Hi Zisis On Wed, May 30, 2012 at 3:58 PM, Zisis Sialveras <zisi...@gmail.com> wrote: > I am currently coding the LDAP-based policy plugin and I want to discuss > some things with you to give me some ideas. This is short introduction > about my plugin functionality: Whenever a user tries to read/write to a > schema, the plugin will search in ldap database for the user and the schema. > Depending on users' and schemas' attributes the ldap-policy plugin will > decide if access should be granted or denied to the user. > > The problem is that I am having "hard" time to decide the arrangement of > users and schemas in LDAP database. > The first that came into my mind is that users should be in directory > cn=RANDOM_USER,ou=users,dc=BASE_DN. Users has posixAccount objectclass so > they must define their uidNumber and gidNumber.
Do you plan to support the case that user belongs to multiple groups? Ie in Unix I have one gidNumber that is the primary group (for instance username=hingo and groupname=hingo), but I can also belong to any other group (like users, admins, projectmanhattan, etc...). I think what you plan above with ou=users is correct, but you should take into account that the gidNumber isn't necessarily the only group I belong to. (Note that ou=users is of course an option for auth_ldap plugin, so it could be anything else than "users" too.) Btw, for a first version, I think you should keep it simple and not worry about groups at all. (Note that other drizzle auth and policy plugins don't have a concept of groups in Drizzle, so you'd still be "feature complete" even without groups.) > And schemas are in > cn=RANDOM_SCHEMA,ou=schemas,dc=BASE_DN and they have attribute like > allowedUsers and allowedGroups (I have already create those attrs because I > couldn't find anything else to use, feel free to msg me if you any better > solution). So after getting these attributes I compare them and decide if > user is authorized. > I think this is ok, and again, make sure the ou and dc are in fact configurable options for ldap_policy plugin. How does the allowedUsers work? Is it a single attribute and you put a comma separated list there? Or does the LDAP record contain multiple allowedUsers entries, each containing a single user. (I'm sorry, probably none of us know LDAP so well, so we need to ask these basic questions.) Shouldn't you also support table and process objects? Would they then be in ou=tables and ou=processes? henrik -- henrik.i...@avoinelama.fi +358-40-8211286 skype: henrik.ingo irc: hingo www.openlife.cc My LinkedIn profile: http://www.linkedin.com/profile/view?id=9522559 _______________________________________________ Mailing list: https://launchpad.net/~drizzle-discuss Post to : drizzle-discuss@lists.launchpad.net Unsubscribe : https://launchpad.net/~drizzle-discuss More help : https://help.launchpad.net/ListHelp
