20081103 elm ISMEMBEROF and Associated Group Records

isMemberOf is an attribute of the eduMember objectClass. The eduMember objectClass
is granted to every ou=people directory record when created. isMemberOf is
provisioned with individual group memberships that are in turn used by external
applications to make authorization-based decisions.

isMemberOf values are expected to tie to ou=group records of the same name, although
there is currently no mechanism within the directory that enforces that relationship.
So it is currently possible to provision an isMemberOf value that matches no
group name.
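
The gap just described can be audited offline from an LDIF export of the ou=people and ou=group branches. The following Python is an added example and not part of the original note; the LDIF sample is constructed, and the code assumes isMemberOf holds the full DN of the group record, as in the cn=appusers:AppA:* pattern later in this note.

```python
from collections import defaultdict

# Constructed LDIF sample, not a real export: two ou=group records and two
# ou=people records; rroe's second isMemberOf value names no group record.
SAMPLE_LDIF = """\
dn: cn=appusers:AppA:readers,ou=group,dc=alaska,dc=edu
cn: appusers:AppA:readers

dn: cn=appusers:AppA:editors,ou=group,dc=alaska,dc=edu
cn: appusers:AppA:editors

dn: uid=jdoe,ou=people,dc=alaska,dc=edu
isMemberOf: cn=appusers:AppA:readers,ou=group,dc=alaska,dc=edu
isMemberOf: cn=appusers:AppA:Editors, ou=group, dc=alaska, dc=edu

dn: uid=rroe,ou=people,dc=alaska,dc=edu
isMemberOf: cn=appusers:AppA:readers,ou=group,dc=alaska,dc=edu
isMemberOf: cn=appusers:AppB:staff,ou=group,dc=alaska,dc=edu
"""

def parse_ldif(text):
    """Yield (dn, {lowercased attr: [values]}) per entry; unfolds wrapped lines."""
    entry = []
    for raw in text.splitlines() + [""]:
        if raw.startswith(" ") and entry:          # LDIF line folding
            entry[-1] += raw[1:]
        elif raw == "":
            if entry:
                attrs = defaultdict(list)
                for name, _, value in (line.partition(":") for line in entry):
                    attrs[name.strip().lower()].append(value.strip())
                yield attrs["dn"][0], attrs
            entry = []
        elif not raw.startswith("#"):
            entry.append(raw)

def norm_dn(dn):
    """Case-fold and strip spaces around RDN separators so DNs compare equal."""
    return ",".join(part.strip() for part in dn.lower().split(","))

def orphaned_memberships(ldif_text):
    """Map each person DN to the isMemberOf values that name no ou=group record."""
    groups, people = set(), {}
    for dn, attrs in parse_ldif(ldif_text):
        if ",ou=group," in norm_dn(dn):
            groups.add(norm_dn(dn))
        elif "ismemberof" in attrs:
            people[dn] = attrs["ismemberof"]
    return {dn: missing for dn, values in people.items()
            if (missing := [v for v in values if norm_dn(v) not in groups])}
```

Pass the text of a real export to orphaned_memberships; every value it returns is a dangling membership that should either be removed or have its group record seeded.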

The mechanism by which ou=group records are created is the AUTHSERV Seed Group page:

https://authserv.alaska.edu/cgi-bin/seed_group

That CGI script creates both the directory group record and a registry
record to track the group.

The mechanism by which isMemberOf values are provisioned is presently ZUAUSR.
However, ZUAUSR is an application that performs provisioning for administrative
users, which historically have been only employees and select vendors.

If/when the use of group records and the isMemberOf attribute is extended to serve a
population of non-employees, then other mechanisms for provisioning will need to be
created. When that comes to pass, it is recommended that different constituent groups
be protected from each other's activities by creating security objects that scope
access to group record creation and isMemberOf provisioning.

That can be accomplished as follows:

1) Create new EDIRrole values specific to particular applications/provisioning processes:

   EDIRrole: groupAdmin<pattern>

2) Create new iPlanet roles specific to each new EDIRrole.

3) Create ACIs tied to the new iPlanet roles in which the scope of the access
   is defined in a targattrfilters clause that limits access to group names
   beginning with <pattern>.

EXAMPLE:

# EDIRrole value
groupAdminAppA

# iPlanet role
dn: cn=groupAdminAppARole,ou=people,dc=alaska,dc=edu
objectclass: top
objectclass: LDAPsubentry
objectclass: nsRoleDefinition
objectclass: nsComplexRoleDefinition
objectclass: nsFilteredRoleDefinition
cn: groupAdminAppARole
nsRoleFilter: (&(EDIRrole=*)(EDIRrole=groupAdminAppA)(eduPersonAffiliation=Employee)(assignmentCount=*)(!(assignmentCount=0)))
description: filtered role for entities allowed to define groups and provision membership for AppA

# ACI snippet for group record creation/deletion (acl name is a placeholder)
(targattrfilters="add=cn:(cn=appusers:AppA:*), del=cn:(cn=appusers:AppA:*)")
(version 3.0; acl "<acl name>";
allow (compare,read,write,search) (roledn="ldap:///cn=groupAdminAppARole,ou=people,dc=alaska,dc=edu" and (ip="137.229.9.17 || 137.229.9.68 || 137.229.9.71 || 137.229.9.75"));)

# ACI snippet for isMemberOf updates (acl name is a placeholder)
(targattrfilters="add=isMemberOf:(isMemberOf=cn=appusers:AppA:*), del=isMemberOf:(isMemberOf=cn=appusers:AppA:*)")
(version 3.0; acl "<acl name>";
allow (compare,read,write,search) (roledn="ldap:///cn=groupAdminAppARole,ou=people,dc=alaska,dc=edu" and (ip="137.229.9.17 || 137.229.9.68 || 137.229.9.71 || 137.229.9.75"));)

# pattern of group names and isMemberOf values to which ACIs apply
cn=appusers:AppA:*,ou=group,dc=alaska,dc=edu

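A dry run of the scoping design above, as an added example that is not from the original note or from the directory server: it models the intended effect of the filtered role and the two ACIs (the role filter conditions, the ip clause, and the targattrfilters prefix) so that isolation between applications can be checked before anything is loaded. The sample actor records are constructed, and DELEGATIONS, holds_role, in_scope and evaluate are names chosen here.

```python
from fnmatch import fnmatchcase

# Delegation scopes as the note lays them out: the EDIRrole value the filtered
# role requires, the group-name prefix its ACIs cover, and the ACI ip clause.
DELEGATIONS = {
    "groupAdminAppARole": {
        "edirrole": "groupAdminAppA",
        "prefix": "appusers:AppA:",
        "ips": {"137.229.9.17", "137.229.9.68", "137.229.9.71", "137.229.9.75"},
    },
}

def holds_role(entry, edirrole):
    """Mirror of the nsRoleFilter: EDIRrole carries the delegated value, the
    entry is an Employee, and assignmentCount exists and is not 0."""
    roles = {v.lower() for v in entry.get("EDIRrole", [])}
    count = entry.get("assignmentCount", [])
    return (edirrole.lower() in roles
            and "Employee" in entry.get("eduPersonAffiliation", [])
            and bool(count) and count[0] != "0")

def in_scope(attr, value, prefix):
    """targattrfilters check: (cn=<prefix>*) on group names and
    (isMemberOf=cn=<prefix>*) on membership values, compared case-folded."""
    pattern = prefix + "*" if attr.lower() == "cn" else "cn=" + prefix + "*"
    return fnmatchcase(value.lower(), pattern.lower())

def evaluate(actor, client_ip, attr, value):
    """Dry-run an add/del of attr=value by actor from client_ip -> (allowed, reason)."""
    for role, d in DELEGATIONS.items():
        if not holds_role(actor, d["edirrole"]):
            continue
        if client_ip not in d["ips"]:
            return False, f"{role}: {client_ip} not in ACI ip clause"
        if in_scope(attr, value, d["prefix"]):
            return True, f"{role}: {attr}={value} within {d['prefix']}*"
        return False, f"{role}: {attr}={value} outside {d['prefix']}*"
    return False, "actor qualifies for no delegated role"

# Constructed sample records (attribute -> values), not real directory entries.
EMPLOYEE = {"EDIRrole": ["groupAdminAppA"], "eduPersonAffiliation": ["Employee"],
            "assignmentCount": ["2"]}
VENDOR = {"EDIRrole": ["groupAdminAppA"], "eduPersonAffiliation": ["Affiliate"],
          "assignmentCount": ["1"]}
NO_ASSIGNMENTS = {"EDIRrole": ["groupAdminAppA"], "eduPersonAffiliation": ["Employee"],
                  "assignmentCount": ["0"]}

if __name__ == "__main__":
    print(evaluate(EMPLOYEE, "137.229.9.17", "isMemberOf",
                   "cn=appusers:AppB:staff,ou=group,dc=alaska,dc=edu"))
```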

In the example, the assumption is still that group and isMemberOf maintenance for
AppA is being delegated to a university employee whose account can be provisioned
via ZUAUSR. If instead responsibility is to be delegated to an application, then
the iPlanet role needs to be structured for use by ou=resource records.

Should applications have a need to independently delegate group and isMemberOf
maintenance for their own pattern of group names, then iPlanet roles should be created
that rely on specific **isMemberOf** values rather than EDIRrole values. Then whoever
was granted a key isMemberOf value could in turn grant other users the same
isMemberOf value, thereby delegating group/isMemberOf maintenance authority.

NOTE: EDIRrole values cannot be used to facilitate delegation of delegated authority,
as only users with EDIRadmin can provision EDIRrole values, and EDIRadmin will
**NOT** be granted to individuals managing group/isMemberOf for specific applications.

# eof