
AACLS Documentation


Presentation Transcript


  1. AACLS Documentation
     • LDAP and releasing information issue
     • ACL and ACI
     • AACLS Model
     • Physical Architecture
     • Logical Architecture
     • Example: a French university
     • Licensing and trademarks

  2. System Purpose
     • Internal LDAP Service: secured and authenticated transfer of private and public information
     • Public LDAP Service: insecure and unauthenticated transfer of public information
     [Diagram labels: Internet; LDAP Internal Server; Email Server (POP); VPN Server; ???]

  3. Applications integration issue: information access control model
     • ACL
       Pro: simple, time saving
       Cons: static, limited
     • ACI
       Pro: powerful, dynamic
       Cons: complex, time consuming
     Each object gets its ACLs to control its access rights. But with N entries with P attributes, the worst case will need N²*P ACI to control access to these entries. ACLs are suitable for single-entry rights management, but there is no way to have dynamic rights management.

  4. ACL example: simple but static

         access to dn.exact="cn=My Group,ou=Groups,dc=example,dc=com" attrs=member
             by dnattr=owner write
             by dnattr=member selfwrite
             by dn.regex="cn=[^,]+,ou=Apps,dc=example,dc=com" read
             by * none

         access to dn.exact="cn=My Group3,ou=Groups,dc=example,dc=com" attrs=member
             by dnattr=owner write
             by dnattr=member selfwrite
             by dn.regex="cn=[^,]+,ou=Apps,dc=example,dc=com" read
             by * none

     Two different groups need two ACLs for the same rights, and these ACLs are written in the configuration file (slapd.conf).

  5. ACI example: complex and ill-suited

         dn: uid=mccarthy,ou=people,l=dallas,o=acme
         uid: mccarthy
         givenName: Kevin
         sn: McCarthy
         cn: Kevin McCarthy
         mail: mccarthy@acmewidgets.com
         userPassword: foobar
         objectClass: top
         objectClass: person
         objectClass: openLDAPacl
         OpenLDAPaci: 1#entry#grant;r,w,s,c;[all]#group#cn=enterprise admins,ou=groups,o=acme
         OpenLDAPaci: 2#entry#grant;r,w,s,c;[all]#group#cn=dallas admins,ou=groups,l=dallas,o=acme
         OpenLDAPaci: 3#entry#grant;r,w,s,c;userPassword,mail;r,s,c;[all]#access-id#uid=user1,ou=people,l=dallas,o=acme
         OpenLDAPaci: 4#entry#grant;r,s,c;[all]#group#cn=all acme,ou=groups,o=acme

     These ACIs need to be written in each entry. Modifying an access rule would mean modifying every entry concerned.

  6. AACLS model
     • AACLS was created to meet special information-management needs with a system that is both more powerful and simpler than ACI.
     • The rights are managed through rules which are stored in the directory and dynamically analyzed. This system fits a great number of cases, in particular those where ACL and ACI are completely unable to operate. These cases are described by relations written in a simple but specific language.
     • Complex relationships between entries are probably the most difficult cases and need all the power of the LDAP tree concept to be described.
     • That's why this model is useful for you if:
       • you are using a true tree structure, not a flat one!
       • you need to manage information access rights with strict rules on a great number of entries
       • you are going to use your directory to share and control access to public and private information.
     • Because this model is very powerful, it is also very time consuming. That's why the piece of code is only provided as a gateway.

  7. System Purpose
     [Diagram labels: Internet; LDAP Internal Server; Email Server (POP); VPN Server; ???; OK!; AACL gateways; OK!; intranet, shared control systems]

  8. UPMC Example
     • The structure:
       • a flat tree with all personal data
       • trees representing the university schooling schema, with aliases to link the people
     • The constraint: by default nothing is readable.
     • The need: students who are in the same diploma need to "see" each other.

  9. UPMC DIT
     [Diagram labels: People; Pedagogic Tree; Administrative Registration; AACL; MBA; MCS; Diploma families relationship; Management; Finance; Diploma; Actor; Math; Finance; Teaching modules; Target; Links to people]

  10. UPMC – Data example
     To explain, we need to consider some data examples:
     • Actor (or author) personal DN: uid=A,ou=People,dc=upmc.fr
     • Target personal DN: uid=B,ou=People,dc=upmc.fr
     • Actor to Math module link: uid=A,ou=Math,ou=Finance,ou=MBA,ou=AR,dc=upmc.fr
     • Target to Finance module link: uid=B,ou=Finance,ou=Finance,ou=MBA,ou=AR, dc=upmc.fr

  11. UPMC – Relation example
     So the "human" relation:
     • take the Actor RDN
       RESULT: uid=A
     • look up that RDN under ou=AR, dc=upmc.fr
       OPERATION: search with base="ou=AR, dc=upmc.fr" and filter="uid=A"
       RESULT: uid=A,ou=Math,ou=Finance,ou=MBA,ou=AR,dc=upmc.fr
     • go two levels up
       OPERATION: sup("uid=A,ou=Math,ou=Finance,ou=MBA,ou=AR,dc=upmc.fr",2)
       RESULT: ou=Finance,ou=MBA,ou=AR,dc=upmc.fr
     • look up the Target RDN
       OPERATION: search with base="ou=Finance,ou=MBA,ou=AR,dc=upmc.fr" and filter="uid=B"
       RESULT: uid=B,ou=Finance,ou=Finance,ou=MBA,ou=AR, dc=upmc.fr
     If you find at least one result, it is because the target and the actor are registered in the same diploma. That's it!

  12. UPMC – AACL example
     And now the AACL expression:
     • take the Actor RDN

           "uid=$authorRDN"

     • look up that RDN under ou=AR, dc=upmc.fr

           search("ou=AR, dc=upmc.fr", "uid=$authorRDN")

     • go two levels up

           sup(search("ou=AR, dc=upmc.fr", "uid=$authorRDN"), 2)

     • look up the Target RDN

           search(sup(search("ou=AR,dc=upmc.fr","uid=$authorRDN"),2), "uid=$targetRDN")

  13. UPMC – AACL complete example
     We have the relationship between the author and the target:

         relation: search(sup(search("ou=AR,dc=upmc.fr","uid=$authorRDN"),2), "uid=$targetRDN")

     Now we need to specify which attribute(s) this relation applies to:

         attribute: uid
         attribute: cn
         attribute: mail
         attribute: telephoneNumber

     Then we need to specify the type of access allowed:

         rights: r

     An optional description:

         description: give the right to students in the same diploma to see themselves

  14. UPMC – AACL LDIF entry
     And now the corresponding AACL LDAP entry:

         dn: cn=1, ou=ACL, dc=upmc.fr
         cn: 1
         objectClass: aacls
         objectClass: top
         relation: search(sup(search("ou=AR,dc=upmc.fr","uid=$authorRDN"),2), "uid=$targetRDN")
         attribute: uid
         attribute: cn
         attribute: mail
         attribute: telephoneNumber
         rights: r
         description: give the right to students in the same diploma to see themselves

  15. Licensing
     • This backend (source code and documentation) is released under the GPL license.
     • This backend is designed specifically for OpenLDAP Software but is not a product of the OpenLDAP Project <http://www.openldap.org>.
     • OpenLDAP is a registered trademark of the OpenLDAP Foundation.
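
The relation from slides 11 to 14, evaluated over a small constructed set of DNs, as an added example (this is not the AACLS backend's code). The `search`/`sup` semantics, the reading of `$authorRDN`/`$targetRDN` as the uid value, and the `uid=C` entry are assumptions; variables are substituted only inside already-parsed string literals, so an RDN value cannot change the structure of the expression.

```python
import re

DIT = [  # constructed sample directory; only the A and B links come from slide 10
    "uid=A,ou=People,dc=upmc.fr",
    "uid=B,ou=People,dc=upmc.fr",
    "uid=A,ou=Math,ou=Finance,ou=MBA,ou=AR,dc=upmc.fr",
    "uid=B,ou=Finance,ou=Finance,ou=MBA,ou=AR,dc=upmc.fr",
    "uid=C,ou=Algo,ou=Systems,ou=MCS,ou=AR,dc=upmc.fr",  # hypothetical student
]
RELATION = 'search(sup(search("ou=AR,dc=upmc.fr","uid=$authorRDN"),2), "uid=$targetRDN")'

def norm(dn):  # lower-case and drop spaces around commas (enough for this sample)
    return ",".join(part.strip().lower() for part in dn.split(","))

def sup(dns, n):
    """Go n levels up: strip the n leftmost RDNs from each DN."""
    return [",".join(norm(d).split(",")[n:]) for d in dns]

def search(bases, flt):
    """Subtree search: entries below a base whose own RDN equals the filter."""
    return [e for e in map(norm, DIT) for b in map(norm, bases)
            if e.endswith("," + b) and e.split(",")[0] == norm(flt)]

def evaluate(expr, author, target):
    """Evaluate a nested search()/sup() relation; returns the matching DNs."""
    tokens = re.findall(r'"[^"]*"|\w+|[(),]', expr)
    pos = 0
    def parse():
        nonlocal pos
        tok = tokens[pos]
        pos += 1
        if tok.startswith('"'):      # string literal: substitute variables here only
            return tok[1:-1].replace("$authorRDN", author).replace("$targetRDN", target)
        if tok.isdigit():
            return int(tok)
        if tok not in ("search", "sup"):
            raise ValueError("unknown function: " + tok)
        pos += 1                     # skip "("
        first = parse()
        pos += 1                     # skip ","
        second = parse()
        pos += 1                     # skip ")"
        first = [first] if isinstance(first, str) else first  # literal base DN
        return sup(first, second) if tok == "sup" else search(first, second)
    return parse()

def allowed(author, target):
    """The rule grants its rights when the relation yields at least one entry."""
    return bool(evaluate(RELATION, author, target))
```

`allowed("A", "B")` is true because both links sit under `ou=Finance,ou=MBA`, while `allowed("A", "C")` is false. A real gateway would pass these values into LDAP search filters, where they also need filter escaping.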
