Presentation is loading. Please wait.

Presentation is loading. Please wait.

Groups in the Electronic Directory:

Published byKatherine Fisher Modified over 6 years ago

Similar presentations

Presentation on theme: "Groups in the Electronic Directory:"— Presentation transcript:

1 Groups in the Electronic Directory:
Requirements: Provision group memberships into our electronic directory where they can be used by applications such as Oracle Calendar and our own CUWebAuth Preserve Group Membership read access No requirement to make the names of the groups anonymously available from the electronic directory We looked at making all groups have anonymously available membership, but there were some good examples of groups that had a good reason to keep their membership lists restricted to only a few people/applications.

2 . . . Groups Directory . . . . . . dc = authz, dc = cornell, dc = edu
objectclass = cornelledugroup attribute = cornellgroupreadpriv objectclass = edumember attribute = hasmember objec…. . ou = groups . . cn = cit.adsm.backline cornelledugroupreadpriv:backlineAppBindDN cn = cit.adsm cornelledugroupreadpriv:GrouperAll . . . . . .

3 ACIs on Groups Directory
Allow read access to hasMember for anyone if cornelledugroupreadpriv=GrouperAll Allow read access to hasMember for bindDNs which have authenticated to the directory and are also in the cornelledugroupreadpriv attribute for the group Allow read and write access to hasMember for the bindDN of the Grouper LDAP Provisioning Connector And other special cases… A value of GrouperAll means anyone can look at the group membership

4 Example: Setting up a Group
User “jv11” creates a group called “cit.staff” with anonymous membership read turned off (Grouper UI) She adds members to the group (Grouper UI) She also gives the application ID called “myAppBindDN” membership read privileges (Grouper UI) The LDAP Provisioning connector writes the group “cit.staff” to the groups directory, and populates hasMember A future version of the LDAP Provisioning Connector (or a homemade script) populates the cornelledugroupreadpriv attribute for the cit.staff group in the directory

5 Example: an application wants to read the “hasMember” attribute for a group called “cit.staff”
Application binds to the directory as cn=myAppBinddn, ou=serviceids, dc=authz, dc=cornell, dc=edu Application asks for “hasMember” attribute of group “cit.staff” Directory returns “hasMember” is returned IF Cornelledugroupreadpriv=GrouperAll for “cit.staff” (false) OR Cornelledugroupreadpriv=myAppBinddn for “cit.staff” (true)

6 Kerberos Authentication?
Our applications use Kerberos authentication, not LDAP With our SunONE directory, we can set up Kerberos5 authentication for the application DNs

Download ppt "Groups in the Electronic Directory:"

Similar presentations

Open Grid Forum 19 January 31, 2007 Chapel Hill, NC Stephen Langella Ohio State University Grid Authentication and Authorization with.

Open Grid Forum 19 January 31, 2007 Chapel Hill, NC Stephen Langella Ohio State University Grid Authentication and Authorization with.
Grouper Training End Users Lite UI – External Users

Grouper Training End Users Lite UI – External Users
Grouper Training Developers and Architects LDAP Shilen Patel Duke University This work licensed under a Creative Commons Attribution-NonCommercial 3.0.

Grouper Training Developers and Architects LDAP Shilen Patel Duke University This work licensed under a Creative Commons Attribution-NonCommercial 3.0.
© 2009 GroundWork Open Source, Inc. PROPRIETARY INFORMATION: Information contained herein is not for use or disclosure outside of GroundWork Open Source,

© 2009 GroundWork Open Source, Inc. PROPRIETARY INFORMATION: Information contained herein is not for use or disclosure outside of GroundWork Open Source,
PHP Modules LDAP and MySQL. External Functions In addition to the usual programming functions (arrays, date and time, typing, mathematical, etc), PHP.

