AACLS Documentation LDAP and releasing information issue ACL and ACI AACLS Model Physical Architecture Logical Architecture Example : a French university.


AACLS Documentation

- LDAP and releasing information issue
- ACL and ACI
- AACLS Model
- Physical Architecture
- Logical Architecture
- Example: a French university
- Licensing and trademarks

System Purpose

[Diagram: LDAP internal server, server (POP), VPN server and the Internet; the public-facing LDAP service is marked "???"]

- Public LDAP service: insecure and unauthenticated transfer of public information (marked "???" on the diagram)
- Internal LDAP service: secured and authenticated transfer of private and public information

Applications integration issue: information access control model

ACL
  Pros: simple, time saving
  Cons: static, limited
ACI
  Pros: powerful, dynamic
  Cons: complex, time consuming

Each object gets its own ACLs to control its access rights, but with N entries of P attributes each, the worst case needs N²*P ACIs to control access to these entries. ACLs are suitable for single-entry rights management, but they offer no way to manage rights dynamically.

ACL example: simple but static

access to dn.exact="cn=My Group,ou=Groups,dc=example,dc=com" attrs=member
    by dnattr=owner write
    by dnattr=member selfwrite
    by dn.regex="cn=[^,]+,ou=Apps,dc=example,dc=com" read
    by * none

access to dn.exact="cn=My Group3,ou=Groups,dc=example,dc=com" attrs=member
    by dnattr=owner write
    by dnattr=member selfwrite
    by dn.regex="cn=[^,]+,ou=Apps,dc=example,dc=com" read
    by * none

Two different groups need two ACLs for the same rights, and these ACLs are written in the configuration file (slapd.conf).
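To make the first-match semantics of such a stanza concrete, here is a small Python walk-through. It is an added example, not part of the slides or of the AACLS backend: it evaluates the slide's "by" clauses for attrs=member against a constructed group entry. The group DN, owner and member values are constructed; the evaluation order and the meaning of dnattr, selfwrite and dn.regex approximate what slapd.access(5) documents, and the further checks a real slapd applies (authentication state, disclose) are left out.

```python
import re

# Constructed group entry (not from the slides): the attribute values slapd
# would consult for dnattr=owner and dnattr=member.
GROUP_DN = "cn=My Group,ou=Groups,dc=example,dc=com"
GROUP_ENTRY = {
    "owner": ["uid=owner1,ou=People,dc=example,dc=com"],
    "member": [
        "uid=alice,ou=People,dc=example,dc=com",
        "uid=bob,ou=People,dc=example,dc=com",
    ],
}

# The <by> clauses of the slide's ACL for attrs=member, in declaration order:
# (selector kind, selector argument, access level).
ACL_MEMBER = [
    ("dnattr", "owner", "write"),
    ("dnattr", "member", "selfwrite"),
    ("dn.regex", r"cn=[^,]+,ou=Apps,dc=example,dc=com", "read"),
    ("*", None, "none"),
]

def normalize_dn(dn):
    """Compare DNs case-insensitively and ignore spaces after commas."""
    return re.sub(r",\s*", ",", dn.strip()).lower()

def clause_matches(kind, arg, requester_dn, entry):
    """Does one <by> selector match the bound DN of the requester?"""
    if kind == "*":
        return True
    if kind == "dnattr":
        # dnattr=<attr>: the requester's DN must be a value of <attr> in the
        # entry being accessed.
        values = {normalize_dn(v) for v in entry.get(arg, [])}
        return normalize_dn(requester_dn) in values
    if kind == "dn.regex":
        # Unanchored regex, as written on the slide: matched anywhere in the DN.
        return re.search(arg, requester_dn, re.IGNORECASE) is not None
    raise ValueError(f"unknown selector {kind}")

def decide(requester_dn, entry, acl=ACL_MEMBER):
    """Access level granted to requester_dn on attrs=member: slapd takes the
    first matching <by> clause and never consults the later ones."""
    for kind, arg, level in acl:
        if clause_matches(kind, arg, requester_dn, entry):
            return level
    return "none"  # unreachable with a trailing "by * none", kept for safety

def may_write_value(requester_dn, value, entry, acl=ACL_MEMBER):
    """selfwrite lets a requester add or delete only the value equal to its
    own DN; write lets it change any value."""
    level = decide(requester_dn, entry, acl)
    if level == "write":
        return True
    if level == "selfwrite":
        return normalize_dn(value) == normalize_dn(requester_dn)
    return False

def render_acl(group_dn):
    """The slide's stanza for one group.  Every additional group needs another
    verbatim copy in slapd.conf: the 'static' cost the slide points out."""
    return "\n".join([
        f'access to dn.exact="{group_dn}" attrs=member',
        "    by dnattr=owner write",
        "    by dnattr=member selfwrite",
        '    by dn.regex="cn=[^,]+,ou=Apps,dc=example,dc=com" read',
        "    by * none",
    ])

if __name__ == "__main__":
    for who in ("uid=owner1,ou=People,dc=example,dc=com",
                "uid=alice,ou=People,dc=example,dc=com",
                "cn=portal,ou=Apps,dc=example,dc=com",
                "uid=eve,ou=People,dc=example,dc=com"):
        print(f"{who:45} -> {decide(who, GROUP_ENTRY)}")
    print(render_acl(GROUP_DN))
```

The order of the clauses matters: an owner who is also a member gets write, because the dnattr=owner clause is reached first; swapping the two lines would silently downgrade owners to selfwrite.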

ACI example: complex and misfit

dn: uid=mccarthy,ou=people,l=dallas,o=acme
uid: mccarthy
givenName: Kevin
sn: McCarthy
cn: Kevin McCarthy
mail:
userPassword: foobar
objectClass: top
objectClass: person
objectClass: openLDAPacl
OpenLDAPaci: 1#entry#grant;r,w,s,c;[all]#group#cn=enterprise admins,ou=groups,o=acme
OpenLDAPaci: 2#entry#grant;r,w,s,c;[all]#group#cn=dallas admins,ou=groups,l=dallas,o=acme
OpenLDAPaci: 3#entry#grant;r,w,s,c;userPassword,mail;r,s,c;[all]#access-id#uid=user1,ou=people,l=dallas,o=acme
OpenLDAPaci: 4#entry#grant;r,s,c;[all]#group#cn=all acme,ou=groups,o=acme

These ACIs need to be written in each entry. Modifying an access rule implies modifying every entry concerned by it.

AACLS model

AACLS has been created to fit special needs in information management, through a system that is both more powerful and simpler than ACI. Rights are managed through rules which are stored in the directory and analyzed dynamically. This system fits a great number of cases, in particular those where ACL and ACI are completely unable to operate. These cases are described by relations written in a simple but specific language. Complex relationships between entries are probably the most difficult cases, and describing them needs all the power of the LDAP tree concept. That is why this model is useful for you if:
- you are using a true tree structure, not a flat one!
- you need to manage information access rights with strict rules on a great number of entries
- you are going to use your directory to share and control access to public and private information.
Because this model is very powerful, it is also very time consuming. That is why the code is only provided as a gateway.

System Purpose

[Diagram: LDAP internal server, server (POP), VPN server and the Internet, as before, with AACL gateways in front of the internal LDAP server; the path previously marked "???" and the path from the intranet and shared control systems are now both marked "OK!"]

UPMC Example

The structure:
- a flat tree with all personal data
- trees representing the university schooling schema, with aliases to link the people
The constraint: by default nothing is readable.
The need: students who are in the same diploma need to "see" each other.

UPMC DIT

[Diagram of the UPMC directory information tree: branches AACL, People and the pedagogic tree (Administrative Registration); under Administrative Registration, diploma families (MBA, MCS), diplomas (Management, Finance) and teaching modules (Math, Finance), with links to people; an actor/target relationship is drawn between two people entries]

UPMC – Data example

To explain, we need to consider some data examples:
- Actor (or author) personal DN: uid=A,ou=People,dc=upmc.fr
- Target personal DN: uid=B,ou=People,dc=upmc.fr
- Actor to Math module link: uid=A,ou=Math,ou=Finance,ou=MBA,ou=AR,dc=upmc.fr
- Target to Finance module link: uid=B,ou=Finance,ou=Finance,ou=MBA,ou=AR,dc=upmc.fr

UPMC – Relation example

So the "human" relation:
- take the Actor RDN
  RESULT: uid=A
- look for that RDN under ou=AR,dc=upmc.fr
  OPERATION: search with base="ou=AR,dc=upmc.fr" and filter="uid=A"
  RESULT: uid=A,ou=Math,ou=Finance,ou=MBA,ou=AR,dc=upmc.fr
- get two levels up
  OPERATION: sup("uid=A,ou=Math,ou=Finance,ou=MBA,ou=AR,dc=upmc.fr", 2)
  RESULT: ou=Finance,ou=MBA,ou=AR,dc=upmc.fr
- look for the Target RDN there
  OPERATION: search with base="ou=Finance,ou=MBA,ou=AR,dc=upmc.fr" and filter="uid=B"
  RESULT: uid=B,ou=Finance,ou=Finance,ou=MBA,ou=AR,dc=upmc.fr
If you find at least one result, the target and the actor are registered in the same diploma. That's it!

UPMC – AACL example

And now the AACL expression:
- take the Actor RDN
  "uid=$authorRDN"
- look for that RDN under ou=AR,dc=upmc.fr
  search("ou=AR,dc=upmc.fr", "uid=$authorRDN")
- get two levels up
  sup(search("ou=AR,dc=upmc.fr", "uid=$authorRDN"), 2)
- look for the Target RDN there
  search(sup(search("ou=AR,dc=upmc.fr", "uid=$authorRDN"), 2), "uid=$targetRDN")

UPMC – AACL complete example

We have the relationship between the author and the target:
relation: search(sup(search("ou=AR,dc=upmc.fr","uid=$authorRDN"),2), "uid=$targetRDN")
Now we need to specify on which attribute(s) this relation applies:
attribute: uid
attribute: cn
attribute: mail
attribute: telephoneNumber
Then we need to specify the type of access allowed:
rights: r
An optional description:
description: give the right to students in the same diploma to see themselves

UPMC – AACL ldif entry

And now the corresponding AACL LDAP entry:

dn: cn=1,ou=ACL,dc=upmc.fr
cn: 1
objectClass: aacls
objectClass: top
relation: search(sup(search("ou=AR,dc=upmc.fr","uid=$authorRDN"),2), "uid=$targetRDN")
attribute: uid
attribute: cn
attribute: mail
attribute: telephoneNumber
rights: r
description: give the right to students in the same diploma to see themselves
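The UPMC slides above (data example, relation example, AACL expression and the ldif entry) describe one procedure: evaluate the relation for an author/target pair, and if it holds, open the listed attributes with the given rights. The following Python program is an added example, not code from the AACLS project: it implements the slides' search/sup relation language as a small interpreter over an in-memory dictionary that stands in for the UPMC tree. The student entries (including a third student C placed in another diploma of the same MBA family), the treatment of $authorRDN and $targetRDN as the value of the entry's first RDN, and the one-equality-filter subtree search are assumptions made here.

```python
import re

def person(uid):
    """Constructed personal entry for one student (sample data, not UPMC's)."""
    return {"uid": [uid], "cn": [f"Student {uid}"], "mail": [f"{uid.lower()}@example.invalid"],
            "telephoneNumber": ["0100"], "userPassword": [f"secret-{uid}"]}

# Constructed copy of the UPMC tree from the slides: people under ou=People and
# link entries under ou=AR (administrative registration) placing each student in
# a teaching module of a diploma.  A and B are in the Finance diploma (MBA
# family) as on the slides; C is added here in the Management diploma.
DIRECTORY = {
    "uid=A,ou=People,dc=upmc.fr": person("A"),
    "uid=B,ou=People,dc=upmc.fr": person("B"),
    "uid=C,ou=People,dc=upmc.fr": person("C"),
    "uid=A,ou=Math,ou=Finance,ou=MBA,ou=AR,dc=upmc.fr": {"uid": ["A"]},
    "uid=B,ou=Finance,ou=Finance,ou=MBA,ou=AR,dc=upmc.fr": {"uid": ["B"]},
    "uid=C,ou=Math,ou=Management,ou=MBA,ou=AR,dc=upmc.fr": {"uid": ["C"]},
}

# The AACL entry cn=1,ou=ACL,dc=upmc.fr from the slides, as a dict.
AACL_RULE = {
    "relation": 'search(sup(search("ou=AR,dc=upmc.fr","uid=$authorRDN"),2), "uid=$targetRDN")',
    "attribute": ["uid", "cn", "mail", "telephoneNumber"],
    "rights": "r",
}

def split_dn(dn):
    """RDNs, most specific first; assumes no escaped commas (true of the slides' DNs)."""
    return [rdn.strip() for rdn in dn.split(",")]

def normalize_dn(dn):
    return ",".join(split_dn(dn)).lower()

def rdn_value(dn):
    """$authorRDN / $targetRDN: the value of the first RDN (uid=A -> A)."""
    return split_dn(dn)[0].split("=", 1)[1]

def sup(dn, levels):
    """Climb <levels> RDNs towards the root ("get two levels up")."""
    return ",".join(split_dn(dn)[levels:])

def search(directory, base, filt):
    """Subtree search with one equality filter attr=value; returns matching DNs."""
    attr, value = filt.split("=", 1)
    base_n = normalize_dn(base)
    return [dn for dn, entry in directory.items()
            if (normalize_dn(dn) == base_n or normalize_dn(dn).endswith("," + base_n))
            and value in entry.get(attr, [])]

TOKEN = re.compile(r'\s*(search|sup|"[^"]*"|\d+|[(),])')

def tokenize(expr):
    pos, tokens, expr = 0, [], expr.strip()
    while pos < len(expr):
        m = TOKEN.match(expr, pos)
        if not m:
            raise SyntaxError(f"bad relation near {expr[pos:pos + 12]!r}")
        tokens.append(m.group(1))
        pos = m.end()
    return tokens

def parse(tokens):
    """Recursive descent: a quoted string, an integer, or (name, [args])."""
    tok = tokens.pop(0)
    if tok.startswith('"'):
        return tok[1:-1]
    if tok.isdigit():
        return int(tok)
    if tok in ("search", "sup") and tokens.pop(0) == "(":
        args = [parse(tokens)]
        while True:
            sep = tokens.pop(0)
            if sep == ")":
                return (tok, args)
            if sep != ",":
                raise SyntaxError(f"unexpected {sep!r}")
            args.append(parse(tokens))
    raise SyntaxError(f"unexpected {tok!r}")

def evaluate(node, directory):
    """search() yields a DN list; both functions accept a DN or a list as base."""
    if isinstance(node, (str, int)):
        return node
    name, args = node
    vals = [evaluate(a, directory) for a in args]
    bases = vals[0] if isinstance(vals[0], list) else [vals[0]]
    if name == "sup":
        return [sup(dn, vals[1]) for dn in bases]
    return [hit for b in bases for hit in search(directory, b, vals[1])]

def relation_holds(rule, author_dn, target_dn, directory=DIRECTORY):
    """Substitute both RDN values and evaluate; any result means the relation exists."""
    expr = (rule["relation"].replace("$authorRDN", rdn_value(author_dn))
                            .replace("$targetRDN", rdn_value(target_dn)))
    return bool(evaluate(parse(tokenize(expr)), directory))

def visible_attributes(rule, author_dn, target_dn, directory=DIRECTORY):
    """What the author may read of the target: nothing by default (the UPMC
    constraint), the rule's listed attributes when it holds and grants 'r'."""
    if "r" not in rule["rights"] or not relation_holds(rule, author_dn, target_dn, directory):
        return {}
    return {a: v for a, v in directory[target_dn].items() if a in rule["attribute"]}
```

Running relation_holds for A and B reproduces the slide's trace (one hit under ou=Finance,ou=MBA,ou=AR), while A and C yields nothing because C's link sits under ou=Management. Whatever the relation decides, userPassword never appears in visible_attributes, since the rule only names the four attributes listed in the entry.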

Licensing

This backend (source code and documentation) is released under the GPL license. This backend is designed specifically for OpenLDAP Software but is not a product of the OpenLDAP Project. OpenLDAP is a registered trademark of the OpenLDAP Foundation.