tsherwin

Limiting LDAP application authentication to a set of users


We are implementing a 3rd party application that can use eDir/LDAP for
authentication, but our challenge is around limiting which users can
access the app.

We can simply set the search base for the app to where our users are,
but then anyone has the capability to use the tool (something which is
strictly against the requirements because of licensing, etc.). Not all
users would use the tool, and they cross organizational boundaries
(associates, vendors, contractors) so nothing obvious sets them apart
(see below: the tool can't differentiate anyway - it's the whole OU or
nothing).

We're restricted, for many reasons, in that our OU structure cannot
change; we obviously don't want second or generic accounts; and while we
would prefer not to add more custom attributes (to the many we already
have) specifically for this app to use, it cannot leverage them. We could
front it with Access Manager and require those attributes for
authentication, but non-web clients will use the tool.

What I'm considering is perhaps setting up aliases for the users in an
OU specific to the app, and limiting the app to that searchbase. The
second part would entail perhaps an IdM driver that would take a nrfRole
membership (we use RBPM) and based on that create the alias.

Any ideas or thoughts?
Thank you in advance.


--
tsherwin
View this thread: http://forums.novell.com/showthread.php?t=449547

Anonymous_User

Re: Limiting LDAP application authentication to a set of users


Aliases are probably the best way to go, though setting up an LDAP tree
for this would be another way to do it and since you have IDM
synchronizing the two would be pretty trivial barring licensing concerns.

As long as we are covering all of the options you could statically
create these users in a tree for this application's authentications,
though that's not really better than manually creating the aliases you
need. Aliases are not great for performance but as long as you do not
have too many that may be the best way.

Good luck.
peterkuo

Re: Limiting LDAP application authentication to a set of users


To my thinking, LDAP can't do it natively; you either need to do that at
the client app or have a front end filtering the incoming requests
(which means "like" doing it at the client app) ...


--
peterkuo


-- eDirectory Rules! Peter www.DreamLAN.com
Knowledge Partner

Re: Limiting LDAP application authentication to a set of users

tsherwin wrote:

>
> We are implementing a 3rd party application that can use eDir/LDAP for
> authentication, but our challenge is around limiting which users can
> access the app.
>
> We can simply set the search base for the app to where our users are,
> but then anyone has the capability to use the tool (something which is
> strictly against the requirements because of licensing, etc.). Not
> all users would use the tool, and they cross organizational boundaries
> (associates, vendors, contractors) so nothing obvious sets them apart
> (see below: the tool can't differentiate anyway - it's the whole OU or
> nothing).
>
> We're restricted, for many reasons, in that our OU structure cannot
> change; we obviously don't want second or generic accounts; and while
> we would prefer not to add more custom attributes (to the many we
> already have) specifically for this app to use, it cannot leverage
> them. We could front it with Access Manager and require those
> attributes for authentication, but non-web clients will use the tool.
>
> What I'm considering is perhaps setting up aliases for the users in an
> OU specific to the app, and limiting the app to that searchbase. The
> second part would entail perhaps an IdM driver that would take a
> nrfRole membership (we use RBPM) and based on that create the alias.


Can your app do a custom LDAP query? If so, you could maybe add an
additional attribute which is required to have a valueX. So for example
a filter could look like: (&(cn=userA)(attributeX=valueX)).


--
Cheers,
Edward