Groups in the Electronic Directory: - PowerPoint PPT Presentation
Provided by: tomparkerj
Learn more at: http://www.internet2.edu


1
Groups in the Electronic Directory
  • Requirements
  • Provision group memberships into our electronic
    directory, where they can be consumed by applications
    such as Oracle Calendar and our own CUWebAuth
  • Preserve the group membership read-access restrictions
    that group owners set in Grouper (a group's members are
    visible only to those permitted to read them)
  • No requirement to make the names of the groups
    anonymously available from the electronic directory

2
Groups Directory (directory tree as drawn on the slide)

Schema legend:
  objectclass cornelledugroup  ->  attribute cornelledugroupreadpriv
  objectclass edumember        ->  attribute hasmember
  objec. (third legend entry truncated on the slide)

dc=authz, dc=cornell, dc=edu
  ...
  ou=groups
    ...
    cn=cit.adsm.backline
      cornelledugroupreadpriv=backlineAppBindDN
      hasmember=se10@cornell.edu
      hasmember=pb10@cornell.edu
    cn=cit.adsm
      cornelledugroupreadpriv=GrouperAll
      hasmember=jv11@cornell.edu
      hasmember=jtp5@cornell.edu
    ...
3
ACIs on Groups Directory
  • Allow read access to hasMember for anyone (including
    anonymous binds) if the group carries
    cornelledugroupreadpriv=GrouperAll
  • Allow read access to hasMember for bind DNs that have
    authenticated to the directory and are also listed in
    the group's cornelledugroupreadpriv attribute
  • Allow read and write access to hasMember for the bind DN
    of the Grouper LDAP Provisioning Connector
  • And other special cases

4
Example: Setting up a Group
  • User jv11 creates a group called cit.staff with
    anonymous membership read turned off (Grouper UI)
  • She adds members to the group (Grouper UI)
  • She also grants the application ID called myAppBindDN
    membership read privileges (Grouper UI)
  • The LDAP Provisioning Connector writes the group
    cit.staff to the groups directory and populates
    hasMember
  • A future version of the LDAP Provisioning Connector (or
    a homemade script) populates the cornelledugroupreadpriv
    attribute of the cit.staff entry in the directory

5
Example: an application wants to read the hasMember
attribute for a group called cit.staff
  • The application binds to the directory as
    cn=myAppBinddn, ou=serviceids, dc=authz, dc=cornell,
    dc=edu
  • The application asks for the hasMember attribute of the
    group cit.staff
  • The directory returns hasMember IF
  • cornelledugroupreadpriv=GrouperAll on cit.staff (false)
  • OR
  • cornelledugroupreadpriv=myAppBinddn on cit.staff (true)
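To make the ACI rules of slide 3 and the cit.staff walkthrough of slides 4 and 5 concrete, here is an added model of that access decision in Python. It is not code from the presentation or from Grouper; it simulates what the directory's ACIs decide. The LDIF is constructed from the entries on slide 2 plus the cit.staff group, and two details are assumptions: cornelledugroupreadpriv holds the full bind DN of the service ID (the slide shows only short labels), and the Grouper connector binds as cn=grouperProvisioner (no connector DN is given on the slides).

```python
"""Model of the hasMember ACIs described on the slides (added example).

Assumptions: cornelledugroupreadpriv stores the full DN of each service ID
that may read the group, and the Grouper LDAP Provisioning Connector binds
as GROUPER_CONNECTOR_DN. Both are assumed, not taken from the slides.
"""
from __future__ import annotations

# Assumed bind DN of the Grouper LDAP Provisioning Connector.
GROUPER_CONNECTOR_DN = "cn=grouperProvisioner,ou=serviceids,dc=authz,dc=cornell,dc=edu"
GROUPS_BASE = "ou=groups,dc=authz,dc=cornell,dc=edu"

# Constructed LDIF: the two groups drawn on slide 2 plus cit.staff from slide 4.
GROUPS_LDIF = """\
dn: cn=cit.adsm.backline,ou=groups,dc=authz,dc=cornell,dc=edu
objectclass: cornelledugroup
objectclass: edumember
cornelledugroupreadpriv: cn=backlineAppBindDN,ou=serviceids,dc=authz,dc=cornell,dc=edu
hasmember: se10@cornell.edu
hasmember: pb10@cornell.edu

dn: cn=cit.adsm,ou=groups,dc=authz,dc=cornell,dc=edu
objectclass: cornelledugroup
objectclass: edumember
cornelledugroupreadpriv: GrouperAll
hasmember: jv11@cornell.edu
hasmember: jtp5@cornell.edu

dn: cn=cit.staff,ou=groups,dc=authz,dc=cornell,dc=edu
objectclass: cornelledugroup
objectclass: edumember
cornelledugroupreadpriv: cn=myAppBinddn,ou=serviceids,dc=authz,dc=cornell,dc=edu
hasmember: jv11@cornell.edu
"""


def normalize_dn(dn: str) -> str:
    """Case-fold and strip blanks around RDN separators, so the bind DN
    'cn=myAppBinddn, ou=serviceids, ...' matches the stored value without
    spaces. A naive string compare would wrongly deny the read."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def parse_ldif(text: str) -> dict[str, dict[str, list[str]]]:
    """Minimal LDIF reader: blank-line separated entries, 'attr: value' lines,
    multi-valued attributes kept in order. Keys are normalized DNs."""
    entries: dict[str, dict[str, list[str]]] = {}
    current: dict[str, list[str]] | None = None
    for line in text.splitlines():
        if not line.strip():
            current = None
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            current = entries.setdefault(normalize_dn(value), {})
        elif current is not None:
            current.setdefault(attr, []).append(value)
    return entries


DIRECTORY = parse_ldif(GROUPS_LDIF)


def group_dn(cn: str) -> str:
    return f"cn={cn},{GROUPS_BASE}"


def may_read_hasmember(directory, bind_dn: str | None, cn: str) -> bool:
    """ACI 1: anyone, even anonymous, if cornelledugroupreadpriv=GrouperAll.
    ACI 2: an authenticated bind DN listed in cornelledugroupreadpriv.
    ACI 3: the Grouper connector DN. Anything else is denied."""
    entry = directory.get(normalize_dn(group_dn(cn)))
    if entry is None:
        return False  # unknown group: deny, and do not reveal group names
    privs = entry.get("cornelledugroupreadpriv", [])
    if "GrouperAll" in privs:
        return True
    if bind_dn is None:
        return False  # anonymous bind: no other rule can apply
    nbind = normalize_dn(bind_dn)
    if nbind == normalize_dn(GROUPER_CONNECTOR_DN):
        return True
    return any(normalize_dn(p) == nbind for p in privs if p != "GrouperAll")


def may_write_hasmember(bind_dn: str | None, cn: str) -> bool:
    """Only the Grouper LDAP Provisioning Connector may write hasMember."""
    return bind_dn is not None and normalize_dn(bind_dn) == normalize_dn(GROUPER_CONNECTOR_DN)


def read_hasmember(directory, bind_dn: str | None, cn: str) -> list[str] | None:
    """Membership list, or None when the ACIs deny the read (the directory then
    answers as if the attribute were simply absent)."""
    if not may_read_hasmember(directory, bind_dn, cn):
        return None
    return list(directory[normalize_dn(group_dn(cn))].get("hasmember", []))


if __name__ == "__main__":
    app = "cn=myAppBinddn, ou=serviceids, dc=authz, dc=cornell, dc=edu"  # slide 5 bind DN
    for who, cn in [(None, "cit.adsm"), (None, "cit.staff"), (app, "cit.staff"),
                    (app, "cit.adsm.backline"), (GROUPER_CONNECTOR_DN, "cit.adsm.backline")]:
        print(f"{who or 'anonymous'!s:>70}  {cn:<18} -> {read_hasmember(DIRECTORY, who, cn)}")
```

The anonymous read of cit.adsm succeeds because that group carries GrouperAll; the same anonymous read of cit.staff is denied; myAppBinddn reads cit.staff (it is listed) but not cit.adsm.backline (only backlineAppBindDN is); and only the connector DN passes the write check.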

6
Kerberos Authentication?
  • Our applications authenticate with Kerberos, not with
    LDAP simple binds (passwords)
  • With our SunONE directory, we can set up Kerberos 5
    authentication for the application DNs, so a Kerberos
    principal is mapped to the bind DN the ACIs check