Published by Louise Ferguson, modified over 9 years ago
Slide 1: AACLS Documentation
Outline:
- LDAP and releasing information issue
- ACL and ACI
- AACLS Model
- Physical Architecture
- Logical Architecture
- Example: a French university
- Licensing and trademarks
Slide 2: System Purpose
[Diagram: LDAP Internal Server, Email Server (POP), VPN Server and the Internet; the path from the Internet to the directory is marked "???".]
- Public LDAP Service: insecure and unauthenticated transfer of public information.
- Internal LDAP Service: secured and authenticated transfer of private and public information.
Slide 3: Applications integration issue: information access control model
ACL: Pros: simple, time saving. Cons: static, limited.
ACI: Pros: powerful, dynamic. Cons: complex, time consuming.
Each object gets its own ACLs to control its access rights, but with N entries of P attributes each, the worst case needs N²*P ACIs to control access to these entries. ACLs are suitable for managing the rights of a single entry, but there is no way to manage rights dynamically with them.
Slide 4: ACL example: simple but static
    access to dn.exact="cn=My Group,ou=Groups,dc=example,dc=com" attrs=member
        by dnattr=owner write
        by dnattr=member selfwrite
        by dn.regex="cn=[^,]+,ou=Apps,dc=example,dc=com" read
        by * none
    access to dn.exact="cn=My Group3,ou=Groups,dc=example,dc=com" attrs=member
        by dnattr=owner write
        by dnattr=member selfwrite
        by dn.regex="cn=[^,]+,ou=Apps,dc=example,dc=com" read
        by * none
Two different groups need two ACLs for the same rights, and these ACLs are written in the configuration file (slapd.conf).
Slide 5: ACI example: complex and misfit
    dn: uid=mccarthy,ou=people,l=dallas,o=acme
    uid: mccarthy
    givenName: Kevin
    sn: McCarthy
    cn: Kevin McCarthy
    mail: mccarthy@acmewidgets.com
    userPassword: foobar
    objectClass: top
    objectClass: person
    objectClass: openLDAPacl
    OpenLDAPaci: 1#entry#grant;r,w,s,c;[all]#group#cn=enterprise admins,ou=groups,o=acme
    OpenLDAPaci: 2#entry#grant;r,w,s,c;[all]#group#cn=dallas admins,ou=groups,l=dallas,o=acme
    OpenLDAPaci: 3#entry#grant;r,w,s,c;userPassword,mail;r,s,c;[all]#access-id#uid=user1,ou=people,l=dallas,o=acme
    OpenLDAPaci: 4#entry#grant;r,s,c;[all]#group#cn=all acme,ou=groups,o=acme
These ACIs need to be written in each entry. Modifying an access rule would mean modifying every entry concerned.
Slide 6: AACLS model
AACLS was created to meet special needs in information management through a system that is more powerful and simpler than ACI. Rights are managed through rules which are stored in the directory and analyzed dynamically. This system fits a great number of cases, in particular those where ACL and ACI are completely unable to operate. These cases are described by relations written in a simple but specific language. Complex relationships between entries are probably the most difficult cases and need the full power of the LDAP tree concept to be described. That is why this model is useful for you if:
- you are using a true tree structure, not a flat one!
- you need to manage information access rights with strict rules on a great number of entries
- you are going to use your directory to share, and control the access to, public and private information.
Because this model is very powerful, it is also very time consuming. That is why the piece of code is only provided as a gateway.
Slide 7: System Purpose
[Diagram: LDAP Internal Server, Email Server (POP), VPN Server and the Internet; the path marked "???" on slide 2 now goes through AACL gateways and is marked "OK!", as is access from the intranet and shared control systems.]
Slide 8: UPMC Example
The structure:
- a flat tree with all personal data
- trees representing the university schooling schema, with aliases linking to the people
The constraint: by default nothing is readable.
The need: students who are in the same diploma need to "see" each other.
Slide 9: UPMC DIT
[Diagram of the UPMC directory tree: top-level branches AACL, People, Pedagogic Tree and Administrative Registration; under the registration branch the levels Diploma families (MBA, MCS), Diploma (Management, Finance) and Teaching modules (Math, Finance), with links to people; an Actor and a Target entry are joined by the relationship being described.]
Slide 10: UPMC – Data example
To explain, we need to consider some data examples:
- Actor (or author) personal DN: uid=A,ou=People,dc=upmc.fr
- Target personal DN: uid=B,ou=People,dc=upmc.fr
- Actor to Math module link: uid=A,ou=Math,ou=Finance,ou=MBA,ou=AR,dc=upmc.fr
- Target to Finance module link: uid=B,ou=Finance,ou=Finance,ou=MBA,ou=AR,dc=upmc.fr
Slide 11: UPMC – Relation example
So the "human" relation:
- take the Actor RDN
  RESULT: uid=A
- look for that RDN under ou=AR, dc=upmc.fr
  OPERATION: search with base="ou=AR, dc=upmc.fr" and filter="uid=A"
  RESULT: uid=A,ou=Math,ou=Finance,ou=MBA,ou=AR,dc=upmc.fr
- go two levels up
  OPERATION: sup("uid=A,ou=Math,ou=Finance,ou=MBA,ou=AR,dc=upmc.fr", 2)
  RESULT: ou=Finance,ou=MBA,ou=AR,dc=upmc.fr
- look for the Target RDN there
  OPERATION: search with base="ou=Finance,ou=MBA,ou=AR,dc=upmc.fr" and filter="uid=B"
  RESULT: uid=B,ou=Finance,ou=Finance,ou=MBA,ou=AR,dc=upmc.fr
If you find at least one result, the target and the actor are registered in the same diploma. That's it!
Slide 12: UPMC – AACL example
And now the AACL expression:
- take the Actor RDN
  "uid=$authorRDN"
- look for that RDN under ou=AR, dc=upmc.fr
  search("ou=AR, dc=upmc.fr", "uid=$authorRDN")
- go two levels up
  sup(search("ou=AR, dc=upmc.fr", "uid=$authorRDN"), 2)
- look for the Target RDN there
  search(sup(search("ou=AR,dc=upmc.fr","uid=$authorRDN"),2), "uid=$targetRDN")
Slide 13: UPMC – AACL complete example
We have the relationship between the author and the target:
    relation: search(sup(search("ou=AR,dc=upmc.fr","uid=$authorRDN"),2), "uid=$targetRDN")
Now we need to specify on which attribute(s) we want to use this relation:
    attribute: uid
    attribute: cn
    attribute: mail
    attribute: telephoneNumber
Then we need to specify the type of access allowed:
    rights: r
And an optional description:
    description: give the right to students in the same diploma to see themselves
Slide 14: UPMC – AACL ldif entry
And now the corresponding AACL LDAP entry:
    dn: cn=1, ou=ACL, dc=upmc.fr
    cn: 1
    objectClass: aacls
    objectClass: top
    relation: search(sup(search("ou=AR,dc=upmc.fr","uid=$authorRDN"),2), "uid=$targetRDN")
    attribute: uid
    attribute: cn
    attribute: mail
    attribute: telephoneNumber
    rights: r
    description: give the right to students in the same diploma to see themselves
Slide 15: Licensing
This backend (source code and documentation) is released under the GPL license. This backend is designed specifically for OpenLDAP Software but is not a product of the OpenLDAP Project. OpenLDAP is a registered trademark of the OpenLDAP Foundation.