[Fedora-directory-users] Ideas for fds

jclowser at unitedmessaging.com
Mon Jun 13 14:41:01 UTC 2005


David Boreham wrote:

>
>> From what I remember, that vpn server searched for the users dn in 
>> uniquemember to find a template entry, and the above is what it is 
>> expecting to find.  How would I set up Roles and CoS entries that 
>> would work without changing the app (is that possible)?  Can I set up 
>> Roles/CoS that would populate the uniquemember attribute of the 
>> vpntemplate entry?  Is that searchable (if I remember correctly, 
>> early versions of CoS didn't allow you to search on cos populated 
>> attributes, later versions might have, and I'm not sure where in that 
>> line FDS is).
>
> Yeah, I don't know about this. I was more interested in the semantics
> of the checkpoint application behavior, which I think are easily
> implemented with role-based cos (the end result is that the user entry
> has the necessary vpn cruft on it directly, with no need to indirect to
> the template entry at the client end).
>
> If an existing application can be made to simply fetch its per-user
> parameters from attributes on the user's entry, then roles/cos will
> work fine.

The problem lies in what happens if the user is part of multiple 
templates.  For example, one template may say I can access host 1 and 2 
from 9am to 5pm, and another template may say I can access host 3 (no 
time specification, so any time), etc.  If I use roles to merge all the 
values from all these templates into the user's entry, I may get 
something like host 1, 2, and 3 are allowed only from 9am-5pm, depending 
on how the templates are organized/defined by the vendor, which is 
different from what I had intended.  FWIW, as I remember it, the 
checkpoint product did allow these in the user's entry, and I think it 
broke if a user was actually part of more than one template, but I was 
trying to speak generically vs a particular product :).

> Just to be clear: I don't expect (nor require) that there are any
> applications that 'support' roles. All the applications need to do
> is to support regular ldap attributes on the user entries.

Sorry - bad wording on my part.  When I say "support roles", that 
includes the case where I can read the info from the user's entry as you 
specified.  I think it just comes down to being creative in the use of 
roles, and in some cases, nothing will help.

 - Jeff
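The merge problem Jeff describes, written out as an added example (not part of the thread, and not a vendor's schema): two managed roles, a role-based classic CoS definition, and one template per role. The attribute names vpnAllowedHost and vpnAccessHours, the suffix dc=example,dc=com, and the host values are assumed for illustration.

```ldif
# Role-based CoS definition (assumed names). With the merge-schemes
# qualifier, a user holding several roles receives the union of every
# matching template's values for that attribute.
dn: cn=vpnCoS,dc=example,dc=com
objectClass: top
objectClass: LDAPsubentry
objectClass: cosSuperDefinition
objectClass: cosClassicDefinition
cosTemplateDn: ou=vpntemplates,dc=example,dc=com
cosSpecifier: nsRole
cosAttribute: vpnAllowedHost merge-schemes
cosAttribute: vpnAccessHours merge-schemes

# Two managed roles; a user joins one by carrying nsRoleDN.
dn: cn=officeVpn,dc=example,dc=com
objectClass: top
objectClass: LDAPsubentry
objectClass: nsRoleDefinition
objectClass: nsSimpleRoleDefinition
objectClass: nsManagedRoleDefinition

dn: cn=labVpn,dc=example,dc=com
objectClass: top
objectClass: LDAPsubentry
objectClass: nsRoleDefinition
objectClass: nsSimpleRoleDefinition
objectClass: nsManagedRoleDefinition

# Template selected for members of officeVpn: hosts 1 and 2, 9am-5pm only.
dn: cn="cn=officeVpn,dc=example,dc=com",ou=vpntemplates,dc=example,dc=com
objectClass: top
objectClass: LDAPsubentry
objectClass: extensibleObject
objectClass: cosTemplate
vpnAllowedHost: host1.example.com
vpnAllowedHost: host2.example.com
vpnAccessHours: 0900-1700

# Template selected for members of labVpn: host 3, no hour restriction.
dn: cn="cn=labVpn,dc=example,dc=com",ou=vpntemplates,dc=example,dc=com
objectClass: top
objectClass: LDAPsubentry
objectClass: extensibleObject
objectClass: cosTemplate
vpnAllowedHost: host3.example.com
```

A user with both nsRoleDN values reads back vpnAllowedHost host1, host2, host3 and vpnAccessHours 0900-1700 on their own entry, so the client can no longer tell which hosts the hour window applied to; dropping merge-schemes instead makes only one template win (by cosPriority), which silently drops the other role's hosts.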
