Only usage will show what people really use...
I suggest that the ldap_is_user_in function is used for now (which is
basically what is used for sql and radius). However, I suggest adding a
parameter that will control whether an "attribute in object" or
"groupOfNames" search is done
(modparam("ldap", "group_method", "1/0")).
Using the "attribute in object" approach is not exploiting the efficiency of
LDAP as a directory server (and provisioning of an account in a group
requires touching the account). Using groupOfNames (with an LDAP server
having implemented an efficient lookup functionality) combines speed with
data model soundness.
g-)
----- Original Message -----
From: "Arek Bekiersz" <sip(a)perceval.net>
To: "Jan Janak" <jan(a)iptel.org>
Cc: <serusers(a)lists.iptel.org>
Sent: Thursday, November 10, 2005 5:23 PM
Subject: Re: [Serusers] SER and LDAP
Jan,
This is how I do it now. Consider this fragment of my cfg that I use on a
daily basis:
# Busy redirection
if( p_ldap_is_user_in("Request-URI", "divert_busy") ) {
xlog( "L_DBG", "DEBUG: User wishes Busy divert\n" );
setflag(4);
};
I was just proposing to change group handling in particular - that is: to
migrate from storing Group in User profile to storing Users (their DNs) in
Groups.
Generally, functions present in the module can be used to verify the
authenticity of the user or group membership. Other functions return the
state of a specific attribute (like the boolean group membership above) or
process the SIP request according to a specific attribute value (like the
prefix functions or alias functions).
The thing I was discussing with Greger is that not all functions are
meaningful for everybody; some of them were developed for specific
purposes and generally no one will find them useful...
However, I have decided to leave them for historical reasons, as I can
imagine somebody could use them, possibly after modifications.
So I have nothing against developing a <new> set of more <generic>
functions. To be discussed.
--
Arek
Jan Janak wrote:
I am no LDAP expert, but I would like to propose that we do group
membership checking in SER instead (in the configuration file).
Other authentication modules (radius and database) make it possible to
load a set of name-value pairs during authentication. Those pairs will
be stored in AVPs (Attribute-Value pairs) in SER and SER has a variety
of functions to process them.
Thus we could have an attribute named "Group" which will contain all
groups the user belongs to. So, in my opinion, all that the LDAP
authentication module has to do is to verify the authenticity of the
user and return a set of attributes associated with the authenticated
user.
What do you think? This way we can have group checking independent of
the authentication method. You could also store additional data
attributes in LDAP that can be later used by SER, such as call forwarding
rules (call forward on busy, call forward on no answer, and so on).
Jan.
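To make the difference between the two lookup methods Greger proposes above concrete, here is an added example (not code from SER's ldap module or from anyone in this thread) that models both searches against a constructed in-memory directory and shows which entry each method has to modify when provisioning. The DNs, the serGroup attribute name and the group_method values 0/1 are assumptions.

```python
import re

# Constructed in-memory directory (an assumption, not a real LDAP server):
# two user entries and one groupOfNames entry. The "serGroup" attribute and
# the DN layout are made up for this example.
DIRECTORY = {
    "uid=alice,ou=users,dc=example,dc=org": {
        "objectClass": {"inetOrgPerson"},
        "uid": {"alice"},
        "serGroup": {"divert_busy"},  # group stored on the user ("attribute in object")
    },
    "uid=bob,ou=users,dc=example,dc=org": {
        "objectClass": {"inetOrgPerson"},
        "uid": {"bob"},
    },
    "cn=divert_busy,ou=groups,dc=example,dc=org": {
        "objectClass": {"groupOfNames"},
        "cn": {"divert_busy"},
        "member": {"uid=alice,ou=users,dc=example,dc=org"},  # user stored on the group
    },
}

def search(ldap_filter):
    """Evaluate a filter of the form (&(attr=value)...) against DIRECTORY.
    Only ANDed equality assertions are supported; returns the matching DNs."""
    assertions = re.findall(r"\((\w+)=([^()]+)\)", ldap_filter)
    return [dn for dn, attrs in DIRECTORY.items()
            if all(value in attrs.get(attr, set()) for attr, value in assertions)]

def membership_filter(user_dn, group, group_method):
    """Build the filter each group_method would send to the server."""
    if group_method == 0:  # "attribute in object": search the user entry
        rdn = user_dn.split(",", 1)[0]  # e.g. "uid=alice"
        return f"(&({rdn})(serGroup={group}))"
    # groupOfNames: search the group entry for the user's DN as a member
    return f"(&(objectClass=groupOfNames)(cn={group})(member={user_dn}))"

def is_user_in(user_dn, group, group_method):
    return bool(search(membership_filter(user_dn, group, group_method)))

def add_to_group(user_dn, group, group_method):
    """Provision membership; returns the DN of the entry that had to be modified."""
    if group_method == 0:
        target = user_dn  # the account itself is touched, as Greger notes
        DIRECTORY[target].setdefault("serGroup", set()).add(group)
    else:
        target = f"cn={group},ou=groups,dc=example,dc=org"  # only the group changes
        DIRECTORY[target].setdefault("member", set()).add(user_dn)
    return target
```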
_______________________________________________
Serusers mailing list
serusers(a)lists.iptel.org
http://lists.iptel.org/mailman/listinfo/serusers