[Fedora-directory-users] How is access control done?

speedy zinc speedy_zinc at yahoo.com
Wed Oct 19 00:27:52 UTC 2005


Thanks all for replying and for the suggestions.

--- Jeff Clowser <jclowser at unitedmessaging.com> wrote:

> As a fourth example (and one similar to what you proposed), you can
> sometimes combine ACIs and application-level access control to get
> around some limitations in the service that is using LDAP:
>
> Say we have a server that looks at LDAP for user authentication. If it
> finds the user, it allows it in, and that's all it can handle. However,
> we want to limit users to certain machines, but the application doesn't
> provide for this kind of limitation.
>
> We can extend a user's entry - say we define objectclass appx, with one
> multivalued attribute called appxhosts. In a user's entry, we add
> objectclass appx, and populate appxhosts with the list of hosts we want
> that user to access.
>
> We then create appropriate ACIs for each server such that the server
> can only see entries with appxhosts=hostname of the server looking up
> users for authentication.
>
> If the server can't "see" the user in LDAP when it looks up their uid,
> it can't authenticate them, and you effectively limit which servers a
> given user can log into.
>

Let's say my apps have some specific needs for data
which are not covered by the existing standard schema, so
I create an extended schema. Let's say I have 3 apps
right now, and I can't foresee what future apps will
need in terms of schema definition.

And let's say I've been using FDS for 2 years, and
have 20K users. Then I want to add new apps, which
require extending the schema again. Assuming that I don't
have to change any existing schema, do I have to
rebuild the whole LDAP directory, or can I just add
the new schema and tell the server that the new
attributes are now allowed in
inetOrgPerson/Person/posixAccount/etc.?

The important thing is, I don't want to rebuild
anything, so as not to interrupt any service.

I see there are quite a few Netscape schemas for
specific apps, such as Collabra Server, etc. How do I
add app-specific schema like that without rebuilding
the directory? Or do I have to rebuild it every time a
new schema is added?

Please bear with me, I have no real-life experience
with LDAP, I'm just learning here, and throwing in the
questions that I can't figure out from googling :)

Again, thanks for all.

sz
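The per-host visibility scheme Jeff describes in the quoted reply, written out as an added LDIF example (not from the original thread or from the Fedora Directory Server project): it defines the auxiliary objectclass appx with the multivalued attribute appxhosts, adds them to one user's entry, and then places an ACI on the people container so that a server binding as its own identity can only read entries that list its hostname. The suffix dc=example,dc=com, the uid jdoe, the hostnames web01/web02 and the server bind DN cn=web01,ou=servers,... are all constructed for the example; the "-oid" suffixes stand in for real OIDs, which a production schema should register properly.

```ldif
# 1. Extend the schema online (ldapmodify against cn=schema).
#    appx is AUXILIARY so it can be added to existing inetOrgPerson entries.
dn: cn=schema
changetype: modify
add: attributeTypes
attributeTypes: ( appxhosts-oid NAME 'appxhosts' DESC 'Hosts this user may log into via appx' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'user defined' )
-
add: objectClasses
objectClasses: ( appx-oid NAME 'appx' DESC 'Per-host login list for appx' SUP top AUXILIARY MAY ( appxhosts ) X-ORIGIN 'user defined' )

# 2. Grant one user access to two hosts (constructed entry).
dn: uid=jdoe,ou=people,dc=example,dc=com
changetype: modify
add: objectClass
objectClass: appx
-
add: appxhosts
appxhosts: web01.example.com
appxhosts: web02.example.com

# 3. One ACI per server: web01's service account sees only entries
#    whose appxhosts lists web01. Entries without that value are simply
#    absent from its search results, so the application cannot
#    authenticate those users.
dn: ou=people,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr = "uid || cn || sn || userPassword || appxhosts")(targetfilter = "(appxhosts=web01.example.com)")(version 3.0; acl "appx: web01 sees only its users"; allow (read, search, compare) userdn = "ldap:///cn=web01,ou=servers,dc=example,dc=com";)
```

Two things to check before relying on this: the application must bind as the per-server identity named in the ACI rather than anonymously, and the directory's default "anonymous read" ACI (usually on the suffix entry) must not already expose the same attributes to everyone, since allow rules are additive and the more permissive one wins. The schema step is a modify to cn=schema and does not require rebuilding existing entries; entries that never gain objectClass appx are unaffected.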



		
__________________________________ 
Yahoo! Music Unlimited 
Access over 1 million songs. Try it free.
http://music.yahoo.com/unlimited/



