[Fedora-directory-users] Ideas for fds

jclowser at unitedmessaging.com
Mon Jun 13 02:23:09 UTC 2005


David Boreham wrote:

>
>> In the case of the VPN Template (and I only worked on this briefly a 
>> couple years back), I believe the checkpoint stuff worked like this:
>>
>> 1.  They created a new vpntemplate schema extension of 
>> groupofuniquenames
>> 2.  This extended group had attributes to limit times, hosts, and a 
>> bunch of other things they could access when connected to the VPN.
>> 3.  When a user logged into the VPN, it would auth the user, then 
>> search for something like 
>> (&(objectclass=vpntemplate)(uniquemember=<authedusersdn>)).
>> 4.  If that returned a group, these other attributes in the returned 
>> vpn group define what access the user has.
>
>
> Interesting. This was what role-based-cos was designed for.
> Would that have worked for this application ?
> (user's role drives cos, which returns a set of attribute values
> on the user's entry from cos).

I think it would be feasible in that role-based CoS could provide the 
equivalent end result (if the vendor changed their product to know how 
to look at roles?).  Assuming a closed-source COTS application, 
hardcoded to the above filter (looking at uniquemember for membership), 
is there a way to make role-based CoS match on that search?  I 
understand that changing apps to support roles should be easy, but 
unless you _can_ change the app, that doesn't help much, unfortunately.  
How widespread has adoption of Roles been (or does it need to be)?  
Maybe with the introduction of FDS into the open source world, that will 
change soon.

An example entry would be something like the following (making up the 
attributes and stuff, but the form is close enough as an example):

objectclass: top
objectclass: groupofuniquenames
objectclass: vpntemplate
accesstime: 0900-1800
accesshosts: host1.example.com
accesshosts: host2.example.com
uniquemember: uid=jdoe,ou=people,o=example.com
cn: Engineering VPN
...

From what I remember, that VPN server searched for the user's DN in 
uniquemember to find a template entry, and the above is what it is 
expecting to find.  How would I set up Roles and CoS entries that would 
work without changing the app (is that possible)?  Can I set up 
Roles/CoS that would populate the uniquemember attribute of the 
vpntemplate entry?  Is that searchable?  (If I remember correctly, early 
versions of CoS didn't allow you to search on CoS-populated attributes; 
later versions might have, and I'm not sure where in that line FDS is.)

My job has tended to be more one of deploying existing software and 
finding a way to make it all work together, rather than being the 
developer writing the software (though I do do some coding), so I don't 
necessarily have the option of changing the app to use a new form.  Some 
apps are _really_ bad (depend on specific tree structures, etc. - my 
"favorite" are those that are "LDAP integrated", meaning "the first time 
you log in, it reads your info and copies it to a relational DB and uses 
that from there on..."), and businesses don't always allow you to select 
apps based on how well they properly integrate against LDAP :-(

Admittedly, I have not played with Roles too much - never _thought_ they 
really fit anything I was doing, but maybe it's time to take another 
look at them (esp. if I can resolve the above with them :) ).

 - Jeff
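The lookup Jeff describes (authenticate, then search for the vpntemplate group whose uniquemember lists the authenticated DN, then read the access attributes off that group) can be reproduced offline against a small constructed LDIF. The block below is an added example, not code from the post or from any VPN vendor; the attribute names accesstime and accesshosts are the made-up ones from the thread, the o=example.com suffix is taken from Jeff's entry, and the ou=groups container and the second and third entries are assumed sample data. It shows two checks a deployer would want from the app: that the DN is escaped per RFC 4515 before being interpolated into the filter (an unescaped DN containing parentheses or an asterisk changes the filter's meaning), and that uniquemember comparison behaves like distinguishedNameMatch (case and whitespace around RDN separators do not matter) rather than a raw string compare.

```python
"""Offline model of the VPN-side lookup described in the thread:
  (&(objectclass=vpntemplate)(uniquemember=<authedusersdn>))
This is example code, not the directory server's or the VPN product's
own implementation; the LDIF below is constructed sample data."""

# Constructed sample directory contents (ou=groups and the second and
# third entries are assumptions; the first mirrors the entry in the post).
SAMPLE_LDIF = """\
dn: cn=Engineering VPN,ou=groups,o=example.com
objectclass: top
objectclass: groupofuniquenames
objectclass: vpntemplate
accesstime: 0900-1800
accesshosts: host1.example.com
accesshosts: host2.example.com
uniquemember: uid=jdoe,ou=people,o=example.com
uniquemember: UID=asmith, OU=People, O=example.com
cn: Engineering VPN

dn: cn=Sales VPN,ou=groups,o=example.com
objectclass: top
objectclass: groupofuniquenames
objectclass: vpntemplate
accesstime: 0800-2000
accesshosts: crm.example.com
uniquemember: uid=bjones,ou=people,o=example.com
cn: Sales VPN

dn: cn=Everyone,ou=groups,o=example.com
objectclass: top
objectclass: groupofuniquenames
uniquemember: uid=jdoe,ou=people,o=example.com
cn: Everyone
"""


def parse_ldif(text):
    """Parse minimal LDIF (no continuation lines, no base64 values) into a
    list of {attribute: [values]} dicts; attribute names are lowercased
    because LDAP attribute types are case-insensitive."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        name, _, value = line.partition(":")
        current.setdefault(name.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def normalize_dn(dn):
    """Approximate distinguishedNameMatch: attribute types and values are
    compared case-insensitively and whitespace around ',' is ignored."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def escape_filter_value(value):
    """RFC 4515 escaping for a value interpolated into a search filter, so a
    DN containing '\\', '*', '(', ')' or NUL cannot alter the filter."""
    return (value.replace("\\", "\\5c").replace("*", "\\2a")
                 .replace("(", "\\28").replace(")", "\\29")
                 .replace("\x00", "\\00"))


def build_filter(user_dn):
    """The filter the VPN would send, with the authenticated DN escaped."""
    return "(&(objectclass=vpntemplate)(uniquemember=%s))" % escape_filter_value(user_dn)


def find_vpn_template(entries, user_dn):
    """Evaluate that filter locally: return the access attributes of the
    first vpntemplate entry listing user_dn, or None (VPN denies access)."""
    wanted = normalize_dn(user_dn)
    for entry in entries:
        classes = {c.lower() for c in entry.get("objectclass", [])}
        if "vpntemplate" not in classes:
            continue  # plain groups (e.g. cn=Everyone) are not templates
        members = {normalize_dn(m) for m in entry.get("uniquemember", [])}
        if wanted in members:
            return {
                "template": entry["dn"][0],
                "accesstime": entry.get("accesstime", []),
                "accesshosts": entry.get("accesshosts", []),
            }
    return None


if __name__ == "__main__":
    directory = parse_ldif(SAMPLE_LDIF)
    for dn in ("uid=jdoe,ou=people,o=example.com",
               "uid=ASMITH,ou=people,o=example.com",
               "uid=nobody,ou=people,o=example.com"):
        print(build_filter(dn), "->", find_vpn_template(directory, dn))
```

Note that this only models what the application expects to find in the group entry; it says nothing about whether a Role/CoS setup on the server side could generate those uniquemember values, which is the open question in the post.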