[clue] Filesystems + LDAP permissions???

Chris Fedde chris at fedde.us
Mon Sep 19 15:57:20 MDT 2016


I'm a bit confused by this discussion. As long as we are talking about
ext4fs type file systems then it does not much care what name is associated
with a file's uid/gid. ACLs are attributes of the file system. They are
stored in inodes along with normal permissions. Of course you can play all
kinds of nifty tricks in LDAP with usernames and group names as well as
with group membership, especially if the rfc2307bis schema is enabled.

Then of course you can teach the automounter to play even more interesting
tricks with access when you store maps in LDAP.

If it were me I'd model the file system access permissions at the
configuration management system layer. Then use groups to slice and dice
users over the access.
Of course I might be looking for more information. It does not often work
out well to map Linux layer access controls to web layer access rules.

chris
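The point Chris and Dan are making, as an added Python example that is not from the thread: an rfc2307bis-style directory turns a name into numeric ids, the ext4 inode's POSIX ACL is then evaluated on those numbers only, and the mask entry (which `chmod`'s group bits rewrite once an ACL exists) caps every entry except the owner's and other's. The users, groups and the file's ACL below are constructed.

```python
# Added example, not code from the thread. It models what Chris and Dan describe:
# an rfc2307bis-style directory resolves a name to numeric ids, and the ext4 inode's
# POSIX.1e ACL is then evaluated on those numbers alone. All data is constructed.
from collections import namedtuple

R, W, X = 4, 2, 1
# Constructed posixAccount / posixGroup entries (the names never reach the kernel).
LDAP_USERS = {
    "alice": {"uidNumber": 1001, "gidNumber": 2001},
    "bob":   {"uidNumber": 1002, "gidNumber": 2002},
    "carol": {"uidNumber": 1003, "gidNumber": 2003},
    "dave":  {"uidNumber": 1004, "gidNumber": 3001},  # primary group: marketing
}
LDAP_GROUPS = {
    "marketing": {"gidNumber": 3001, "member": ["alice"]},
    "dev":       {"gidNumber": 3002, "member": ["bob"]},
}

def resolve(user):
    """Return (uid, {gids}) as the NSS/SSSD layer hands them to the kernel."""
    acct = LDAP_USERS[user]
    gids = {acct["gidNumber"]} | {g["gidNumber"] for g in LDAP_GROUPS.values()
                                  if user in g["member"]}
    return acct["uidNumber"], gids

Inode = namedtuple("Inode", "uid gid acl")  # acl: list of (tag, qualifier, perms)

def may_access(inode, uid, gids, want):
    """POSIX.1e access check in the order the kernel applies it."""
    e = {(t, q): p for t, q, p in inode.acl}
    mask = e.get(("mask", None), R | W | X)   # a minimal ACL has no mask entry
    if uid == inode.uid:                      # owner entry: the mask does not apply
        return e[("user_obj", None)] & want == want
    if ("user", uid) in e:                    # named user entry, masked
        return e[("user", uid)] & mask & want == want
    matched = [p for (t, q), p in e.items()
               if (t == "group_obj" and inode.gid in gids)
               or (t == "group" and q in gids)]
    if matched:   # any matching group entry may grant; if none does, deny
        return any(p & mask & want == want for p in matched)
    return e[("other", None)] & want == want

def check(user, inode, want):
    return may_access(inode, *resolve(user), want)

# Constructed file: marketing plan owned by alice, group marketing, after
# 'setfacl -m g:dev:r' and then 'chmod 640', which set the mask to r--.
PLAN = Inode(uid=1001, gid=3001, acl=[
    ("user_obj", None, R | W), ("group_obj", None, R | W),
    ("group", 3002, R), ("mask", None, R), ("other", None, 0)])
```

Running `check("dave", PLAN, W)` shows the mask effect: dave is in the owning group, whose entry says rw-, but the r-- mask from `chmod 640` leaves him read-only, while alice as owner is unaffected.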

On Sat, Sep 17, 2016 at 9:40 AM, Andrew Diederich <andrewdied at gmail.com>
wrote:

> Have you been able to get him to walk through some scenarios? A lot of the
> time management'll say some words that map to techie words, and that's not
> what they mean. If you can get him to tell you how he thinks it works, who
> uses it, who would be forbidden, that may be the trick you need.
> "Requirements" scare them sometimes, but "oh, I want marketing to be able
> to develop their new plan without dev seeing it, or HR just needs to have
> personal records without seeing it, and salary info is just managers and
> HR."
>
> --
> Andrew Diederich
> andrewdied at gmail.com
>
> On Thu, Sep 15, 2016 at 10:47 PM, <foo7775 at comcast.net> wrote:
>
>> Hey all, I appreciate the responses/discussion, I have a little bit more
>> to think about now. You are correct, this is a local filesystem that I'm
>> working with. And if I'm interpreting my boss correctly, I think that the
>> solution that he has in mind is not as involved as implementing Kerberos.
>>
>> One thing that I've started to wonder about: would it be easier to
>> utilize LDAP permissions if I provided access to the filesystem via a web
>> interface?? Just thinking out loud here (OK, "grasping for straws"
>> might be a more appropriate phrase...)
>>
>> I'd be glad to hear anyone else's thoughts on this as well...
>>
>> Thanks again!
>>
>> ------------------------------
>> From: "Dan Kulinski" <daniel at kulinski.net>
>> To: "CLUE's mailing list" <clue at cluedenver.org>
>> Sent: Wednesday, September 14, 2016 11:08:49 AM
>> Subject: Re: [clue] Filesystems + LDAP permissions???
>>
>>
>> Raymond,
>>
>> Good point on the local filesystem, I was under a bad assumption that
>> this was a network file system. You can support ACLs at the local file
>> system level but I don't know if they can be set to have Kerberos based
>> security. At some point the LDAP user is mapped to a UID/GID (hopefully
>> based on a UNIX compatible LDAP schema) and using ACLs should grant the
>> protection needed.
>>
>> You are absolutely correct about an IPA type of setup for this.
>>
>> Thanks,
>>   Dan
>>
>> On Wed, Sep 14, 2016 at 10:02 AM, Raymond DeRoo <rderoo at deroo.net> wrote:
>>
>>> Dan,
>>>
>>> > Generally NFSv4 can be configured to use kerberos for authorization.
>>> This can be used in conjunction with LDAP accounts.
>>>
>>> This is my understanding as well, however in addition isn't IPA also
>>> needed for the Kerberos realm -> LDAP schema? Perhaps I misunderstood the
>>> OP, but I thought the desire was for the local file system. I suppose it
>>> would be possible to run NFS locally and then use LDAP/IPA to authenticate
>>> users…
>>>
>>> Now I’m even more interested in what the file solution looks like.
>>>
>>> Kind regards,
>>> Raymond
>>>
>>> _______________________________________________
>>> clue mailing list: clue at cluedenver.org
>>> For information, account preferences, or to unsubscribe see:
>>> http://cluedenver.org/mailman/listinfo/clue
>>>