new schema file in the slapd-serverid/config/schema directory, how can I tell FDS to reload the schema files without restarting the server?
You can't. We will hopefully address this problem in an upcoming release (probably not 7.2).
thanks
sz
Yeah - I think console caches some of this stuff. You don't have to restart ldap or admin server, just console.
- Jeff
Rich Megginson wrote:
Hm - sounds like a bug. You may have to restart the console in order for it to pick up your new schema.
speedy zinc wrote:
Let's say my apps have some specific needs for data which are not covered by existing standard schema. So, I create extended schema. Let's say I have 3 apps right now, and I can't foresee what future apps will need in terms of schema definition.
And let's say I've been using FDS for 2 years and have 20K users. Then I want to add new apps, which require extending the schema again. Assuming that I don't have to change any existing schema, do I have to rebuild the whole LDAP directory, or can I just add the new schema and tell the server that the new attributes are now allowed in inetOrgPerson/Person/posixAccount/etc.?
If you are _extending_ your schema, you can add the new schema elements, then populate new and existing entries with the new fields and such. You do not have to rebuild your directory. If you change the schema such that you remove some attributes, or change their type, etc., things get a little trickier, but in general, you shouldn't need to do this to add support for new apps.
I would recommend strongly against modifying existing objectclasses, especially standardized ones. Instead, create a new objectclass that is inherited from the one you want to extend (or from objectclass top if it's something truly new).
The important thing is, I don't want to rebuild anything, not to interrupt any service.
If you make the changes via console, they should take effect without even having to restart the server. If you edit the schema files by hand, you have to restart the server for it to take effect. Note that if your schema files are not just right, the server may not start.
I see there are quite a few Netscape schemas for specific apps, such as Collabra Server, etc. How do I add app-specific schema like that without rebuilding the directory? Or do I have to rebuild it every time a new schema is added?
If you add things via console, it adds to 99user.ldif. But... if you want to organize things a bit better, you can create separate files (say, 99appx.ldif for appx specific schema, etc). You can craft these by hand, but it might be easier to create the schema in console on a test server, then copy/paste the appropriate definitions into a new file and drop that onto your production server. You'll need a restart for this to take effect.
Somewhere along the line, schema in 99user.ldif started being replicated to replicas to keep the schema in sync. Not sure if this happened before or after the Sun/Netscape split of the server. Any custom files you create, plus the 99user.ldif (if it's not replicated) will have to be copied to replica servers.
Please bear with me, I have no real life experience with LDAP, just learning here, and throw in the questions that I can't figure out from googling :)
Sure - everyone has to start somewhere :)
- Jeff
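An added LDIF example (not from the thread or the FDS project) for the schema-extension advice in Jeff's last reply and Pete's earlier one: a separate 99appx.ldif holding an auxiliary objectclass, and the ldapmodify change that attaches it to one existing user, which is the command-line equivalent of the console steps Rich described. The OID arc 1.3.6.1.4.1.99999, the suffix dc=example,dc=com and the user uid=alice are placeholders.

```ldif
# Added example, not from the thread. Part 1: the app-specific schema file
# slapd-<serverid>/config/schema/99appx.ldif. The OIDs sit under a made-up
# private arc (placeholder); use your organisation's own registered arc.
# A hand-written file is only read at server start, as the thread says; the
# same two values sent with ldapmodify to cn=schema take effect live (that is
# what the console does) and end up in 99user.ldif instead.
dn: cn=schema
attributeTypes: ( 1.3.6.1.4.1.99999.1.1 NAME 'appxhosts'
  DESC 'Hostnames on which the user may log in via appx (multi-valued)'
  EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'appx schema' )
objectClasses: ( 1.3.6.1.4.1.99999.2.1 NAME 'appx'
  DESC 'Auxiliary class for appx access data; attach to existing users rather than editing inetOrgPerson'
  SUP top AUXILIARY MAY ( appxhosts ) X-ORIGIN 'appx schema' )

# Part 2: a separate file for ldapmodify, once the schema above is loaded.
# Adding the auxiliary class to an existing entry is an ordinary modify; the
# other 20K entries are untouched and nothing is rebuilt or restarted.
dn: uid=alice,ou=people,dc=example,dc=com
changetype: modify
add: objectClass
objectClass: appx
-
add: appxhosts
appxhosts: m1.example.com
appxhosts: m2.example.com
```

Replication of schema files is the remaining step from the thread: a custom file like 99appx.ldif has to be copied to each replica, since only 99user.ldif is carried by schema replication.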