perl-ldap-dev

proxy

[Bing D. <Bi...@ci...>]

I apologize if what I said is sort of off topic.  I appreciate it if
somebody can point me to the right direction.

Does anybody have any experience with implementing proxy in LDAP? 
Specifically, here is what I want to accomplish:

Assume there are two entries in the directory server like this:

===================
entry1:

dn: cn=owner1, ou=xxx, dc=xxx, dc=xxx
name: owner1
phonenumber: xxx
proxy: owner2

entry2:

dn: cn=owner2, ou=xxx, dc=xxx, dc=xxx
name: owner2
phonenumber: xxx
===================

As you can see, 'owner1' assigns 'owner2' as his proxy.  So besides DSA
manager, only owner2 is able to modify owner1's entry.

So far I have no idea where to start.  Is this an ACL related issue?  

BTW, we use MessagingDirect's directory server.

Bing





Bing Du <bi...@ta..., 979-845-9577>
Texas A&M University, CIS, Operating Systems, Unix

Re: proxy

[Chris R. <chr...@me...>]

Bing Du <Bi...@ci...> wrote:
> I apologize if what I said is sort of off topic.  I appreciate it if
> somebody can point me to the right direction.
> 
> Does anybody have any experience with implementing proxy in LDAP? 
> Specifically, here is what I want to accomplish:
> 
> Assume there are two entries in the directory server like this:
> 
> ===================
> entry1:
> 
> dn: cn=owner1, ou=xxx, dc=xxx, dc=xxx
> name: owner1
> phonenumber: xxx
> proxy: owner2
> 
> entry2:
> 
> dn: cn=owner2, ou=xxx, dc=xxx, dc=xxx
> name: owner2
> phonenumber: xxx
> ===================
> 
> As you can see, 'owner1' assigns 'owner2' as his proxy.  So besides DSA
> manager, only owner2 is able to modify owner1's entry.
>
> So far I have no idea where to start.  Is this an ACL related issue?  

Yes, it's an access control issue. In the general case (allowing the proxy
entry and the target entry to be anywhere in the DIT) you will need to add
entryACI (an operational attribute with an ASN.1 (ie not text) syntax) to
every entry with a proxy. If you keep all the entries maintained by one
proxy in the same subtree (exclusively) then you would want to use
prescriptiveACI (ACI which applies to all entries in a subtree.)

Constructing the ACI values is not a huge problem if you can use
Convert::ASN1 and know what the ACIitem syntax is (hint: read the manual!)

This will technically work, but would cause a big management overhead
especially if using the entryACI scheme. (eg how do you change the overall
policy defining what the proxies are allowed to do to the entry?)

You may want to carefully consider what you are trying to achieve here.

Cheers,

Chris