RBAC and LDAP [message #352]
Wed, 01 November 2006 17:42
dennisj
Hi,
I have just come across RADICORE and am not a coder but an IT administrator. I have searched the RADICORE and Marston sites, and the Forums for 'LDAP', but have found very few references.
LDAP is often used for something similar to RBAC, and many web applications implement some form of LDAP support for access and control.
What is the relationship between, or potential relationship between, RADICORE's Menu and Security system and a directory that implements an LDAP interface (such as Active Directory)?
Thanks
Dennis
Re: RBAC and LDAP [message #353 is a reply to message #352]
Wed, 01 November 2006 18:08
AJM
I have never used LDAP, but from my understanding it is used to provide a single logon to multiple desktop systems.
The problem with a web application is that it only knows what the web browser sends it, and the web browser has no way of obtaining the client's LDAP details and sending them to the web server. There is no way that an application running on a web server has access to whatever LDAP system is being used on the client, so I think any relationship between Radicore and LDAP would not achieve anything useful.
Tony Marston
http://www.tonymarston.net
http://www.radicore.org
Re: RBAC and LDAP [message #354 is a reply to message #353]
Thu, 02 November 2006 02:16
dennisj
Tony,
Thanks for the response.
I have minimal experience with LDAP and Web applications.
1/. Moodle (http://moodle.org), a PHP/MySQL learning management system. If you turn on LDAP authentication and point the Moodle application at your LDAP server, then, when a user clicks to log on, it takes the entered credentials and asks the LDAP server, over an LDAP connection, whether that user is allowed to proceed.
2/. An Apache server can have the mod_auth_kerb module installed (http://modauthkerb.sourceforge.net/). "Mod_auth_kerb is an Apache module designed to provide Kerberos authentication to the Apache web server. Using the Basic Auth mechanism, it retrieves a username/password pair from the browser and checks them against a Kerberos server as set up by your particular organization." The Kerberos connection can talk to an LDAP server.
Because there is a bit of pressure to centralise identity and permissions management in an LDAP server, it would be great if there was some way for your security system to interact with LDAP.
As I said in my original post, I'm not a coder. There is a general article here on this topic: http://www.list.gmu.edu/confrnc/ifip/i01-kluwer01-jpark.pdf
ROLE-BASED ACCESS CONTROL ON THE WEB USING LDAP
The abstract reads...
This paper gives a framework for how to leverage Lightweight Directory Access Protocol (LDAP) to implement Role-based Access Control (RBAC) on the Web in the server-pull architecture. LDAP-based directory services have recently received much attention because they can support object-oriented hierarchies of entries in which we can easily search and modify attributes over TCP/IP. To implement RBAC on the Web, we use an LDAP directory server as a role server that contains users' role information. The role information in the role server is referred to by Web servers for access control purposes through LDAP in a secure manner (over SSL). We provide a comparison of this work to our previous work, RBAC on the Web in the user-pull architecture.
Dennis
Re: RBAC and LDAP [message #355 is a reply to message #354]
Thu, 02 November 2006 04:47
AJM
The problem with this is that it requires software on the client which captures your logon credentials from the operating system so that they can be automatically passed to the web server when you enter the logon screen. That ability does not exist in any web browser, and I'm not sure if it can be done with javascript (which I do not use in Radicore), or whether it can only be done with an ActiveX control (which I also do not use in Radicore).
Even if I could use LDAP to provide a user's login identity I certainly would not use it as a replacement for my RBAC system. LDAP knows nothing of my user roles and tasks and knows nothing about assigning tasks to roles.
You may have read somewhere that using LDAP is "cool", but unless you know and understand the technicalities you will not realise that it also has its down side.
Tony Marston
http://www.tonymarston.net
http://www.radicore.org
Re: RBAC and LDAP [message #356 is a reply to message #355]
Fri, 03 November 2006 04:56
dennisj
Tony, thanks for your response again.
I don't think I was suggesting a replacement of your RBAC system with LDAP, more suggesting something along the lines of using an LDAP server instead of an SQL server for the data that relates to users and roles. I think you mentioned that you have DAOs to facilitate database independence for the RADICORE system. A custom DAO that talks LDAP, not SQL, for user and role information might theoretically be possible.
However, I can see that the question of assigning tasks to roles in LDAP would not necessarily be entirely straightforward.
Both Firefox and IE can access a user's desktop operating system logon credentials and use these to log on to remote (e.g. LDAP-connected) servers. Some Mozilla documentation is here, http://www.mozilla.org/projects/netlib/integrated-auth.html , and more tips here, http://www.cauldwell.net/patrick/blog/PermaLink,guid,c7f1e799-c4ae-4758-9de7-5c3e7a16f3da.aspx . I tested this today in Firefox: I set the network.automatic-ntlm-auth.trusted-uris setting to our Institute's Sharepoint server, and was able to log on without being prompted for any further credentials, apart from the original OS logon.
But I think the main point here is not the single-sign-on sharing of operating system credentials, but the concentration of identity and role management in one place, an LDAP enabled server, so a large part of this identity data does not have to be duplicated in two different places.
Dennis
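An added example, not code from Radicore, Moodle or any poster, of the two ideas raised in this post and in message #354 above: checking a web login against an LDAP directory with a search-then-bind, and reading a user's role information from the directory (group membership) instead of from an SQL table, while leaving the task-to-role assignment in the application's own tables. The directory host, base DN, service account, group names and the GROUP_TO_ROLE mapping are all assumptions made up for the example; the `memberOf` attribute is the Active Directory style of exposing group membership and is likewise assumed.

```php
<?php
// Added example (not Radicore/Moodle code). Assumed settings below are
// illustrative; a real deployment reads them from configuration.
declare(strict_types=1);

const LDAP_URI       = 'ldaps://ldap.example.test';            // assumption: TLS-only endpoint
const LDAP_BASE_DN   = 'dc=example,dc=test';                    // assumption
const LDAP_BIND_DN   = 'cn=web-auth,ou=services,dc=example,dc=test'; // assumption: read-only service account
const LDAP_BIND_PASS = 'service-account-secret';                // assumption: comes from a secret store

// Assumption: which directory groups map to which application roles.
// Keys are lower-case because ldap_get_entries() values are compared lower-cased below.
// Task-to-role assignment is deliberately NOT here; it stays in the application's own tables.
const GROUP_TO_ROLE = [
    'cn=web-admins,ou=groups,dc=example,dc=test' => 'ADMIN',
    'cn=web-users,ou=groups,dc=example,dc=test'  => 'USER',
];

/**
 * Authenticate $username/$password against the directory.
 * Returns ['user_dn' => string, 'roles' => string[]] on success, null on any failure.
 * The caller is never told whether the user was unknown or the password was wrong.
 */
function ldapAuthenticate(string $username, string $password): ?array
{
    // RFC 4513 section 5.1.2: a bind with a DN and an EMPTY password is an
    // "unauthenticated bind" and succeeds on many servers. Refuse it up front.
    if ($username === '' || $password === '') {
        return null;
    }

    $conn = ldap_connect(LDAP_URI);
    if ($conn === false) {
        return null;
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);

    // Step 1: bind as the service account so we can look the user up.
    if (!@ldap_bind($conn, LDAP_BIND_DN, LDAP_BIND_PASS)) {
        ldap_close($conn);
        return null;
    }

    // Escape the user-supplied value before placing it in a filter. Without this,
    // a login name of "*)(uid=*" rewrites the filter (LDAP injection).
    $filter = sprintf('(&(objectClass=person)(uid=%s))',
                      ldap_escape($username, '', LDAP_ESCAPE_FILTER));
    $result = ldap_search($conn, LDAP_BASE_DN, $filter, ['dn', 'memberOf']);
    if ($result === false) {
        ldap_close($conn);
        return null;
    }
    $entries = ldap_get_entries($conn, $result);
    if ($entries === false || $entries['count'] !== 1) {   // no match, or an ambiguous one
        ldap_close($conn);
        return null;
    }
    $userDn = $entries[0]['dn'];

    // Step 2: bind AS THE USER with the supplied password. This is the real
    // credential check; the directory verifies the secret, the application never sees a hash.
    if (!@ldap_bind($conn, $userDn, $password)) {
        ldap_close($conn);
        return null;
    }

    // Step 3: turn directory group membership into application roles.
    // ldap_get_entries() lower-cases attribute names, hence 'memberof'.
    $roles  = [];
    $groups = $entries[0]['memberof'] ?? ['count' => 0];
    for ($i = 0; $i < $groups['count']; $i++) {
        $groupDn = strtolower($groups[$i]);
        if (isset(GROUP_TO_ROLE[$groupDn])) {
            $roles[] = GROUP_TO_ROLE[$groupDn];
        }
    }
    ldap_close($conn);

    return ['user_dn' => $userDn, 'roles' => array_values(array_unique($roles))];
}

// Usage from a login handler (form fields assumed to be 'username' and 'password'):
$auth = ldapAuthenticate($_POST['username'] ?? '', $_POST['password'] ?? '');
if ($auth === null) {
    http_response_code(401);
    exit('Login failed');
}
// $auth['roles'] is what the application would feed into its own role-to-task
// permission tables; nothing task-related came from the directory.
```

The search-then-bind shape matters for two reasons: the second bind is what actually proves the password (a successful search as the service account proves nothing about the user), and the directory, not the web application, holds and verifies the secret. The empty-password check and `ldap_escape()` are the two checks most often missing from home-grown LDAP logins.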
Re: RBAC and LDAP [message #357 is a reply to message #356]
Fri, 03 November 2006 05:19
AJM
Radicore already has its own system for user authentication, user roles and access control, and there would be no advantage in replacing this with one of many possible external LDAP alternatives. It would create more problems than it solves, therefore it is not something that I would want in my software.
LDAP may be "cool" but it is also impractical.
Tony Marston
http://www.tonymarston.net
http://www.radicore.org
Re: RBAC and LDAP [message #359 is a reply to message #358]
Sun, 05 November 2006 16:49
AJM
Radicore requires that users, roles and permissions are stored in its own database tables, and the functionality that this provides cannot be duplicated with an external LDAP system. If implementing an LDAP interface means a loss of functionality then I'm afraid it is LDAP that would be shown the door.
If you absolutely need an LDAP interface then you could always get one of your own programmers to write one, but I wouldn't be prepared to guarantee the results.
When you consider all the other features that the Radicore framework has to offer, the lack of an LDAP interface is pretty insignificant.
Tony Marston
http://www.tonymarston.net
http://www.radicore.org
Re: RBAC and LDAP [message #1579 is a reply to message #1578]
Wed, 27 August 2008 18:00
AJM
Importing user information from an LDAP database is not a viable option as the Radicore framework requires more information on each user than is held in the LDAP system. It is not possible to replace the contents of the MENU database with an LDAP database.
Tony Marston
http://www.tonymarston.net
http://www.radicore.org
Re: RBAC and LDAP [message #1586 is a reply to message #1585]
Thu, 28 August 2008 15:08
AJM
That doesn't sound practical to me. Not all entries in the LDAP system would necessarily be users in the Radicore application, so it would be easier to create users manually (as at present) than to build a new screen which lists new entries on the LDAP system and then allows the user to select which ones should be copied across. Besides, there is still information in the Radicore database that would have to be entered manually, as it does not exist in the LDAP system and therefore cannot be copied across.
Using an LDAP database in place of Radicore's MENU database simply won't work, so it won't happen.
Tony Marston
http://www.tonymarston.net
http://www.radicore.org