From: Emmanuel Lecharny
Reply-To: elecharny@iktek.com
To: Apache Directory Developers List
Delivered-To: mailing list dev@directory.apache.org
Date: Sat, 23 Dec 2006 23:59:43 +0100
Message-ID: <458DB4DF.9000101@gmail.com>
Subject: Re: Triplesec... storing permissions in ldap

David Jencks wrote:
> Right now triplesec is basically using strings as permissions, and
> they are stored as multi-valued attributes like so:
>
> objectclass ( 1.2.6.1.4.1.22555.1.1.1.4.203 NAME 'policyRole'
>     SUP top
>     AUXILIARY
>     MUST ( roleName )
>     MAY ( grants $ denials $ description ) )
>
> objectclass ( 1.2.6.1.4.1.22555.1.1.1.4.204 NAME 'policyProfile'
>     SUP top
>     AUXILIARY
>     MUST ( profileId $ user )
>     MAY ( grants $ denials $ roles $ userPassword $ description $
>           safehausDisabled ) )
>
> or as a bit of ldif:
>
> dn: roleName=mockRole5,ou=roles,appName=mockApplication,ou=applications,dc=example,dc=com
> objectClass: top
> objectClass: policyRole
> grants: mockPerm9
> grants: mockPerm7
> grants: mockPerm5
> grants: mockPerm4
> denials: mockPerm6
> roleName: mockRole5
>
> (this includes my local modification so roles can have denials).
>
> After looking around at java.security.Permissions I think we can
> store 99% of them with 3 strings:
> className
> permissionName
> action
>
> and possibly depending on how ldap datamodels work
> grant/deny
>
> Within a role or profile, these 3 or 4 strings are needed to get a
> unique permission.
>
> I've been trying to learn about ldap schemas, the data model, ldif,
> etc by figuring out how to fit this info into ldap but I'm pretty
> bewildered and maybe someone with non-zero experience could review
> and improve my suggestion below or suggest how to proceed.
>
> It looks to me as if one way to proceed would be to have the
> className with permissionNames grouped under each labelled grant or
> deny, then with the actions as attributes on the permission. Does
> the following schema do this?
>
> attributetype ( 1.2.6.1.4.1.22555.1.1.1.3.abc
>     NAME 'action'
>     DESC 'action for a permission'
>     EQUALITY caseExactMatch
>     SUBSTR caseExactSubstringsMatch
>     SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
>
> objectclass ( 1.2.6.1.4.1.22555.1.1.1.4.abc NAME 'className'
>     SUP top
>     AUXILIARY )
>
> objectclass ( 1.2.6.1.4.1.22555.1.1.1.4.def NAME 'grant'
>     SUP top
>     AUXILIARY
>     MAY ( action ) )
>
> objectclass ( 1.2.6.1.4.1.22555.1.1.1.4.ghi NAME 'deny'
>     SUP top
>     AUXILIARY
>     MAY ( action ) )
>
> I'm imagining a dn something like
>
> grant=/servlet/*,permissionClass=javax.security.jacc.WebResourcePermission,roleName=peon,applicationName=foo,....
>
> with attributes like
> action=POST,GET
> action=INDEX
>
> Some of my other questions are... AUXILIARY or STRUCTURAL?

Well, not easy... AUXILIARY is used for ObjectClasses that extend a
STRUCTURAL ObjectClass. Entries should implement a STRUCTURAL
ObjectClass. You are not supposed to instantiate an AUXILIARY
ObjectClass. So, basically, STRUCTURAL if you want to instantiate
entries from it.

> What if anything ties the object classes together in a tree, so e.g.
> grant and deny occur "inside" className? Should there be MAY ( grant
> $ deny) in the className objectclass?

If Grant and Deny are ObjectClasses, they can't be declared in MAY or
MUST, because MAY and MUST only contain attributes, not ObjectClasses.

> The actions and possibly the grant/deny are likely to have lots of
> bizarre punctuation, such as the commas in the example above. How
> does one deal with that in ldap?

It depends. Just pick the syntax that best fits your needs, and here,
it should be something like IA5String, OctetString or PrintableString.
You have a list of all syntaxes here:
http://cwiki.apache.org/confluence/display/DIRxSRVx11/Schema+Checking.
If you have commas, you will have to escape them using \ in a DN.
You can also use " " around the dn to avoid escaping special chars
like , and + and ;

> Many thanks for any help, and I hope this isn't too much of a user
> list question :-)

np, and I hope it helps :)

> thanks
> david jencks
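An added example, not code from this thread, Triplesec or ApacheDS: a small Python DN escaper and parser that applies the RFC 4514 backslash rules to the DN layout David sketched (the RDN names and values come from the thread), shows what happens to an action value such as POST,GET once it becomes an RDN value, and on the parsing side also accepts the legacy quoted form Emmanuel mentions. The helpers `escape_rdn_value`, `build_dn` and `split_dn` are my own names.

```python
# Added example (not from the thread, Triplesec or ApacheDS): RFC 4514 DN escaping.
_SPECIAL = set(',+"\\<>;')   # must be backslash-escaped anywhere in a DN value

def escape_rdn_value(value: str) -> str:
    """Escape one attribute value so it can be embedded in a DN string (RFC 4514 2.4)."""
    out, last = [], len(value) - 1
    for i, ch in enumerate(value):
        if ch in _SPECIAL or (ch == '#' and i == 0) or (ch == ' ' and i in (0, last)):
            out.append('\\' + ch)    # specials anywhere; leading '#'; leading/trailing space
        else:
            out.append(ch)
    return ''.join(out)

def build_dn(rdns):
    """Join (attribute, value) pairs, most specific first, into a DN string."""
    return ','.join(f'{attr}={escape_rdn_value(val)}' for attr, val in rdns)

def split_dn(dn: str):
    """Parse a DN into (attribute, value) pairs, undoing backslash escapes and legacy quoting."""
    rdns, buf, quoted = [], [], False
    i = dn.index('=') + 1                    # attribute type of the first RDN ends here
    attr = dn[:i - 1].strip()
    while i < len(dn):
        ch = dn[i]
        if ch == '\\':
            hexpair = dn[i + 1:i + 3]
            if len(hexpair) == 2 and all(c in '0123456789abcdefABCDEF' for c in hexpair):
                buf.append(chr(int(hexpair, 16)))   # \2c style escape
                i += 2
            else:
                buf.append(dn[i + 1])               # \, \+ \" and friends
                i += 1
        elif ch == '"' and (quoted or not buf):
            quoted = not quoted                     # legacy "..." quoting (RFC 2253) toggles
        elif ch == ',' and not quoted:
            rdns.append((attr, ''.join(buf)))       # end of this RDN; read the next type
            j = dn.index('=', i)
            attr, buf, i = dn[i + 1:j].strip(), [], j
        else:
            buf.append(ch)                          # '+' multi-valued RDNs are not split
        i += 1
    if quoted:
        raise ValueError('unterminated quote in DN')
    rdns.append((attr, ''.join(buf)))
    return rdns
```

Round-tripping the POST,GET case through `build_dn` and `split_dn` shows why a value with commas has to be escaped (or quoted) before it is usable as an RDN.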