Dear Peter As per your suggestion In inetOrgPerson I created a custom attribute called allowedService and now the users list is as
dn: ou=People,dc=prime,dc=ds,dc=geo,dc=com
objectClass: top
objectClass: organizationalUnit
ou: People
dn: uid=user1,ou=People,dc=prime,dc=ds,dc=geo,dc=com
objectClass: top
objectClass: posixAccount
objectClass: inetOrgPerson
uid: user1
allowedService: zabbix
allowedService: gitlab
dn: uid=user2,ou=People,dc=prime,dc=ds,dc=geo,dc=com
objectClass: top
objectClass: posixAccount
objectClass: inetOrgPerson
uid: user2
allowedService: gitlab
dn: uid=user3,ou=People,dc=prime,dc=ds,dc=geo,dc=com
objectClass: top
objectClass: posixAccount
objectClass: inetOrgPerson
uid: user3
allowedService: gitlab
Now we have two applications zabbix and gitlb. For zabbix user1 need to
have access others not. For gitlab three users should have access.
We have created two organizational units as
dn: ou=zabix,ou=Groups,dc=prime,dc=ds,dc=geo,dc=com
objectClass: top
objectClass: organizationalUnit
ou: zabbix
dn: ou=gitlab,ou=Groups,dc=prime,dc=ds,dc=geo,dc=com
objectClass: top
objectClass: organizationalUnit
ou: gitlab
In zabbix application configured as follows:
host: 192.168.1.1
base: ou=zabix,ou=Groups,dc=prime,dc=ds,dc=geo,dc=com
port: 636
uid: uid
bind_dn: uid=user1,ou=People,dc=prime,dc=ds,dc=geo,dc=com
password: password
In slapd.conf file we added acl as:
access to dn.base="ou=People,dc=prime,dc=ds,dc=geo,dc=com"
filter="(allowedService=zabbix)" attrs=uid,userPassword by
dn.exact="ou=zabix,ou=Groups,dc=prime,dc=ds,dc=geo,dc=com" read by * break
But with this configuration we are unable to login to zabix application
with user user1.
Can you please help me on it. Let me know I am following the correct way?
Can you please update me the correct steps we need to done.
Thanks in advance.
Geo
Skype id: geopcgeo
On Thu, May 9, 2013 at 4:30 PM, Geo P.C. <[email protected]> wrote:
> Dear Peter
>
> Thanks for your update. As you specified I am trying to set up this
> option. Thanks again
>
> Geo.
>
>
>
> On Tue, May 7, 2013 at 8:34 PM, Peter Gietz <[email protected]> wrote:
>
>> Hi Geo,
>>
>> I don't think that alias object will be of use for you. Frankly I don't
>> quite understand how you would like to use that.
>>
>> What you should do as I proposed (solution 2b.):
>>
>> define an attribute like allowedService and manage that instead of using
>> groups.
>>
>> create accounts for each application (all applications have binddn and
>> bind password to connect to an ldap server)
>>
>> And the restrict access rights of these DNs via ACLs such as :
>>
>> access to filter=(allowedService=Wordpress)
>> by cn=wordpress,ou=serviceaccounts,dc=examle,dc=com
>> read
>> ...
>>
>> access to * by * none
>>
>> Cheers,
>>
>> Peter
>>
>>
>>
>> Am 07.05.2013 14:59, schrieb Geo P.C.:
>>
>> Dear Peter,
>>
>> Thanks for your reply. In order to login to an application from a
>> selected group only we checked alias option. But it was not working. Please
>> see the details:
>>
>> In application we have given base dn as ou=People,dc=geo,dc=com and the
>> user dn: uid=geo_pc,ou=People,dc=geo,dc=com can able to login to the
>> application successfully.
>>
>> Now we created an alias as follows:
>>
>> dn: uid=geo_pc,ou=Applications,ou=Groups,dc=geo,dc=com
>>
>> aliasedobjectname: uid=geo_pc,ou=People,dc=geo,dc=com
>>
>> objectclass: alias
>>
>> objectclass: extensibleObject
>>
>> objectclass: top
>>
>> uid: geo_pc
>>
>> Now in application we have given base dn as
>> ou=Applications,ou=Groups,dc=geo,dc=com but with this user
>> ou=Applications,ou=Groups,dc=geo,dc=com we are unable to login to the
>> application.
