Restricting iFolder 3.2 users

Having set up and tested iFolder 3.2, I'm ready to start deploying it.
However, I'd like to make sure only named users can access the service.

All my users are in a hierarchy below ou=users,o=bcw. I'd like to
restrict iFolder so that only users in the eDirectory group
"iFolderUsers" in ou=users,o=bcw can access iFolder.

I tried adding cn=iFolderUsers,ou=users,o=bcw to the Search DN's in the
LDAP policy, but when searching for users this just returned all
users. Similarly, ou=iFolderUsers,ou=users,o=bcw in the DN's did the
same thing (occasionally throwing an Apache error in iManager as well).

I can leave the Search DN as ou=users,o=bcw, but all users are enabled
by default; I can disable them individually, but with 1000+ users this
isn't really an option. How can I best lock down iFolder?
Re: Restricting iFolder 3.2 users

Kenny,

We simply create a group that contains all of the iFolder 3 users. Then
add the group to the server search context. This way you can have users
that share a context but are not necessarily in the same groups. You can
remove members from the group to control access.

Victor


Kenny Anderson wrote:
> Having set up and tested iFolder 3.2, I'm ready to start deploying it.
> However, I'd like to make sure only named users can access the service.
>
> All my users are in a hierarchy below ou=users,o=bcw. I'd like to
> restrict iFolder so that only users in the eDirectory group
> "iFolderUsers" in ou=users,o=bcw can access iFolder.
>
> I tried adding cn=iFolderUsers,ou=users,o=bcw to the Search DN's in the
> LDAP policy, but when searching for users this just returned all
> users. Similarly, ou=iFolderUsers,ou=users,o=bcw in the DN's did the
> same thing (occasionally throwing an Apache error in iManager as well).
>
> I can leave the Search DN as ou=users,o=bcw, but all users are enabled
> by default; I can disable them individually, but with 1000+ users this
> isn't really an option. How can I best lock down iFolder?

Re: Restricting iFolder 3.2 users

On 2006-03-28 19:13:19 +0100, Victor Billings <vbillings@novell.com> said:

> Kenny,
>
> We simply create a group that contains all of the iFolder 3 users. Then
> add the group to the server search context. This way you can have users
> that share a context but are not necessarily in the same groups. You can
> remove members from the group to control access.
>
> Victor
If I understand you correctly, I've already done this - I created an
eDirectory group and put "cn=iFolderUsers,o=bcw" (and tried
"ou=iFolderUser,o=bcw" too) in the "Search DNs" in the LDAP server. Any
time I search for users, I get every user name returned instead of just
those in the group, and any user can also log in and use iFolder.

What am I doing wrong?

Re: Restricting iFolder 3.2 users

Kenny Anderson wrote:
> On 2006-03-28 19:13:19 +0100, Victor Billings <vbillings@novell.com> said:
>
>> Kenny,
>>
>> We simply create a group that contains all of the iFolder 3 users. Then
>> add the group to the server search context. This way you can have users
>> that share a context but are not necessarily in the same groups. You can
>> remove members from the group to control access.
>>
>> Victor
>
>
> If I understand you correctly, I've already done this - I created an
> eDirectory group and put "cn=iFolderUsers,o=bcw" (and tried
> "ou=iFolderUser,o=bcw" too) in the "Search DNs" in the LDAP server. Any
> time I search for users, I get every user name returned instead of just
> those in the group, and any user can also log in and use iFolder.
>
> What am I doing wrong?
>


bump?
Re: Restricting iFolder 3.2 users

Kenny,

I tried duplicating this in my lab, and I inadvertently ran into a
condition that I wonder if you have also uncovered. I have a container
that holds all of my user objects, previously I had added this container
as a search context. Within that container I created another ou with a
group object and a couple of users in it. Then I added the group object
to the search context. I added only some of the users to the group while
leaving some out.

Then I did a roster sync. To my surprise, all of the users in the
subcontainer were added to the roster rather than just the users in the
group. It wasn't until later that I realized that I had a search context
that was higher in the tree that was traversing down and getting
everyone in my group as well as those that were not in the group but in
the same container.

Is this what is happening to you?

The other thing that might be complicating this is that as of sp2 the
process for deleting users from the roster was changed slightly. There
was an unrelated defect found where an incomplete ldap sync would
inadvertently delete users from the roster and orphan all of their
ifolders. In order to combat this, when the roster detected that a user
was gone from ldap, instead of performing a delete like it used to, it
now marks the user as disabled for a period of five days instead of
immediately deleting the user, thus making it much easier to recover
from an inadvertent ldap delete of a roster user.

The side effect of this fix is that when you change the search cn's you
will not immediately see this change reflected in the roster after you
do an ldap sync. So when you do a user search, those users that you have
excluded from ldap search context will still be ifolder users for a
period of five days. However, if you look under the user search under
Enable/Disable Users account, you will see that those users that were
previously added are now marked as disabled. In five days, those users
will be deleted from the roster and their iFolders will be orphaned and
assigned automatically to the iFolder admin.

All this being said, after messing around with this for a while I was
able to verify that adding users to a group object works to exclude
those users that are not in the group object. This is actually how
Novell IT provisions iFolder 3.


Victor


Kenny Anderson wrote:
> Kenny Anderson wrote:
>
>> On 2006-03-28 19:13:19 +0100, Victor Billings <vbillings@novell.com>
>> said:
>>
>>> Kenny,
>>>
>>> We simply create a group that contains all of the iFolder 3 users. Then
>>> add the group to the server search context. This way you can have users
>>> that share a context but are not necessarily in the same groups. You can
>>> remove members from the group to control access.
>>>
>>> Victor
>>
>>
>> If I understand you correctly, I've already done this - I created an
>> eDirectory group and put "cn=iFolderUsers,o=bcw" (and tried
>> "ou=iFolderUser,o=bcw" too) in the "Search DNs" in the LDAP server.
>> Any time I search for users, I get every user name returned instead of
>> just those in the group, and any user can also log in and use iFolder.
>>
>> What am I doing wrong?
>>

>
> bump?

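The pitfall Victor describes (a container search context higher in the tree silently pulls in everyone below it, so a group context added next to it cannot narrow the roster) and the SP2 disable-for-five-days behaviour can both be checked with a small model of roster sync. The code below is an added example for this thread, not Novell's or iFolder's own code; it assumes the semantics stated in the replies (a container context contributes every user object in its subtree, a group context contributes the group's members, the roster is the union over all contexts, and users that drop out of every context are disabled and deleted after five days). The directory entries, the `overlapping_contexts` check and all function names are constructed for illustration.

```python
# Constructed directory, shaped after the thread: all users live below
# ou=users,o=bcw, and the group cn=iFolderUsers,ou=users,o=bcw names the
# subset that should be allowed to use iFolder. (Assumption: these DNs and
# attribute names are illustrative, not taken from a real tree.)
DIRECTORY = {
    "cn=alice,ou=users,o=bcw": {"objectClass": "inetOrgPerson"},
    "cn=bob,ou=users,o=bcw": {"objectClass": "inetOrgPerson"},
    "cn=carol,ou=staff,ou=users,o=bcw": {"objectClass": "inetOrgPerson"},
    "cn=iFolderUsers,ou=users,o=bcw": {
        "objectClass": "groupOfNames",
        "member": ["cn=alice,ou=users,o=bcw", "cn=carol,ou=staff,ou=users,o=bcw"],
    },
}

GRACE_DAYS = 5  # SP2 behaviour described in the thread: disable, delete after five days


def _is_under(dn, base):
    """True if dn is base itself or lies anywhere in base's subtree."""
    return dn == base or dn.endswith("," + base)


def users_for_context(directory, context_dn):
    """Users one search context contributes (modelled semantics, an assumption)."""
    entry = directory.get(context_dn)
    if entry is not None and entry.get("objectClass") == "groupOfNames":
        # Group context: only the group's members count.
        return {m for m in entry["member"] if m in directory}
    # Container context: every user object anywhere in the subtree.
    return {dn for dn, e in directory.items()
            if e.get("objectClass") == "inetOrgPerson" and _is_under(dn, context_dn)}


def resolve_contexts(directory, contexts):
    """The roster is the union over all configured search contexts."""
    result = set()
    for ctx in contexts:
        result |= users_for_context(directory, ctx)
    return result


def overlapping_contexts(directory, contexts):
    """Defender check: (group_ctx, container_ctx) pairs where the container
    context already covers a group member, so the group cannot restrict access."""
    pairs = []
    for g in contexts:
        entry = directory.get(g)
        if entry is None or entry.get("objectClass") != "groupOfNames":
            continue
        for c in contexts:
            if c != g and any(_is_under(m, c) for m in entry["member"]):
                pairs.append((g, c))
    return pairs


def ldap_sync(roster, directory, contexts, today):
    """One roster sync. roster = {"enabled": set(), "disabled_since": {dn: day}}."""
    wanted = resolve_contexts(directory, contexts)
    for dn in wanted:                       # present in LDAP: enabled, clear any disable mark
        roster["enabled"].add(dn)
        roster["disabled_since"].pop(dn, None)
    for dn in list(roster["enabled"]):      # gone from LDAP: disable rather than delete
        if dn not in wanted:
            roster["enabled"].discard(dn)
            roster["disabled_since"].setdefault(dn, today)
    for dn, since in list(roster["disabled_since"].items()):
        if today - since >= GRACE_DAYS:     # grace expired: user removed, iFolders orphaned
            del roster["disabled_since"][dn]
    return roster


def user_search(roster):
    """What the admin user search still lists: enabled plus disabled-but-not-deleted."""
    return set(roster["enabled"]) | set(roster["disabled_since"])


if __name__ == "__main__":
    group_only = ["cn=iFolderUsers,ou=users,o=bcw"]
    both = ["ou=users,o=bcw", "cn=iFolderUsers,ou=users,o=bcw"]
    print("group only:", sorted(resolve_contexts(DIRECTORY, group_only)))
    print("container + group:", sorted(resolve_contexts(DIRECTORY, both)))
    print("overlaps:", overlapping_contexts(DIRECTORY, both))
```

Running `overlapping_contexts` against a proposed context list before committing it is the check that would have surfaced Kenny's problem: with `ou=users,o=bcw` still configured, the group context is reported as redundant and bob stays on the roster. The sync model also shows why a corrected context list does not look fixed on the day of the change: bob is disabled immediately but remains visible in user search until the grace period has run.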