Title: Groups in the Electronic Directory:
1. Groups in the Electronic Directory
- Requirements
- Provision group memberships into our electronic directory where they can be used by applications such as Oracle Calendar and our own CUWebAuth
- Preserve group membership read access
- No requirement to make the names of the groups anonymously available from the electronic directory
2. Groups Directory
Directory tree (reconstructed from the slide diagram):
dc=authz,dc=cornell,dc=edu
  ou=groups
    cn=cit.adsm.backline
      cornelledugroupreadpriv: backlineAppBindDN
      hasMember: se10@cornell.edu
      hasMember: pb10@cornell.edu
    cn=cit.adsm
      cornelledugroupreadpriv: GrouperAll
      hasMember: jv11@cornell.edu
      hasMember: jtp5@cornell.edu
Schema: objectclass cornelledugroup carries the attribute cornelledugroupreadpriv; objectclass eduMember carries the attribute hasMember (rest of the diagram truncated on the slide).
3. ACIs on Groups Directory
- Allow read access to hasMember for anyone if cornelledugroupreadpriv=GrouperAll
- Allow read access to hasMember for bindDNs which have authenticated to the directory and are also in the cornelledugroupreadpriv attribute for the group
- Allow read and write access to hasMember for the bindDN of the Grouper LDAP Provisioning Connector
- And other special cases
4. Example: Setting up a Group
- User jv11 creates a group called cit.staff with anonymous membership read turned off (Grouper UI)
- She adds members to the group (Grouper UI)
- She also gives the application ID called myAppBindDN membership read privileges (Grouper UI)
- The LDAP Provisioning Connector writes the group cit.staff to the groups directory and populates hasMember
- A future version of the LDAP Provisioning Connector (or a homemade script) populates the cornelledugroupreadpriv attribute for the cit.staff group in the directory
5. Example: an application wants to read the hasMember attribute for a group called cit.staff
- Application binds to the directory as cn=myAppBinddn,ou=serviceids,dc=authz,dc=cornell,dc=edu
- Application asks for the hasMember attribute of group cit.staff
- Directory returns hasMember IF
  - cornelledugroupreadpriv=GrouperAll for cit.staff (false)
  - OR
  - cornelledugroupreadpriv=myAppBinddn for cit.staff (true)
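The rules on slides 3 and 5, and the entries the connector writes in slide 4, as one added worked example (not the deck's or Grouper's own code). It assumes Sun ONE / 389-DS style ACI syntax, a bind DN for the Provisioning Connector named cn=grouperProvisioner under ou=serviceids, and that cornelledugroupreadpriv stores full bind DNs (the slides abbreviate them to names such as myAppBindDN); all group entries and members are constructed sample data, including cit.staff's membership.

```python
"""Model of the group-directory read rules from slides 3-5 (added example).

Assumptions not on the slides: Sun ONE / 389-DS ACI syntax, the assumed
provisioner DN below, full DNs in cornelledugroupreadpriv, constructed entries.
"""
from typing import Dict, List, Optional

GROUPS_BASE = "ou=groups,dc=authz,dc=cornell,dc=edu"
SERVICE_BASE = "ou=serviceids,dc=authz,dc=cornell,dc=edu"
PROVISIONER_DN = f"cn=grouperProvisioner,{SERVICE_BASE}"  # assumed name
MYAPP_DN = f"cn=myAppBinddn,{SERVICE_BASE}"               # bind DN from slide 5
BACKLINE_DN = f"cn=backlineAppBindDN,{SERVICE_BASE}"      # assumed name

# The three rules of slide 3 as Sun ONE / 389-DS ACIs. The bind rule
# userattr="cornelledugroupreadpriv#USERDN" matches when the bind DN equals
# one of the cornelledugroupreadpriv values on the target group entry.
ACIS = [
    '(targetattr="hasMember")'
    '(targetfilter="(cornelledugroupreadpriv=GrouperAll)")'
    '(version 3.0; acl "anyone may read public group membership";'
    ' allow (read,search,compare) userdn="ldap:///anyone";)',
    '(targetattr="hasMember")'
    '(version 3.0; acl "listed bind DNs may read membership";'
    ' allow (read,search,compare) userattr="cornelledugroupreadpriv#USERDN";)',
    '(targetattr="hasMember")'
    '(version 3.0; acl "provisioning connector may read and write membership";'
    f' allow (read,search,compare,write) userdn="ldap:///{PROVISIONER_DN}";)',
]


def aci_ldif() -> str:
    """LDIF that adds the ACIs to the ou=groups container (constructed)."""
    lines = [f"dn: {GROUPS_BASE}", "changetype: modify", "add: aci"]
    lines += [f"aci: {aci}" for aci in ACIS]
    return "\n".join(lines) + "\n"


# Entries as the Provisioning Connector would write them (constructed data).
GROUPS: Dict[str, Dict[str, List[str]]] = {
    "cit.adsm": {
        "cornelledugroupreadpriv": ["GrouperAll"],
        "hasMember": ["jv11@cornell.edu", "jtp5@cornell.edu"],
    },
    "cit.adsm.backline": {
        "cornelledugroupreadpriv": [BACKLINE_DN],
        "hasMember": ["se10@cornell.edu", "pb10@cornell.edu"],
    },
    "cit.staff": {
        "cornelledugroupreadpriv": [MYAPP_DN],
        "hasMember": ["jv11@cornell.edu"],  # invented membership
    },
}


def _norm_dn(dn: str) -> str:
    """DNs compare case-insensitively and ignore whitespace around commas."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def can_read_hasmember(group: Dict[str, List[str]], bind_dn: Optional[str]) -> bool:
    """Decide hasMember read access the way the ACIs above would.

    bind_dn is None for an anonymous request.
    """
    privs = group.get("cornelledugroupreadpriv", [])
    if "GrouperAll" in privs:      # rule 1: open to anyone, anonymous included
        return True
    if bind_dn is None:            # rules 2 and 3 require an authenticated bind
        return False
    bound = _norm_dn(bind_dn)
    if bound == _norm_dn(PROVISIONER_DN):  # rule 3: connector may always read
        return True
    return any(bound == _norm_dn(p) for p in privs)  # rule 2: listed bind DN


def can_write_hasmember(bind_dn: Optional[str]) -> bool:
    """Only the Provisioning Connector's bind DN may write hasMember (rule 3)."""
    return bind_dn is not None and _norm_dn(bind_dn) == _norm_dn(PROVISIONER_DN)


def read_members(group_cn: str, bind_dn: Optional[str]) -> Optional[List[str]]:
    """Return hasMember values, or None when the directory would withhold them."""
    group = GROUPS[group_cn]
    if not can_read_hasmember(group, bind_dn):
        return None
    return list(group["hasMember"])


if __name__ == "__main__":
    print(aci_ldif())
    print("cit.staff as myAppBindDN:", read_members("cit.staff", MYAPP_DN))
    print("cit.staff anonymously:   ", read_members("cit.staff", None))
    print("cit.adsm anonymously:    ", read_members("cit.adsm", None))
```

The evaluator mirrors the ACIs rather than parsing them; its point is that the slide 5 decision (GrouperAll false, myAppBinddn listed, so hasMember is returned) and the anonymous case (nothing returned for cit.staff, everything for cit.adsm) both fall out of the same three rules, and that DN comparison must be normalised or a differently cased bind DN silently loses access.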
6. Kerberos Authentication?
- Our applications use Kerberos authentication, not LDAP
- With our SunONE directory, we can set up Kerberos5 authentication for the application DNs