Re: role based authorization -> dynacl module?
On 04/25/2018 11:58 AM, Michael Ströder wrote:
> Daniel Tröder wrote:
>> The product is not new, but exists for some years now
>> (https://www.univention.com/products/ucsschool/). It is completely
>> open source and free as in beer (except support ofc).
>> The LDAP tree is replicated from the master to >=1 LDAP slave per
>> school. All of a school's LDAP objects are in an ou=.. subtree.
>> For security reasons the replication to the LDAP servers in the school
>> slaves is "selective": only global (above ou=..) objects and their own
>> OU subtree is replicated to each slave. With the exception of user
>> objects, which can "belong" to multiple schools (OUs) by having them
>> listed in a "school" attribute (and their groups as well). The ACLs
>> are written so that user objects and their references (groups) can
>> also be replicated to those "additional" OUs.
>
> Frankly I fail to understand how you securely handle cross-OU references
> and partial replication of OUs.
Fun like this:
# Teachers, staff and OU admins may change student passwords
access to filter="objectClass=ucsschoolStudent"
  attrs=krb5KeyVersionNumber,krb5KDCFlags,krb5Key,krb5PasswordEnd,sambaAcctFlags,sambaPwdLastSet,sambaLMPassword,sambaNTPassword,shadowLastChange,shadowMax,userPassword,pwhistory,sambaPwdCanChange,sambaPwdMustChange,sambaPasswordHistory,sambaBadPasswordCount
  by set="this/ucsschoolSchool & ([ldap:///]+user/entryDN+[?entryDN?base?%28%7C%28objectClass%3DucsschoolTeacher%29%28objectClass%3DucsschoolAdministrator%29%28objectClass%3DucsschoolStaff%29%29])/ucsschoolSchool" write
  by * +0 break
root@m65:/etc/ldap# grep 'access to' slapd.conf | wc -l
100
root@m65:/etc/ldap# grep 'by set' slapd.conf | wc -l
35
UCS@school ACLs:
https://github.com/univention/ucs-school/tree/4.3/ucs-school-ldap-acls-master
UCS ACLs:
https://github.com/univention/univention-corporate-server/tree/4.3-0/management/univention-ldap/conffiles/etc/ldap/slapd.conf.d
> The other stuff pretty much sounds like what Æ-DIR is implementing with
> set-based ACLs (replace your "school/OU" by Æ-DIR's zone).
Yes - I'm very intrigued by Æ-DIR!
> But as said: Sets are really slow. I'm curious to hear whether your
> dynacl module is faster than an equivalent set-based ACL approach.
Yes... we have customers with >100.000 objects and when a query has too
many constraints it can take several minutes to complete. We are now
trying to get the dynacl module to replace as much set-ACLs as possible
and comparing query speed. For now the motto is "not be slower" :) while
gaining simplicity and extensibility. I'll keep you posted, and ofc
it'll be open source :)
Greetings
Daniel
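The set-based ACL quoted in this thread is dense enough that it is worth spelling out what it decides. The script below is an added illustration, not code from the post, from UCS@school or from OpenLDAP: it parses the `access to ... by set=... write / by * +0 break` directive, percent-decodes the LDAP URL inside the set expression, and then models the set semantics (`this/ucsschoolSchool` = the target entry's school values, `[ldap:///]+user/entryDN+[?entryDN?base?F]` = the requester's own entry if it matches filter F, `&` = intersection) against a constructed toy directory with hypothetical DNs. It only covers the filter operators and set forms this one directive uses, and it is a model of the rule's meaning, not a reimplementation of slapd's ACL engine.

```python
import re
from urllib.parse import unquote

# The directive from the post, joined onto one logical line. The attrs list is
# shortened to three of the password attributes it names.
ACL_TEXT = (
    'access to filter="objectClass=ucsschoolStudent" '
    'attrs=krb5Key,sambaNTPassword,userPassword '
    'by set="this/ucsschoolSchool & ([ldap:///]+user/entryDN+[?entryDN?base?'
    '%28%7C%28objectClass%3DucsschoolTeacher%29%28objectClass%3DucsschoolAdministrator%29'
    '%28objectClass%3DucsschoolStaff%29%29])/ucsschoolSchool" write '
    'by * +0 break'
)

# Constructed toy directory: hypothetical DNs and values, not UCS@school data.
DIRECTORY = {
    "uid=t1,ou=s1,dc=example,dc=com": {"objectClass": {"ucsschoolTeacher"}, "ucsschoolSchool": {"s1"}},
    "uid=t2,ou=s2,dc=example,dc=com": {"objectClass": {"ucsschoolTeacher"}, "ucsschoolSchool": {"s2"}},
    "uid=a1,ou=s1,dc=example,dc=com": {"objectClass": {"ucsschoolAdministrator"}, "ucsschoolSchool": {"s1", "s2"}},
    "uid=p1,ou=s1,dc=example,dc=com": {"objectClass": {"ucsschoolStudent"}, "ucsschoolSchool": {"s1"}},
    "uid=p2,ou=s2,dc=example,dc=com": {"objectClass": {"ucsschoolStudent"}, "ucsschoolSchool": {"s2"}},
}


def split_components(s):
    """Split '(a=b)(c=d)' into its top-level parenthesised components."""
    comps, depth, start = [], 0, 0
    for i, ch in enumerate(s):
        if ch == "(":
            if depth == 0:
                start = i
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                comps.append(s[start:i + 1])
    return comps


def match_filter(entry, flt):
    """Minimal LDAP filter matcher: equality plus &, | and ! (enough for this ACL)."""
    flt = flt.strip()
    if not flt.startswith("("):
        flt = "(" + flt + ")"
    inner = flt[1:-1]
    if inner[0] in "&|":
        results = [match_filter(entry, c) for c in split_components(inner[1:])]
        return all(results) if inner[0] == "&" else any(results)
    if inner[0] == "!":
        return not match_filter(entry, inner[1:])
    attr, _, value = inner.partition("=")
    return value in entry.get(attr, set())


def parse_access(text):
    """Split one 'access to <what> by <who> <access> ...' directive into parts."""
    text = " ".join(text.split())  # collapse slapd.conf continuation lines
    head, *by_parts = re.split(r"\s+by\s+", text)
    m = re.match(r'access to filter="([^"]+)"\s+attrs=(\S+)$', head)
    clauses = []
    for part in by_parts:
        w = re.match(r'(set="[^"]*"|\*)\s+(\S+)(\s+break)?$', part)
        clauses.append((w.group(1), w.group(2), bool(w.group(3))))
    return {"filter": m.group(1), "attrs": set(m.group(2).split(",")), "by": clauses}


def set_grants(setexpr, user, target):
    """Evaluate 'this/A & ([ldap:///]+user/entryDN+[?entryDN?base?F])/A'.
    Left: the target's A values. Right: the requester's own A values, but only
    if the requester matches F. '&' is set intersection: a shared A is required."""
    decoded = unquote(setexpr)
    attr = re.match(r"this/(\w+)", decoded).group(1)
    url_filter = re.search(r"\?([^?]*)\]", decoded).group(1)
    left = target.get(attr, set())
    right = user.get(attr, set()) if match_filter(user, url_filter) else set()
    return bool(left & right)


def decide(acl, user_dn, target_dn, attr):
    """Access this directive yields for (requester, target, attribute).
    None: <what> does not select the target, slapd skips the directive.
    '+0' (with break): nothing granted, later directives are still evaluated."""
    user, target = DIRECTORY[user_dn], DIRECTORY[target_dn]
    if attr not in acl["attrs"] or not match_filter(target, acl["filter"]):
        return None
    for who, access, _brk in acl["by"]:
        if who == "*" or (who.startswith("set=") and set_grants(who[5:-1], user, target)):
            return access
    return None


if __name__ == "__main__":
    acl = parse_access(ACL_TEXT)
    print(decide(acl, "uid=t1,ou=s1,dc=example,dc=com", "uid=p1,ou=s1,dc=example,dc=com", "userPassword"))
    print(decide(acl, "uid=t2,ou=s2,dc=example,dc=com", "uid=p1,ou=s1,dc=example,dc=com", "userPassword"))
```

Running it shows the two conditions the rule encodes: a requester gets `write` on a student's password attributes only if its own entry matches the teacher/administrator/staff filter AND shares at least one `ucsschoolSchool` value with the student; the admin `a1`, listed in two schools, reaches students of both, while the teacher `t2` from the other school falls through to `by * +0 break`.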