wallet ldap question

Ross Smith rjsm at umich.edu
Wed Oct 24 12:34:42 EDT 2012


I have enough other changes implemented to start testing this.  I've added
the code to my install, and the metadata to Schema.pm to generate the table
entries, but I get the error "wallet: unknown ACL scheme ldap-group".  I
figured I missed something until I tried to add an ldap-attr acl and got a
similar error. I also get the error with a pristine install of wallet from
git master.  What else might need to be done to get wallet to accept ldap
acls?


Ross Smith <rjsm at umich.edu>
College of Engineering - CAEN - Unix and Linux Support



On Tue, Aug 28, 2012 at 4:18 PM, Russ Allbery <rra at stanford.edu> wrote:

> Russ Allbery <rra at stanford.edu> writes:
> > Ross Smith <rjsm at umich.edu> writes:
>
> >> What is the best course of implementing something like this?  I was
> >> planning to use the existing ldap-attr code as a starting point and
> >> implement this there?
>
> > That's what I'd do.
>
> > http://stackoverflow.com/questions/1032351/how-to-write-ldap-query-to-test-if-user-is-member-of-a-group
>
> > looks like the right way to construct the LDAP query to do a memberof
> > check.
>
> Some more thoughts on this:
>
> You need to decide whether to store in the ACL the full DN of the group or
> to store in the configuration some way to construct the DN given the group
> name.  I would lean towards the former; it's a little uglier, but it's the
> most general, in case you have groups in multiple DN stems.
>
> I would therefore lean towards an ACL syntax like:
>
>     ldap-group cn=some-group,cn=groups,dc=example,dc=org
>
> (This is, in fact, exactly why the new LDAP ACL scheme is called ldap-attr
> and not just ldap; I knew we were going to need an ldap-group eventually.)
>
> You should then be able to reuse the existing code and configuration for
> how to map the authenticated user to a DN.  Once you have the user's DN
> and the DN of the LDAP group (from the ACL information), you can then
> either do a memberof query (if you assume that the LDAP server has
> memberof support), or do something more complex where you do a compare to
> see if the group's member attribute contains the DN of the user.
>
> --
> Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>
>
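The check sketched in the quoted reply, worked through as an added example (this is illustration code, not wallet's own Perl verifier): the ACL carries the full group DN, the authenticated user is mapped to a DN, and membership is decided either by a memberOf query against the user's entry or by an LDAP Compare on the group's member attribute. The directory contents, the DNs and the FakeDirectory class are constructed stand-ins so the example runs offline; against a real server the two strategy functions would call search() and compare() on a Net::LDAP or ldap3 connection instead. The example also shows why the group DN taken from the ACL string has to be RFC 4515-escaped before it is interpolated into a filter.

```python
"""ldap-group membership check: memberOf query vs. Compare on member.

Added illustration, not code from wallet.  DIRECTORY, GROUP_DN and
FakeDirectory are constructed stand-ins for a real LDAP server."""

import re

GROUP_DN = "cn=some-group,cn=groups,dc=example,dc=org"

# Constructed sample directory: DN -> {attribute: [values]}.
# carol is listed in the group's member attribute but her entry has no
# memberOf value, which is what happens on servers without the memberOf
# overlay (or when the back-link is stale).
DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=org": {"memberOf": [GROUP_DN]},
    "uid=bob,ou=people,dc=example,dc=org": {"memberOf": []},
    "uid=carol,ou=people,dc=example,dc=org": {"memberOf": []},
    GROUP_DN: {
        "member": [
            "uid=alice,ou=people,dc=example,dc=org",
            "uid=carol,ou=people,dc=example,dc=org",
        ],
    },
}


def escape_filter_value(value):
    """RFC 4515 escaping for a value interpolated into a search filter.
    The group DN comes from the ACL string, so it must not be able to
    inject filter syntax such as '*' or ')(' into the query."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c
                   for c in value)


def unescape_filter_value(raw):
    """Reverse of escape_filter_value, used by the stand-in server."""
    return re.sub(r"\\([0-9a-fA-F]{2})",
                  lambda m: chr(int(m.group(1), 16)), raw)


class FakeDirectory:
    """Minimal stand-in for an LDAP connection (constructed for this
    example).  search() supports a base-scope search with one equality
    or substring filter; compare() mirrors the LDAP Compare operation."""

    def __init__(self, entries):
        self.entries = entries

    def search(self, base_dn, filt):
        entry = self.entries.get(base_dn)
        if entry is None:
            return []                       # noSuchObject
        m = re.fullmatch(r"\((\w+)=(.*)\)", filt, re.S)
        if not m:
            raise ValueError("unsupported filter: %r" % filt)
        attr, raw = m.groups()
        # An unescaped '*' is a wildcard, as on a real server; escaped
        # bytes (\2a etc.) are matched literally.
        pattern = ".*".join(re.escape(unescape_filter_value(piece))
                            for piece in raw.split("*"))
        rx = re.compile("^" + pattern + "$", re.I)
        hit = any(rx.match(v) for v in entry.get(attr, []))
        return [base_dn] if hit else []

    def compare(self, dn, attr, value):
        entry = self.entries.get(dn)
        if entry is None:
            return False
        return value.lower() in (v.lower() for v in entry.get(attr, []))


def is_member_via_memberof(conn, user_dn, group_dn):
    """Strategy 1: base-scope search on the user's own entry asking whether
    memberOf lists the group.  Requires memberOf support on the server."""
    filt = "(memberOf=%s)" % escape_filter_value(group_dn)
    return bool(conn.search(user_dn, filt))


def is_member_via_compare(conn, user_dn, group_dn):
    """Strategy 2: Compare on the group entry: does its member attribute
    contain the user's DN?  Works without memberOf support."""
    return conn.compare(group_dn, "member", user_dn)


def check_ldap_group_acl(conn, user_dn, acl_value, server_has_memberof):
    """Verifier entry point.  acl_value is the full group DN stored in the
    ACL, e.g. the DN after "ldap-group " in the syntax from the thread."""
    if server_has_memberof:
        return is_member_via_memberof(conn, user_dn, acl_value)
    return is_member_via_compare(conn, user_dn, acl_value)


if __name__ == "__main__":
    conn = FakeDirectory(DIRECTORY)
    for uid in ("alice", "bob", "carol"):
        dn = "uid=%s,ou=people,dc=example,dc=org" % uid
        print(uid, is_member_via_memberof(conn, dn, GROUP_DN),
              is_member_via_compare(conn, dn, GROUP_DN))
```

The two strategies disagree for carol: the Compare on the group's member attribute says yes, the memberOf query says no, because memberOf is a server-maintained back-link that only exists where the overlay (or AD's built-in equivalent) is present and current. A verifier that assumes memberOf support therefore fails closed on servers without it, which is the safer direction but worth documenting for the ACL's users. The escaping matters for the same reason the thread gives for storing the full DN: the value is arbitrary text from the ACL, and an unescaped "*" in a memberOf filter would match any group at all.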