PHP Modules LDAP and MySQL. External Functions In addition to the usual programming functions (arrays, date and time, typing, mathematical, etc), PHP.
Copyright Tom Parker, Ron DiNapoli, Andrea Beesing, Joy Veronneau 2004. This work is the intellectual property of the authors. Permission is granted for.

Copyright Tom Parker, Ron DiNapoli, Andrea Beesing, Joy Veronneau This work is the intellectual property of the authors. Permission is granted for.
Princeton University The Cast Dan Oberst, Director of OIT Enterprise Services…………Big Hat: No Cattle Donna Tatro, Manager of Collaboration Services………….Makes.

Princeton University The Cast Dan Oberst, Director of OIT Enterprise Services…………Big Hat: No Cattle Donna Tatro, Manager of Collaboration Services………….Makes.
Where the sidewalk used to end, privilege management Chris Hyzer University of Pennsylvania.

Where the sidewalk used to end, privilege management Chris Hyzer University of Pennsylvania.
LDAP Lightweight Directory Access Protocol LDAP.

LDAP Lightweight Directory Access Protocol LDAP.
Directory-Enabling Applications: Techniques from the Trenches Brendan Bellina Senior Systems Engineer University of Notre Dame This presentation is available.

Directory-Enabling Applications: Techniques from the Trenches Brendan Bellina Senior Systems Engineer University of Notre Dame This presentation is available.
Virtual Directories: Attack Models and Prevention June 2 nd, 2009 Bill Claycomb Systems Analyst Sandia National Laboratories Sandia is a multiprogram laboratory.

Virtual Directories: Attack Models and Prevention June 2 nd, 2009 Bill Claycomb Systems Analyst Sandia National Laboratories Sandia is a multiprogram laboratory.
Brian Arkills Software Engineer, LDAP geek, AD bum, and Associate Troublemaking Officer UW Windows Infrastructure.

Brian Arkills Software Engineer, LDAP geek, AD bum, and Associate Troublemaking Officer UW Windows Infrastructure.
Grouper Training End Users Admin UI – Part 6 Shilen Patel Duke University This work licensed under a Creative Commons Attribution-NonCommercial 3.0 Unported.

Grouper Training End Users Admin UI – Part 6 Shilen Patel Duke University This work licensed under a Creative Commons Attribution-NonCommercial 3.0 Unported.
Setting up the Grouper and Signet Databases Joy Veronneau Cornell University Identity Management November 7, 2006.

Setting up the Grouper and Signet Databases Joy Veronneau Cornell University Identity Management November 7, 2006.
Enriching Identity Through Groups EDUCAUSE Distributed Access Management CAMP Joy Veronneau Cornell University, Identity Management November 8, 2006.

Enriching Identity Through Groups EDUCAUSE Distributed Access Management CAMP Joy Veronneau Cornell University, Identity Management November 8, 2006.
A Model for Enterprise Group and Affiliation Management RL “Bob” Morgan University of Washington CAMP, June 2005.

A Model for Enterprise Group and Affiliation Management RL “Bob” Morgan University of Washington CAMP, June 2005.
03/07/08 © 2008 DSR and LDAP Authentication Avocent Technical Support.

03/07/08 © 2008 DSR and LDAP Authentication Avocent Technical Support.
CN1276 Server (V3) Kemtis Kunanuraksapong MSIS with Distinction MCT, MCTS, MCDST, MCP, A+

CN1276 Server (V3) Kemtis Kunanuraksapong MSIS with Distinction MCT, MCTS, MCDST, MCP, A+
GRID Centralized management of the Globus grid-mapfile Carlo Rocca INFN, Catania.

GRID Centralized management of the Globus grid-mapfile Carlo Rocca INFN, Catania.
Introduction To OpenLDAP Directory Services. What is a Directory Service? A specialized database optimized for reading, browsing, and searching. No complicated.

Introduction To OpenLDAP Directory Services. What is a Directory Service? A specialized database optimized for reading, browsing, and searching. No complicated.

Similar presentations

Ads by Google