[Fedora-directory-users] Ideas for fds
jclowser at unitedmessaging.com
Mon Jun 13 14:41:01 UTC 2005
David Boreham wrote:
>
>> From what I remember, that vpn server searched for the user's dn in
>> uniquemember to find a template entry, and the above is what it is
>> expecting to find. How would I set up Roles and CoS entries that
>> would work without changing the app (is that possible)? Can I set up
>> Roles/CoS that would populate the uniquemember attribute of the
>> vpntemplate entry? Is that searchable (if I remember correctly,
>> early versions of CoS didn't allow you to search on CoS-populated
>> attributes, later versions might have, and I'm not sure where in that
>> line FDS is)?
>
> Yeah, I don't know about this. I was more interested in the semantics
> of the checkpoint application behavior, which I think are easily
> implemented with role-based CoS (the end result is that the user entry
> has the necessary vpn cruft on it directly, with no need to indirect to
> the template entry at the client end).
>
> If an existing application can be made to simply fetch its per-user
> parameters from attributes on the user's entry, then roles/CoS will
> work fine.
The problem lies in what happens if the user is part of multiple
templates. For example, one template may say I can access host 1 and 2
from 9am to 5pm, and another template may say I can access host 3 (no
time specification, so any time), etc. If I use roles to merge all the
values from all these templates into the user's entry, I may get
something like host 1, 2, and 3 are allowed only from 9am-5pm, depending
on how the templates are organized/defined by the vendor, which is
different from what I had intended. FWIW, as I remember it, the
checkpoint product did allow these in the user's entry, and I think it
broke if a user was actually part of more than one template, but I was
trying to speak generically vs. a particular product :).
> Just to be clear: I don't expect (nor require) that there are any
> applications that 'support' roles. All the applications need to do
> is to support regular ldap attributes on the user entries.
Sorry - bad wording on my part. When I say "support roles", that
includes the case where I can read the info from the user's entry as you
specified. I think it just comes down to being creative in the use of
roles, and in some cases, nothing will help.
- Jeff
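An added example, not from this thread or from FDS documentation, of the role-based CoS arrangement under discussion and the merge problem Jeff describes: two managed roles, one cosTemplate per role DN, and a classic CoS definition whose merge-schemes qualifier concatenates values from every matching template. The suffix, role and template names, and the vpnHost/vpnAccessTime attributes are made up for illustration (a user joins a role via nsRoleDN on its own entry).

```ldif
dn: cn=vpnRoleA,ou=People,dc=example,dc=com
objectClass: LDAPsubentry
objectClass: nsRoleDefinition
objectClass: nsSimpleRoleDefinition
objectClass: nsManagedRoleDefinition
cn: vpnRoleA

dn: cn=vpnRoleB,ou=People,dc=example,dc=com
objectClass: LDAPsubentry
objectClass: nsRoleDefinition
objectClass: nsSimpleRoleDefinition
objectClass: nsManagedRoleDefinition
cn: vpnRoleB

# Classic CoS keyed on the user's nsRole value; one template per role DN.
# merge-schemes concatenates the values from every template that matches.
dn: cn=vpnCos,ou=People,dc=example,dc=com
objectClass: LDAPsubentry
objectClass: cosSuperDefinition
objectClass: cosClassicDefinition
cosTemplateDn: cn=vpnTemplates,ou=People,dc=example,dc=com
cosSpecifier: nsRole
cosAttribute: vpnHost merge-schemes
cosAttribute: vpnAccessTime merge-schemes

# Template A (hypothetical): hosts 1 and 2, only between 09:00 and 17:00.
dn: cn="cn=vpnRoleA,ou=People,dc=example,dc=com",cn=vpnTemplates,ou=People,dc=example,dc=com
objectClass: extensibleObject
objectClass: cosTemplate
cn: "cn=vpnRoleA,ou=People,dc=example,dc=com"
vpnHost: host1
vpnHost: host2
vpnAccessTime: 0900-1700

# Template B (hypothetical): host 3, no time restriction.
dn: cn="cn=vpnRoleB,ou=People,dc=example,dc=com",cn=vpnTemplates,ou=People,dc=example,dc=com
objectClass: extensibleObject
objectClass: cosTemplate
cn: "cn=vpnRoleB,ou=People,dc=example,dc=com"
vpnHost: host3

# A user in both roles: the computed entry carries vpnHost host1, host2, host3
# and vpnAccessTime 0900-1700, with nothing tying the window to hosts 1 and 2.
dn: uid=jdoe,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
uid: jdoe
cn: Jane Doe
sn: Doe
nsRoleDN: cn=vpnRoleA,ou=People,dc=example,dc=com
nsRoleDN: cn=vpnRoleB,ou=People,dc=example,dc=com
```

The CoS-generated values are virtual rather than stored, so an application that searches on them gets an unindexed search, which is worth checking before relying on the searchability the thread asks about.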