Database Administrator's Guide

LDAP_GROUP_CHECK

LDAP_GROUP_CHECK {attr:<ATTRIBUTE>}{base:<BASE>}{filter:<FILTER>}

Where:

  • <ATTRIBUTE> is the group attribute to be checked (for example attr:member)
  • <BASE> is the LDAP base for the group membership search
  • <FILTER> is the LDAP filter for the group membership search

FairCom Server V11.5 and later can update the c-tree group membership records in FAIRCOM.FCS at logon. Because SQL permissions are evaluated against the group membership stored in FAIRCOM.FCS for a user account, this lets SQL permissions follow the current LDAP group membership of a user account that is authenticated through LDAP. The membership is refreshed when the user logs on, so a group change made in LDAP is reflected in FAIRCOM.FCS at that user's next logon.

To use this feature, add this option to the SUBSYSTEM USER_AUTH LDAP block in ctsrvr.cfg.

Any errors encountered during the group check are logged to CTSTATUS.FCS.

Example 1:

The file faircom.ldif contains these domain, user, and group definitions:

# Domain
dn: dc=faircom,dc=com
objectClass: domain
objectClass: top
dc: faircom

# People
dn: ou=people,dc=faircom,dc=com
objectclass: top
objectclass: organizationalUnit
ou: people
description: Container for user entries

dn: cn=user1,ou=people,dc=faircom,dc=com
cn: user1
objectClass: person
sn: user1

dn: cn=user2,ou=people,dc=faircom,dc=com
cn: user2
objectClass: person
sn: user2

dn: cn=user3,ou=people,dc=faircom,dc=com
cn: user3
objectClass: person
sn: user3

dn: cn=user4,ou=people,dc=faircom,dc=com
cn: user4
objectClass: person
sn: user4

dn: cn=user5,ou=people,dc=faircom,dc=com
cn: user5
objectClass: person
sn: user5

# Groups
dn: ou=groups,dc=faircom,dc=com
objectClass: organizationalUnit
ou: groups
description: Container for group entries

dn: cn=dev,ou=groups,dc=faircom,dc=com
objectClass: groupOfNames
cn: dev
description: Research and Development group
member: cn=user2,ou=people,dc=faircom,dc=com
member: cn=user3,ou=people,dc=faircom,dc=com

dn: cn=support,ou=groups,dc=faircom,dc=com
objectClass: groupOfNames
cn: support
description: Technical Support group
member: cn=user1,ou=people,dc=faircom,dc=com
member: cn=user2,ou=people,dc=faircom,dc=com
member: cn=user3,ou=people,dc=faircom,dc=com

dn: cn=qa,ou=groups,dc=faircom,dc=com
objectClass: groupOfNames
cn: qa
description: Product Testing group
member: cn=user1,ou=people,dc=faircom,dc=com
member: cn=user2,ou=people,dc=faircom,dc=com
member: cn=user3,ou=people,dc=faircom,dc=com

dn: cn=it,ou=groups,dc=faircom,dc=com
objectClass: groupOfNames
cn: it
description: Information Technology group
member: cn=user4,ou=people,dc=faircom,dc=com
member: cn=user5,ou=people,dc=faircom,dc=com

dn: cn=ctreeisamusers,ou=groups,dc=faircom,dc=com
objectClass: groupOfNames
cn: ctreeisamusers
description: c-tree ISAM Users
member: cn=user1,ou=people,dc=faircom,dc=com
member: cn=user2,ou=people,dc=faircom,dc=com
member: cn=user3,ou=people,dc=faircom,dc=com
member: cn=user4,ou=people,dc=faircom,dc=com
member: cn=user5,ou=people,dc=faircom,dc=com

dn: cn=ctreesqlusers,ou=groups,dc=faircom,dc=com
objectClass: groupOfNames
cn: ctreesqlusers
description: c-tree SQL Users
member: cn=user1,ou=people,dc=faircom,dc=com
member: cn=user2,ou=people,dc=faircom,dc=com
member: cn=user3,ou=people,dc=faircom,dc=com
member: cn=user4,ou=people,dc=faircom,dc=com
member: cn=user5,ou=people,dc=faircom,dc=com

# Applications
dn: ou=applications,dc=faircom,dc=com
objectclass: top
objectclass: organizationalUnit
ou: applications
description: Container for application entries

dn: cn=ctreesql,ou=applications,dc=faircom,dc=com
cn: ctreesql
objectClass: person
sn: ctreesql

Example 2:

The following LDAP configuration options in ctsrvr.cfg require LDAP authentication through an application ID of ctreesql, allow ISAM logons only from members of the ctreeisamusers group, allow SQL logons only from members of the ctreesqlusers group, and refresh the c-tree group definitions for a user ID at logon time from that user ID's current LDAP group membership. Note that this example uses LDAP_SSL NO on port 389, so both the user's and the application ID's bind credentials cross the network to the LDAP server in cleartext; outside a local test setup such as this one, enable LDAP_SSL so the binds are protected.

SUBSYSTEM USER_AUTH LDAP
{
LDAP_SERVER localhost
LDAP_TIMEOUT 10
LDAP_PREFIX cn=
LDAP_BASE ou=people,dc=faircom,dc=com
LDAP_APPLICATION_ID cn=ctreesql,ou=applications,dc=faircom,dc=com
LDAP_ISAM_ALLOWED_GROUP cn=ctreeisamusers,ou=groups,dc=faircom,dc=com
LDAP_SQL_ALLOWED_GROUP cn=ctreesqlusers,ou=groups,dc=faircom,dc=com
LDAP_GROUP_CHECK {attr:member}{base:ou=groups,dc=faircom,dc=com}{filter:(objectclass=groupOfNames)}
LDAP_PORT 389
LDAP_SSL NO
LDAP_KEY_STORE ldap.fkf
}

When user3 successfully connects to c-tree Server, the user3 user account and the groups to which user3 belongs are added to FAIRCOM.FCS:

User Id      User Description (Groups)
------------ ------------------------------------
ADMIN        ( ADMIN )
USER3        ( CTREEISAMUSERS CTREESQLUSERS DEV QA SUPPORT )

Now it is possible to create a SQL table and grant permission to user3 through a group to which user3 belongs. For example:

As ADMIN:

create table t(ch char(5));
insert into t values ('abc');
commit;

As user3:

select * from t;
error(-20228): Access denied(Authorisation failed)

As ADMIN:

grant select on admin.t to dev;
commit;

As user3:

select * from t;

CH
--
abc

1 record selected

Perform LDAP_GROUP_CHECK in Context of LDAP Application ID

The group membership check configured by the LDAP_GROUP_CHECK option was originally performed in the context of the user account that was logging on. That account, however, might not have permission to search its own LDAP groups, in which case the check fails even though the user is a valid group member.

The logic has been enhanced so that, when an LDAP application is specified (by the LDAP_APPLICATION_ID option in the SUBSYSTEM USER_AUTH LDAP block in ctsrvr.cfg), the LDAP_GROUP_CHECK search is performed in the context of the LDAP application ID. This is consistent with how the LDAP_ISAM_ALLOWED_GROUP and LDAP_SQL_ALLOWED_GROUP options are evaluated.

When LDAP_APPLICATION_ID is specified, you MUST also use LDAP_KEY_STORE to supply the application password; otherwise the application bind fails and, with it, the group checks.

Note: When LDAP_APPLICATION_ID is not specified, the logic behaves as before and performs the lookup as the user ID that is logging on.
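The following Python script is an added illustration, not FairCom code, of what Example 2 and the section above describe. It reads a trimmed copy of the faircom.ldif groups from Example 1, applies the attr/base/filter triple of LDAP_GROUP_CHECK to find the groups that list a user's DN, gates the logon on the LDAP_ISAM_ALLOWED_GROUP or LDAP_SQL_ALLOWED_GROUP group, and reports which DN the group search would bind as (LDAP_APPLICATION_ID when set, otherwise the user). The LDIF reader, the equality-only filter matcher, the in_group() semantics for the allowed-group options and the logon() flow are simplifying assumptions about the server's behaviour; user6 and cn=oldteam are constructed entries, added to show the gate refusing a user and the filter and attribute excluding a group of a different object class.

```python
import re

# faircom.ldif from Example 1 trimmed to its group entries, plus two CONSTRUCTED additions:
# user6 (listed only in ctreeisamusers) and cn=oldteam, a groupOfUniqueNames that lists
# user3 through uniqueMember rather than member.
GROUPS_LDIF = """\
dn: cn=dev,ou=groups,dc=faircom,dc=com
objectClass: groupOfNames
cn: dev
member: cn=user2,ou=people,dc=faircom,dc=com
member: cn=user3,ou=people,dc=faircom,dc=com

dn: cn=support,ou=groups,dc=faircom,dc=com
objectClass: groupOfNames
cn: support
member: cn=user1,ou=people,dc=faircom,dc=com
member: cn=user3,ou=people,dc=faircom,dc=com

dn: cn=qa,ou=groups,dc=faircom,dc=com
objectClass: groupOfNames
cn: qa
member: cn=user3,ou=people,dc=faircom,dc=com

dn: cn=ctreeisamusers,ou=groups,dc=faircom,dc=com
objectClass: groupOfNames
cn: ctreeisamusers
member: cn=user3,ou=people,dc=faircom,dc=com
member: cn=user6,ou=people,dc=faircom,dc=com

dn: cn=ctreesqlusers,ou=groups,dc=faircom,dc=com
objectClass: groupOfNames
cn: ctreesqlusers
member: cn=user3,ou=people,dc=faircom,dc=com

dn: cn=oldteam,ou=groups,dc=faircom,dc=com
objectClass: groupOfUniqueNames
cn: oldteam
uniqueMember: cn=user3,ou=people,dc=faircom,dc=com
"""

# The relevant options of the SUBSYSTEM USER_AUTH LDAP block from Example 2.
CFG = {
    "LDAP_PREFIX": "cn=",
    "LDAP_BASE": "ou=people,dc=faircom,dc=com",
    "LDAP_APPLICATION_ID": "cn=ctreesql,ou=applications,dc=faircom,dc=com",
    "LDAP_ISAM_ALLOWED_GROUP": "cn=ctreeisamusers,ou=groups,dc=faircom,dc=com",
    "LDAP_SQL_ALLOWED_GROUP": "cn=ctreesqlusers,ou=groups,dc=faircom,dc=com",
    "LDAP_GROUP_CHECK": "{attr:member}{base:ou=groups,dc=faircom,dc=com}"
                        "{filter:(objectclass=groupOfNames)}",
}

def parse_ldif(text):
    """Minimal LDIF reader (no folding, no '::' base64): one {attr_lower: [values]} per entry."""
    entries, cur = [], {}
    for line in text.splitlines() + [""]:
        if line.startswith("#"):
            continue
        if not line.strip():            # a blank line ends the current entry
            if cur:
                entries.append(cur)
            cur = {}
            continue
        attr, _, value = line.partition(":")
        cur.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries

def matches(attrs, flt):
    """Evaluate the one filter form the page uses, '(attr=value)', case-insensitively."""
    m = re.fullmatch(r"\((\w+)=([^)]*)\)", flt)
    assert m, "only a single equality filter is modelled here: " + flt
    return m.group(2).lower() in [v.lower() for v in attrs.get(m.group(1).lower(), [])]

def group_check(entries, user_dn, spec):
    """Apply '{attr:A}{base:B}{filter:F}': among entries in subtree B matching F, return the
    cn (upper-cased, as FAIRCOM.FCS lists group ids) of each one whose attribute A holds user_dn."""
    o = dict(re.findall(r"\{(\w+):([^}]*)\}", spec))
    base = o["base"].lower()
    return sorted(a["cn"][0].upper() for a in entries
                  if (a["dn"][0].lower() == base or a["dn"][0].lower().endswith("," + base))
                  and matches(a, o["filter"])
                  and user_dn.lower() in [m.lower() for m in a.get(o["attr"].lower(), [])])

def in_group(entries, user_dn, group_dn):
    """ASSUMED semantics of the *_ALLOWED_GROUP gate: user_dn is a 'member' value of group_dn."""
    return any(a["dn"][0].lower() == group_dn.lower()
               and user_dn.lower() in [m.lower() for m in a.get("member", [])] for a in entries)

def logon(entries, cfg, user, interface):
    """ASSUMED, simplified logon flow: build the DN from LDAP_PREFIX/LDAP_BASE, refuse unless the
    user is in the allowed group for `interface` ('isam' or 'sql'), then refresh the group list.
    Returns (DN the group search binds as, sorted group ids), or None when refused."""
    user_dn = cfg["LDAP_PREFIX"] + user + "," + cfg["LDAP_BASE"]
    gate = cfg["LDAP_SQL_ALLOWED_GROUP" if interface == "sql" else "LDAP_ISAM_ALLOWED_GROUP"]
    if not in_group(entries, user_dn, gate):
        return None
    # As the section above states: with LDAP_APPLICATION_ID set, the group search runs in the
    # application's context; without it, in the context of the user who is logging on.
    bound_as = cfg.get("LDAP_APPLICATION_ID") or user_dn
    return bound_as, group_check(entries, user_dn, cfg["LDAP_GROUP_CHECK"])
```

Calling logon(parse_ldif(GROUPS_LDIF), CFG, "user3", "sql") yields the application DN as the search identity and the group list CTREEISAMUSERS CTREESQLUSERS DEV QA SUPPORT that the FAIRCOM.FCS listing above shows for USER3; cn=oldteam is not in it because its objectClass fails the filter and it uses uniqueMember rather than the configured member attribute. The same call for user6 returns None for the SQL interface (not in ctreesqlusers) but succeeds for ISAM, and removing LDAP_APPLICATION_ID from the configuration makes the search identity fall back to the user's own DN.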

See also:

LDAP_APPLICATION_ID