>>
>> Please let us know is there any additional configuration we need to done.
>> Can you please help me on it.
>>
>>
>>
>>
>> Thanks
>> Geo
>>
>>
>>
>>
>>
>>
>> *Thanks & Regards
>> Geo P.C.
>> www.geopc.co.cc*
>>
>>
>> On Tue, May 7, 2013 at 5:51 PM, Peter Gietz <[email protected]> wrote:
>>
>>>
>>> 1.) If you had a config parameter like search filter in your application
>>> you could use that to make unwanted users invisible for the application.
>>> But this means you can't use group entries , but dynamic groups, i.e. a
>>> group is an ldapfilter, e.g. "(allowedServices=Wordpress)" and you manage
>>> group privileges in an own attribute allowedServices.
>>>
>>> 2.) You could also do this via ACLs in the server, each application
>>> using its own bind dn, which can then have read access to a subset of the
>>> data. Here you can use a.) group entries or b.) dynamic groups
>>>
>>> 3.) Of course you could also have a separate replica for each
>>> application with filtered entries, but only with dynamic groups (see 1.),
>>> but that is a lot of overhead. Beware: combining this with 2. i.e. group
>>> ACLs on replica bindDN is a rathole, don't do that!
>>>
>>> 4.) IMHO best would be to file a feature request to the application
>>> developers for supporting LDAP-groups
>>>
>>>
>>> if not 4.) my recommendation would be 2a.) being the minimal invasive
>>> alternative.
>>>
>>> Hope this helps,
>>>
>>> Peter
>>>
>>>
>>> Am 06.05.2013 12:21, schrieb Geo P.C.:
>>>
>>> Hi
>>>
>>> We are using many applications like zabbix, phabricator, AC etc. We need
>>> to integrate LDAP in all these applications. These application support LDAP
>>> but not group based authentication.
>>>
>>> Please let us know is there any option to restrict selected users to
>>> login. We created all users under ou ‘users’ .
>>>
>>> [image: Inline image 1]
>>>
>>> On these application we need to login certain users only. How we can
>>> restrict it as we can’t able to restrict on application side
>>>
>>> In these application they provide only “Base DN” and “Search Attribute”
>>> so we can’t able to give dn: ou=users,ou=system as it gives access to all
>>> users.
>>>
>>> So is it possible to give Base DN as “cn=Zabbix,ou=groups,ou=system” and
>>> this group contains only user1 and user2. SO it will restrict users.
>>>
>>> Please let us know how we can implement this scenario. Thanks in advance
>>> please help us to solve this issue.
>>>
>>> Thanks
>>> Geo
>>>
>>>
>>>
>>>
>>> --
>>>
>>> Peter Gietz, CEO
>>>
>>> DAASI International GmbH
>>> Europaplatz 3
>>> D-72072 Tübingen
>>> Germany
>>>
>>> phone: +49 7071 407109-0
>>> fax: +49 7071 407109-9
>>> email: [email protected]
>>> web: www.daasi.de
>>>
>>> Sitz der Gesellschaft: Tübingen
>>> Registergericht: Amtsgericht Stuttgart, HRB 382175
>>> Geschäftsleitung: Peter Gietz
>>>
>>>
>>>
>>>
>>
>>
>> --
>>
>> Peter Gietz, CEO
>>
>> DAASI International GmbH
>> Europaplatz 3
>> D-72072 Tübingen
>> Germany
>>
>> phone: +49 7071 407109-0
>> fax: +49 7071 407109-9
>> email: [email protected]
>> web: www.daasi.de
>>
>> Sitz der Gesellschaft: Tübingen
>> Registergericht: Amtsgericht Stuttgart, HRB 382175
>> Geschäftsleitung: Peter Gietz
>>
>>
>>
>>
>
<<image/jpeg>>
