From: <svn...@op...> - 2009-04-06 20:19:57
Author: scriptor Date: Mon Apr 6 22:19:49 2009 New Revision: 5545 URL: http://www.opensync.org/changeset/5545 Log: Not that I recommend the simple authentication mechanism. But it is foreseeable, that many users will choose right this mechanism. Therefore I should present an alternative version of the access rules, which is suitable for both an SASL based mechanism and the simple mechanism. Moreover, I added some remarks about proxy authorization. Modified: plugins/ldap-sync/README.lyx Modified: plugins/ldap-sync/README.lyx ============================================================================== --- plugins/ldap-sync/README.lyx Mon Apr 6 12:30:16 2009 (r5544) +++ plugins/ldap-sync/README.lyx Mon Apr 6 22:19:49 2009 (r5545) @@ -313,6 +313,10 @@ ctest -R remove_test_ldifs \end_layout +\begin_layout LyX-Code +reset; time ctest -R "^add_mod_del_contact1_and_fastsync" +\end_layout + \begin_layout Standard And in case of problems: \end_layout @@ -325,6 +329,10 @@ ctest -R remove_test_ldifs -V \end_layout +\begin_layout LyX-Code +reset; time ctest -R "^add_mod_del_contact1_and_fastsync" -V +\end_layout + \begin_layout Part Configuration \end_layout 
@@ -597,6 +605,133 @@ (...) \end_layout +\begin_layout Standard +An alternative configuration file in case you want to provide only +\begin_inset Quotes eld +\end_inset + +ldap_user +\begin_inset Quotes erd +\end_inset + + with access, but no other users, even though they may have authenticated + themselves. + Note: The following configuration grants access to the +\begin_inset Quotes eld +\end_inset + +ldap_user +\begin_inset Quotes erd +\end_inset + + only, if he has authenticated himself using an SASL based mechanism. + If he used the simple authentication mechanism, the following access rules + would NOT be sufficient: +\end_layout + +\begin_layout LyX-Code +access to dn.subtree="ou=addressbook,dc=example,dc=com" by dn="cn=ldap_user,dc=ex +ample,dc=com" write by dn="cn=ldap_user,ou=people,dc=example,dc=com" write + +\end_layout + +\begin_layout LyX-Code + +\end_layout + +\begin_layout LyX-Code +access to dn.subtree="ou=calendar,dc=example,dc=com" by dn="cn=ldap_user,dc=examp +le,dc=com" write by dn="cn=ldap_user,ou=people,dc=example,dc=com" write + +\end_layout + +\begin_layout LyX-Code + +\end_layout + +\begin_layout LyX-Code +access to dn.subtree="ou=todo,dc=example,dc=com" by dn="cn=ldap_user,dc=example,d +c=com" write by dn="cn=ldap_user,ou=people,dc=example,dc=com" write +\end_layout + +\begin_layout LyX-Code + +\end_layout + +\begin_layout LyX-Code +access to dn.subtree="o=notes,dc=example,dc=com" by dn="cn=ldap_user,dc=example,d +c=com" write by dn="cn=ldap_user,ou=people,dc=example,dc=com" write +\end_layout + +\begin_layout LyX-Code + +\end_layout + +\begin_layout LyX-Code +access to dn.base="cn=Subschema" by * read +\end_layout + +\begin_layout LyX-Code +access to dn.one="ou=people,dc=example,dc=com" by * read +\end_layout + +\begin_layout Standard +A second alternative of the access rights section: Only the +\begin_inset Quotes eld +\end_inset + +ldap_user +\begin_inset Quotes erd +\end_inset + + is granted access to the addressbook etc, but he may 
be allowed to use + both an SASL based authentication mechanism and the simple one: +\end_layout + +\begin_layout LyX-Code +access to dn.subtree="ou=addressbook,dc=example,dc=com" by dn="cn=ldap_user,dc=ex +ample,dc=com" write +\end_layout + +\begin_layout LyX-Code + +\end_layout + +\begin_layout LyX-Code +access to dn.subtree="ou=calendar,dc=example,dc=com" by dn="cn=ldap_user,dc=examp +le,dc=com" write +\end_layout + +\begin_layout LyX-Code + +\end_layout + +\begin_layout LyX-Code +access to dn.subtree="ou=todo,dc=example,dc=com" by dn="cn=ldap_user,dc=example,d +c=com" write +\end_layout + +\begin_layout LyX-Code + +\end_layout + +\begin_layout LyX-Code +access to dn.subtree="o=notes,dc=example,dc=com" by dn="cn=ldap_user,dc=example,d +c=com" write +\end_layout + +\begin_layout LyX-Code + +\end_layout + +\begin_layout LyX-Code +access to dn.base="cn=Subschema" by * read +\end_layout + +\begin_layout LyX-Code +access to dn.one="ou=people,dc=example,dc=com" by * read +\end_layout + \begin_layout Subsection Syntax test of the configuration file \end_layout 
@@ -3339,6 +3474,237 @@ osynctool --discover "sync_ldap_with_evolution" \end_layout +\begin_layout Section +Proxy authorization (authzid) +\end_layout + +\begin_layout Standard +\begin_inset Quotes eld +\end_inset + +Proxy +\begin_inset Quotes erd +\end_inset + + in this context does not have anything to do with a proxy server for http + et al., like squid. + Proxy authorization means, the user authenticates as one particular person, + but acts as a different person. + The user acts on behalf of this other person. +\end_layout + +\begin_layout Standard +In short: +\end_layout + +\begin_layout Itemize +Authentication: answers the question who is basically allowed to do something +\end_layout + +\begin_layout Itemize +Authorization: answers the question to what precisely a particular person + is entitled to do something. + This is about the amount of rights someone has. + How far do his permissions reach. +\end_layout + +\begin_layout Standard +Authorization is the second step. + It does not come to the question about authorization, until someone has + authentiated himself. +\end_layout + +\begin_layout Standard +Say, an LDAP server has the following set of access rules: +\end_layout + +\begin_layout LyX-Code +vim /etc/openldap/slapd.conf +\end_layout + +\begin_layout LyX-Code +(...) +\end_layout + +\begin_layout LyX-Code +access to dn.subtree="ou=addressbook,dc=example,dc=com" by dn="cn=ldap_user,dc=ex +ample,dc=com" write +\end_layout + +\begin_layout LyX-Code +access to dn.subtree="ou=calendar,dc=example,dc=com" by dn="cn=ldap_user,dc=examp +le,dc=com" write +\end_layout + +\begin_layout LyX-Code +access to dn.subtree="ou=todo,dc=example,dc=com" by dn="cn=ldap_user,dc=example,d +c=com" write +\end_layout + +\begin_layout LyX-Code +access to dn.subtree="o=notes,dc=example,dc=com" by dn="cn=ldap_user,dc=example,d +c=com" write +\end_layout + +\begin_layout LyX-Code +(...) 
+\end_layout + +\begin_layout Standard +With this set of access rules, the user +\begin_inset Quotes eld +\end_inset + +fowly +\begin_inset Quotes erd +\end_inset + + would not be entitled to write to the addressbook. + However, the admin could establish proxy authorization: +\end_layout + +\begin_layout LyX-Code +vim /etc/openldap/slapd.conf +\end_layout + +\begin_layout LyX-Code +(...) +\end_layout + +\begin_layout LyX-Code +authz-policy From +\end_layout + +\begin_layout Standard +This allows the +\begin_inset Quotes eld +\end_inset + +ldap_user +\begin_inset Quotes erd +\end_inset + + to grant permission to +\begin_inset Quotes eld +\end_inset + +fowly +\begin_inset Quotes erd +\end_inset + + to act on behalf of him, the +\begin_inset Quotes eld +\end_inset + +ldap_user +\begin_inset Quotes erd +\end_inset + +: +\end_layout + +\begin_layout LyX-Code +vim authz_from.entrymods +\end_layout + +\begin_layout LyX-Code +dn: cn=ldap_user,ou=people,dc=example,dc=com +\end_layout + +\begin_layout LyX-Code +Replace: authzFrom +\end_layout + +\begin_layout LyX-Code +authzFrom: cn=fowly,dc=example,dc=com +\end_layout + +\begin_layout LyX-Code + +\end_layout + +\begin_layout LyX-Code +ldapmodify -x -D "cn=root,dc=example,dc=com" -w password -f authz_from.entrymods +\end_layout + +\begin_layout Standard +Quick check (mind the plus sign at the end the command: +\end_layout + +\begin_layout LyX-Code +ldapsearch -x -D "cn=ldap_user,ou=people,dc=example,dc=com" -w secret -LLL + -b "cn=ldap_user,ou=people,dc=example,dc=com" + +\end_layout + +\begin_layout LyX-Code +(...) +\end_layout + +\begin_layout LyX-Code +authzFrom: {0}dn:cn=fowly,dc=example,dc=com +\end_layout + +\begin_layout LyX-Code +(...) +\end_layout + +\begin_layout Standard +What are the consequences? 
+\end_layout + +\begin_layout Standard +The following does not grant write access: +\end_layout + +\begin_layout LyX-Code +ldapadd -U "fowly" -w "hidden" -f contact1.ldif +\end_layout + +\begin_layout Standard +whereas this one does: +\end_layout + +\begin_layout LyX-Code +ldapadd -U "fowly" -w "hidden" -X "dn: cn=ldap_user,ou=people,dc=example,dc=com" + -f contact1.ldif +\end_layout + +\begin_layout Standard +With an LDAP server configured as just shown, the user +\begin_inset Quotes eld +\end_inset + +fowly +\begin_inset Quotes erd +\end_inset + + could run a typical +\begin_inset Quotes eld +\end_inset + +osynctool --configure ... +\begin_inset Quotes erd +\end_inset + + and set the +\begin_inset Quotes eld +\end_inset + +authzid +\begin_inset Quotes erd +\end_inset + + variable to +\begin_inset Quotes eld +\end_inset + +dn=ldap_user,ou=people,dc=example,dc=com +\begin_inset Quotes erd +\end_inset + +. +\end_layout + \begin_layout Part Usage \end_layout |
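Review bot: the `reset;` prefix on the two new ctest lines (`reset; time ctest -R "^add_mod_del_contact1_and_fastsync"` in the @@ -313 hunk and its `-V` twin in the @@ -325 hunk) is unrelated to running the test: it reinitialises the terminal, which is surprising in a README and pointless when the line is pasted into a script or a non-interactive shell. Either drop it or say in the surrounding text why it is there, and document just `time ctest -R "^add_mod_del_contact1_and_fastsync"` (and the `-V` form) as the command.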
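Review bot: in the @@ -597 hunk the two explanations appear to be attached to the wrong rule sets. The first set grants write to both `cn=ldap_user,dc=example,dc=com` and `cn=ldap_user,ou=people,dc=example,dc=com`, yet its text says it is sufficient only after an SASL bind; the second set names only `cn=ldap_user,dc=example,dc=com`, yet its text says the user may use both SASL and the simple mechanism. A simple bind is authorised as the bound entry DN, which elsewhere in this README is `cn=ldap_user,ou=people,dc=example,dc=com` (the `-D` argument of the ldapsearch in the new proxy section), so it is the set with two `by dn=` clauses that covers both mechanisms and the single-clause set that does not; swap the paragraphs or the rule sets, and state explicitly which DN the SASL authz-regexp maps ldap_user to, since that is what decides it. Separately, the paragraph promises access for ldap_user "but no other users", while `access to dn.one="ou=people,dc=example,dc=com" by * read` gives every client, anonymous ones included, read on all user attributes of every entry under ou=people; slapd stops at the first `access to` whose target matches, so unless the elided `(...)` part already carries an earlier `access to attrs=userPassword by self write by anonymous auth by * none`, add one ahead of this rule, and consider `by users read` instead of `by * read`. Writing `by dn.exact=` rather than `by dn=` would also make the intended exact match unambiguous to readers.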
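Review bot: in the @@ -3339 hunk the DN used as the proxied identity does not match the DN the quoted access rules grant write to. The rules say `by dn="cn=ldap_user,dc=example,dc=com" write`, the authzFrom entry and the `-X` argument use `cn=ldap_user,ou=people,dc=example,dc=com`, and the osynctool `authzid` value is written `dn=ldap_user,ou=people,dc=example,dc=com`, which is neither a DN (the RDN is `cn=`) nor an RFC 4513 authzid (the prefix is `dn:`). With the rules as quoted, `ldapadd -U "fowly" -w "hidden" -X "dn: cn=ldap_user,ou=people,dc=example,dc=com" -f contact1.ldif` is authorised as the ou=people DN, which those rules never mention, so the sentence "whereas this one does" only holds if the elided `(...)` rules cover that DN; pick one DN for ldap_user throughout the section and write the authzid as `dn:cn=ldap_user,ou=people,dc=example,dc=com` in both the `-X` example and the osynctool setting. An `ldapwhoami -U fowly -X "dn:cn=ldap_user,ou=people,dc=example,dc=com"` line after the ldapmodify would let readers confirm which identity slapd actually grants before they attempt the write. Smaller points in the same hunk: the LDIF record for the authzFrom change has no `changetype: modify` line and spells the operation `Replace:`; write `changetype: modify` followed by `replace: authzFrom` so it is a plain RFC 2849 modify record rather than relying on ldapmodify defaults. In the prose, `authentiated` should read `authenticated`, and `(mind the plus sign at the end the command:` is missing both "of" and its closing parenthesis; since authzFrom is an operational attribute, the trailing `+` on the ldapsearch command is the only reason it appears in the output, which is worth saying outright. Finally, "Authentication: answers the question who is basically allowed to do something" blurs the two terms: authentication establishes who the client is, authorization what that identity may do, and because slapd evaluates `by anonymous` and `by *` clauses for unauthenticated clients too, "it does not come to the question about authorization until someone has authenticated" is not accurate for LDAP.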