[clue] Filesystems + LDAP permissions???

foo7775 at comcast.net foo7775 at comcast.net
Fri Sep 23 08:04:57 MDT 2016


Thank you for the reply Chris, that definitely gives me some food for thought. I'm forwarding your message to my work address, & I hope to discuss that with the architect directing the effort if he's able to meet with me today. The schema *is* the rfc2307bis type, so that opens some possibilities as you've mentioned. Also, I completely agree with your statement "It does not often work out well to map linux layer access controls to web layer access rules" but I'm not making the decisions. 

T. 
----- Original Message -----

From: "Chris Fedde" <chris at fedde.us> 
To: "CLUE's mailing list" <clue at cluedenver.org> 
Sent: Monday, September 19, 2016 3:57:20 PM 
Subject: Re: [clue] Filesystems + LDAP permissions??? 

I'm a bit confused by this discussion. As long as we are talking about ext4fs type file systems then it does not much care what name is associated with a file's uid/gid. ACLs are attributes of the file system. They are stored in inodes along with normal permissions. Of course you can play all kinds of nifty tricks in LDAP with usernames and group names as well as with group membership. Especially if rfc2307bis schema are enabled. 

Then of course you can teach the automounter to play even more interesting tricks with access when you store maps in LDAP. 

If it were me I'd model the file system access permissions at the configuration management system layer. Then use groups to slice and dice users over the access. 
Of course I might be looking for more information. It does not often work out well to map linux layer access controls to web layer access rules. 

chris 
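Chris's point above (and Dan's further down, that an LDAP user is ultimately mapped to a UID/GID before ACLs apply) can be shown in code. The following is an added example, not something posted to the list: it reads a constructed rfc2307bis-style LDIF excerpt (hypothetical users alice/bob/carol and groups marketing/hr under dc=example,dc=org) into the numeric uid/gid maps an NSS lookup would produce, then evaluates a POSIX ACL, held entirely as numbers the way the inode holds it, in the check order acl(5) describes. The file owner/group ids and ACL entries are assumptions chosen for the illustration.

```python
"""Added example (not from the thread): resolve rfc2307bis LDAP entries to
numeric uid/gid values, then evaluate a POSIX ACL stored with a file against
those numbers in the order acl(5) describes. All data is constructed."""

# Constructed LDIF: rfc2307bis groups carry DN-valued 'member' attributes.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=org
objectClass: posixAccount
uid: alice
uidNumber: 1001
gidNumber: 2001

dn: uid=bob,ou=People,dc=example,dc=org
objectClass: posixAccount
uid: bob
uidNumber: 1002
gidNumber: 2002

dn: uid=carol,ou=People,dc=example,dc=org
objectClass: posixAccount
uid: carol
uidNumber: 1003
gidNumber: 2003

dn: cn=marketing,ou=Groups,dc=example,dc=org
objectClass: posixGroup
cn: marketing
gidNumber: 2001
member: uid=alice,ou=People,dc=example,dc=org

dn: cn=hr,ou=Groups,dc=example,dc=org
objectClass: posixGroup
cn: hr
gidNumber: 2002
member: uid=bob,ou=People,dc=example,dc=org
"""

def parse_ldif(text):
    """Minimal LDIF reader: one dict per entry, every attribute multi-valued.
    Base64 values and line folding are not handled (the sample uses neither)."""
    entries, cur = [], {}
    for line in text.splitlines():
        if not line.strip():
            if cur:
                entries.append(cur)
            cur = {}
            continue
        key, _, val = line.partition(":")
        cur.setdefault(key.strip(), []).append(val.strip())
    if cur:
        entries.append(cur)
    return entries

def identity_maps(entries):
    """Like an NSS lookup: name -> uidNumber, and uid -> {primary + supplementary gids}."""
    uid_by_name, uid_by_dn, groups_by_uid = {}, {}, {}
    for e in entries:
        if "posixAccount" in e.get("objectClass", []):
            uid = int(e["uidNumber"][0])
            uid_by_name[e["uid"][0]] = uid
            uid_by_dn[e["dn"][0]] = uid
            groups_by_uid[uid] = {int(e["gidNumber"][0])}
    for e in entries:
        if "posixGroup" in e.get("objectClass", []):
            for dn in e.get("member", []):
                if dn in uid_by_dn:
                    groups_by_uid[uid_by_dn[dn]].add(int(e["gidNumber"][0]))
    return uid_by_name, groups_by_uid

def _bits(p):
    return set(p.replace("-", ""))

def acl_permits(acl, owner_uid, owner_gid, uid, groups, want):
    """acl(5) check order: owner, named user, owning/named groups, other.
    The mask caps every entry except the owner and 'other'."""
    need, mask = _bits(want), _bits(acl.get("mask", "rwx"))
    if uid == owner_uid:
        return need <= _bits(acl["user_obj"])
    if uid in acl.get("user", {}):
        return need <= _bits(acl["user"][uid]) & mask
    matched = [_bits(acl["group_obj"]) & mask] if owner_gid in groups else []
    matched += [_bits(p) & mask for g, p in acl.get("group", {}).items() if g in groups]
    if matched:  # any matching group entry that grants the bits is enough
        return any(need <= m for m in matched)
    return need <= _bits(acl["other"])

# The file as the kernel sees it: numeric ids only, no LDAP names anywhere (assumed values).
PLAN_OWNER_UID, PLAN_OWNER_GID = 1001, 2001          # alice / marketing
PLAN_ACL = {"user_obj": "rw-", "group_obj": "rw-",
            "group": {2002: "r--"},                  # hr may read the plan
            "mask": "rw-", "other": "---"}

def check_access(ldif, name, want):
    """Resolve a login name through LDAP, then apply the file's ACL."""
    uid_by_name, groups_by_uid = identity_maps(parse_ldif(ldif))
    uid = uid_by_name[name]
    return acl_permits(PLAN_ACL, PLAN_OWNER_UID, PLAN_OWNER_GID, uid, groups_by_uid[uid], want)

if __name__ == "__main__":
    for who, want in (("alice", "rw"), ("bob", "r"), ("bob", "w"), ("carol", "r")):
        print(who, want, check_access(SAMPLE_LDIF, who, want))
    # Renaming the account in LDAP never touches the inode, so access is unchanged.
    renamed = SAMPLE_LDIF.replace("\nuid: alice\n", "\nuid: alice.smith\n")
    print("alice.smith rw", check_access(renamed, "alice.smith", "rw"))
```

The design point is the last two lines: the ACL never contains a name, so changing `uid: alice` to `uid: alice.smith` in the directory leaves the file's protection exactly as it was, while moving bob out of the hr group (a directory-only change) would silently remove his read access. Group membership in LDAP is the lever; the ACL on disk is the policy it is applied to.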

On Sat, Sep 17, 2016 at 9:40 AM, Andrew Diederich < andrewdied at gmail.com > wrote: 



Have you been able to get him to walk through some scenarios? A lot of times management'll say some words that map to techie words, and that's not what they mean. If you can get him to tell you how he thinks it works, who uses it, who would be forbidden, that may be the trick you need. "Requirements" scare them sometimes, but "oh, I want marketing to be able to develop their new plan without dev seeing it, or HR just needs to have personal records without seeing it, and salary info is just managers and HR." 

-- 
Andrew Diederich 
andrewdied at gmail.com 

On Thu, Sep 15, 2016 at 10:47 PM, < foo7775 at comcast.net > wrote: 

<blockquote>

Hey all, I appreciate the responses/discussion, I have a little bit more to think about now. You are correct, this is a local filesystem that I'm working with. And if I'm interpreting my boss correctly, I think that the solution that he has in mind is not as involved as implementing Kerberos. 

One thing that I've started to wonder about - would it be easier to utilize LDAP permissions if I provided access to the filesystem via a web interface?? Just thinking out loud here (OK, "grasping for straws" might be a more-appropriate phrase...) 

I'd be glad to hear anyone else's thoughts on this as well... 

Thanks again! 


From: "Dan Kulinski" < daniel at kulinski.net > 
To: "CLUE's mailing list" < clue at cluedenver.org > 
Sent: Wednesday, September 14, 2016 11:08:49 AM 
Subject: Re: [clue] Filesystems + LDAP permissions??? 


Raymond, 

Good point on the local filesystem, I was under a bad assumption that this was a network file system. You can support ACLs at the local file system level but I don't know if they can be set to have kerberos based security. At some point the LDAP user is mapped to a UID/GID (hopefully based on a UNIX compatible LDAP schema) and using ACLs should grant the protection needed. 

You are absolutely correct about an IPA type of setup for this. 

Thanks, 
Dan 

On Wed, Sep 14, 2016 at 10:02 AM, Raymond DeRoo < rderoo at deroo.net > wrote: 

<blockquote>
Dan, 

> Generally NFSv4 can be configured to use kerberos for authorization. This can be used in conjunction with LDAP accounts. 

This is my understanding as well, however in addition isn't IPA also needed for the kerberos realm -> LDAP schema? Perhaps I misunderstood the OP, but I thought the desire was for the local file system. I suppose it would be possible to run NFS locally and then use LDAP/IPA to authenticate users... 

Now I'm even more interested in what the file solution looks like. 

Kind regards, 
Raymond 

_______________________________________________ 
clue mailing list: clue at cluedenver.org 
For information, account preferences, or to unsubscribe see: 
http://cluedenver.org/mailman/listinfo/clue 








</blockquote>




</blockquote>





