<div dir="ltr">I'm a bit confused by this discussion. As long as we are talking about ext4fs type file systems then it does not much care what name is associated with a files uid/gid. ACL are attributes of the file system. They are stored in inodes along with normal permissions. Of course you can play all kinds of nifty tricks in LDAP with usernames and group names as well as with group membership. Especially if rfc2307bis schema are enabled.<div><div><br></div><div>Then of course you can teach the automounter to play even more interesting tricks with access when you store maps in LDAP.<br></div><div><br></div><div>If it were me I'd model the file system access permissions at the configuration management system layer. Then use groups to slice and dice users over the access. </div><div>If course I might be looking for more information. It does not often work out well to map linux layer access controls to web layer access rules.</div><div><div><div><br></div><div>chris</div></div></div></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Sat, Sep 17, 2016 at 9:40 AM, Andrew Diederich <span dir="ltr"><<a href="mailto:andrewdied@gmail.com" target="_blank">andrewdied@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Have you been able to get him to walk through some scenarios? A lot of time management'll say some words that map techie words, and that's not what they mean. If you can get him to tell you how he thinks it works, who uses it, who would be forbidden, that may be the trick you need. "Requirements" scare them some times, but "oh, I want marketing to be able to develop their new plan without dev seeing it, or HR just needs to have personal records without seeing it, and salary info is just managers and HR." <br><br><div><div class="gmail_extra">-- <br clear="all"><div><div data-smartmail="gmail_signature">Andrew Diederich<br><a href="mailto:andrewdied@gmail.com" target="_blank">andrewdied@gmail.com</a></div></div>
<br><div class="gmail_quote">On Thu, Sep 15, 2016 at 10:47 PM, <span dir="ltr"><<a href="mailto:foo7775@comcast.net" target="_blank">foo7775@comcast.net</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div style="font-family:Arial;font-size:12pt;color:#000000"><div>Hey all, I appreciate the responses/discussion, I have a little bit more to think about now. You are correct, this is a local filesystem that I'm working with. And if I'm interpreting my boss correctly, I think that the solution that he has in mind is not as involved as implementing Kerberos.<br><br>One thing that I've started to wonder about - would it be easier to utilize LDAP permissions if I provided access to the filesystem via a web interface?? Just thinking out loud here <i>(OK, "grasping for straws" might be a more-appropriate phrase...)</i><br><br>I'd be glad to hear anyone else's thoughts on this as well...<br><br>Thanks again!<br></div><div><br></div><hr><div style="color:#000;font-weight:normal;font-style:normal;text-decoration:none;font-family:Helvetica,Arial,sans-serif;font-size:12pt"><b>From: </b>"Dan Kulinski" <<a href="mailto:daniel@kulinski.net" target="_blank">daniel@kulinski.net</a>><br><b>To: </b>"CLUE's mailing list" <<a href="mailto:clue@cluedenver.org" target="_blank">clue@cluedenver.org</a>><br><b>Sent: </b>Wednesday, September 14, 2016 11:08:49 AM<br><b>Subject: </b>Re: [clue] Filesystems + LDAP permissions???<div><div class="h5"><div><div><br><div><br></div><div dir="ltr"><div><div><div>Raymond,<br><div><br></div></div>Good point on the local filesystem, I was under a bad assumption that this was a network file system. You can support ACLs at the local file system level but I don't know if they can be set to have kerberos based security. At some point the LDAP user is mapped to a UID/GID (hopefully based on a UNIX compatible LDAP schema) and using ACLs should grant the protection needed. <br><div><br></div>You are absolutely correct about an IPA type of setup for this. <br><div><br></div></div>Thanks,<br></div> Dan<br></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Sep 14, 2016 at 10:02 AM, Raymond DeRoo <span dir="ltr"><<a href="mailto:rderoo@deroo.net" target="_blank">rderoo@deroo.net</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Dan,<br> <span><br> > Generally NFSv4 can be configured to use kerberos for authorization. This can be used in conjunction with LDAP accounts.<br> <br> </span>This is my understanding as well, however in addition isn’t IPA also needed of the kerberos realm -> LDAP schema? Perhaps I misunderstood the OP, but I thought the desire was for the local file system. I support it would be possible to run NFS locally and then use LDAP/IPA to authenticate uses…<br> <br> Now I’m even more interested in what the file solution looks like.<br> <br> Kind regards,<br> Raymond<br><div><div><br> ______________________________<wbr>_________________<br> clue mailing list: <a href="mailto:clue@cluedenver.org" target="_blank">clue@cluedenver.org</a><br> For information, account preferences, or to unsubscribe see:<br> <a href="http://cluedenver.org/mailman/listinfo/clue" rel="noreferrer" target="_blank">http://cluedenver.org/mailman/<wbr>listinfo/clue</a><br></div></div></blockquote></div><br></div><br>______________________________<wbr>_________________<br>clue mailing list: <a href="mailto:clue@cluedenver.org" target="_blank">clue@cluedenver.org</a><br>For information, account preferences, or to unsubscribe see:<br><a href="http://cluedenver.org/mailman/listinfo/clue" target="_blank">http://cluedenver.org/mailman/<wbr>listinfo/clue</a></div></div></div></div></div><div><br></div></div></div><div><div class="h5"><br>______________________________<wbr>_________________<br>
clue mailing list: <a href="mailto:clue@cluedenver.org" target="_blank">clue@cluedenver.org</a><br>
For information, account preferences, or to unsubscribe see:<br>
<a href="http://cluedenver.org/mailman/listinfo/clue" rel="noreferrer" target="_blank">http://cluedenver.org/mailman/<wbr>listinfo/clue</a><br></div></div></blockquote></div><br></div></div></div>
<br>______________________________<wbr>_________________<br>
clue mailing list: <a href="mailto:clue@cluedenver.org">clue@cluedenver.org</a><br>
For information, account preferences, or to unsubscribe see:<br>
<a href="http://cluedenver.org/mailman/listinfo/clue" rel="noreferrer" target="_blank">http://cluedenver.org/mailman/<wbr>listinfo/clue</a><br></blockquote></div><br></div>