[Serusers] SER and LDAP

Jan Janak jan at iptel.org
Thu Nov 10 17:09:41 CET 2005


I am no LDAP expert, but I would like to propose that we do group
membership checking in SER instead (in the configuration file).

Other authentication modules (radius and database) make it possible to
load a set of name-value pairs during authentication. Those pairs will
be stored in AVPs (Attribute-Value pairs) in SER and SER has a variety
of functions to process them.

Thus we could have an attribute named "Group" which will contain all
groups the user belongs to. So, in my opinion, all that the LDAP
authentication module has to do is to verify the authenticity of the
user and return a set of attributes associated with the authenticated
user.

What do you think ? This way we can have group checking independent of
the authentication method. You could also store additional data
attributes in LDAP that can be later used by SER, such as call forwarding
rules (call forward on busy, call forward on no answer, and so on).

  Jan.

On 10-11-2005 16:47, Arek Bekiersz wrote:
> Jan,
> 
> 
> As I said to Greger, there are many many changes that will have to be 
> made to the module. But as they will be going on parallel to my current 
> work, I hope I can correct them quickly. If I find time to actually DO 
> my current work.
> 
> Imagine group handling - I made a wrong design requirement, I've put 
> group membership inside every Ldap object. That is: if somebody is 
> member of some group, he has special attribute (let's say 'memberOf') 
> set to name of this group.
> 
> This is wrong, as proper approach is to have groupOfNames (or 
> groupOfUniqueNames) object and just put DN's of members into this. That 
> is for example how LDAP groups are used in Radius, when working with 
> LDAP backend...
> 
> 
> ... but according to Greger V.Teigre there is an issue with groupOfNames 
> (thanks Greger). Some LDAP servers do not have built-in functions for 
> efficiently checking group membership (i.e. OpenLDAP). We will have to 
> make sure that the future implementation of group check algorithm will 
> work across LDAP servers.
> 
> What is more, from my experience I know we could have schema violations 
> in some users when using empty 'groupOfNames' (without any 'member' 
> attribute value - like if group has no members :-) ). This attribute is
> mandatory according to various schemas. However it is perfectly possible 
> to enter an empty value inside the 'member' attribute.
> 
> 
> So as you see plenty of work is to be done.
> 
> 
> --
> Arek
> 
> 
> Jan Janak wrote:
> >Great, I am looking forward to it and hopefully we can get it to the main
> >tree soon.
> >
> >  Jan.
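
The two group layouts discussed in the thread, worked through as an added example (this is illustrative code written for this page, not SER's or the LDAP auth module's code). It models the "memberOf on every user entry" design Arek now rejects beside the groupOfNames design with member DNs, does the membership check client-side so it does not depend on server-side memberOf support (Greger's OpenLDAP concern), skips the empty 'member' placeholder value Arek mentions so that an empty DN can never match it, and escapes the DN before embedding it in a search filter. The directory entries, DNs and function names are constructed for the example and are assumptions, not real data or project API.

```python
"""Added example: portable LDAP group-membership check over the two
layouts discussed in the thread. Not SER's or the LDAP module's code.

Layout A ("groupOfNames"): group entries carry member DNs in 'member'.
Layout B ("memberOf"): each user entry lists the groups it belongs to.

The sample directory below is constructed for this example; every DN is
an assumption. No LDAP server is contacted: the check runs client-side on
fetched entries, which is what makes it work on servers without a
memberOf overlay (e.g. plain OpenLDAP).
"""
from typing import Dict, List

Entry = Dict[str, List[str]]

ALICE = "uid=alice,ou=people,dc=example,dc=org"
BOB = "uid=bob,ou=people,dc=example,dc=org"
SIP_USERS = "cn=sip-users,ou=groups,dc=example,dc=org"
ADMINS = "cn=admins,ou=groups,dc=example,dc=org"

SAMPLE_ENTRIES: Dict[str, Entry] = {
    ALICE: {"objectClass": ["inetOrgPerson"], "memberOf": [SIP_USERS]},
    BOB: {"objectClass": ["inetOrgPerson"]},
    # Layout A. The "" value is the schema workaround Arek mentions:
    # 'member' is mandatory for groupOfNames, so an otherwise empty
    # group is often created with a single empty value.
    SIP_USERS: {"objectClass": ["groupOfNames"], "member": [ALICE, ""]},
    ADMINS: {"objectClass": ["groupOfNames"], "member": [""]},
}


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value embedded in a search filter.

    Without it a user-controlled DN or name containing '*', '(' or ')'
    can change the meaning of the filter (LDAP filter injection)."""
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def membership_filter(user_dn: str) -> str:
    """Filter to run under the groups subtree on any LDAP server to find
    the groupOfNames entries that list user_dn as a member."""
    return "(&(objectClass=groupOfNames)(member=%s))" % escape_filter_value(user_dn)


def _norm_dn(dn: str) -> str:
    # DN comparison is case-insensitive for these attribute types; also
    # drop spaces around RDN separators so "a, b" and "a,b" compare equal.
    return ",".join(part.strip() for part in dn.split(",")).casefold()


def groups_via_groupofnames(entries: Dict[str, Entry], user_dn: str) -> List[str]:
    """Layout A: walk the group entries and match their 'member' values.

    Empty 'member' values are skipped, so an empty or blank user DN
    never matches the placeholder used to satisfy the schema."""
    target = _norm_dn(user_dn)
    if not target:
        return []
    found = []
    for dn, entry in entries.items():
        if "groupOfNames" not in entry.get("objectClass", []):
            continue
        members = [m for m in entry.get("member", []) if m.strip()]
        if any(_norm_dn(m) == target for m in members):
            found.append(dn)
    return sorted(found)


def groups_via_memberof(entries: Dict[str, Entry], user_dn: str) -> List[str]:
    """Layout B: read 'memberOf' from the user's own entry."""
    entry = entries.get(user_dn)
    if entry is None:
        return []
    return sorted(g for g in entry.get("memberOf", []) if g.strip())


def group_names(group_dns: List[str]) -> List[str]:
    """Reduce group DNs to their leading RDN value ('sip-users'): the
    form one would hand back as a multi-valued 'Group' attribute for the
    configuration file to check, along the lines Jan proposes."""
    names = []
    for dn in group_dns:
        rdn = dn.split(",", 1)[0]
        names.append(rdn.split("=", 1)[1] if "=" in rdn else rdn)
    return names


def is_member(entries: Dict[str, Entry], user_dn: str, group_dn: str) -> bool:
    """True if the user is in the group under layout A."""
    wanted = _norm_dn(group_dn)
    return wanted in {_norm_dn(g) for g in groups_via_groupofnames(entries, user_dn)}


if __name__ == "__main__":
    print(membership_filter(ALICE))
    print(group_names(groups_via_groupofnames(SAMPLE_ENTRIES, ALICE)))
```

Against a live server the filter from membership_filter() is what you would pass to the search, with the user's bind DN as its argument; the client-side walk is the equivalent over entries already fetched, and it is the part that stays the same whether or not the server can answer a memberOf query itself.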
