LDAP_GROUP_CHECK {attr:<ATTRIBUTE>}{base:<BASE>}{filter:<FILTER>}
Where:
FairCom Server V11.5 and later are able to update the c-tree group membership records in FAIRCOM.FCS at logon. Because SQL permissions use the current group membership for a user account as stored in FAIRCOM.FCS, this ability makes it possible for SQL permissions to act on the current LDAP group membership for a user account that is authenticated using LDAP.
To use this feature, add this option to the SUBSYSTEM USER_AUTH LDAP block in ctsrvr.cfg.
Any errors encountered are logged to CTSTATUS.FCS.
Example 1:
The file faircom.ldif contains these domain, user, and group definitions:
# Domain
dn: dc=faircom,dc=com
objectClass: domain
objectClass: top
dc: faircom

# People
dn: ou=people,dc=faircom,dc=com
objectclass: top
objectclass: organizationalUnit
ou: people
description: Container for user entries

dn: cn=user1,ou=people,dc=faircom,dc=com
cn: user1
objectClass: person
sn: user1

dn: cn=user2,ou=people,dc=faircom,dc=com
cn: user2
objectClass: person
sn: user2

dn: cn=user3,ou=people,dc=faircom,dc=com
cn: user3
objectClass: person
sn: user3

dn: cn=user4,ou=people,dc=faircom,dc=com
cn: user4
objectClass: person
sn: user4

dn: cn=user5,ou=people,dc=faircom,dc=com
cn: user5
objectClass: person
sn: user5

# Groups
dn: ou=groups,dc=faircom,dc=com
objectClass: organizationalUnit
ou: groups
description: Container for group entries

dn: cn=dev,ou=groups,dc=faircom,dc=com
objectClass: groupOfNames
cn: dev
description: Research and Development group
member: cn=user2,ou=people,dc=faircom,dc=com
member: cn=user3,ou=people,dc=faircom,dc=com

dn: cn=support,ou=groups,dc=faircom,dc=com
objectClass: groupOfNames
cn: support
description: Technical Support group
member: cn=user1,ou=people,dc=faircom,dc=com
member: cn=user2,ou=people,dc=faircom,dc=com
member: cn=user3,ou=people,dc=faircom,dc=com

dn: cn=qa,ou=groups,dc=faircom,dc=com
objectClass: groupOfNames
cn: qa
description: Product Testing group
member: cn=user1,ou=people,dc=faircom,dc=com
member: cn=user2,ou=people,dc=faircom,dc=com
member: cn=user3,ou=people,dc=faircom,dc=com

dn: cn=it,ou=groups,dc=faircom,dc=com
objectClass: groupOfNames
cn: it
description: Information Technology group
member: cn=user4,ou=people,dc=faircom,dc=com
member: cn=user5,ou=people,dc=faircom,dc=com

dn: cn=ctreeisamusers,ou=groups,dc=faircom,dc=com
objectClass: groupOfNames
cn: ctreeisamusers
description: c-tree ISAM Users
member: cn=user1,ou=people,dc=faircom,dc=com
member: cn=user2,ou=people,dc=faircom,dc=com
member: cn=user3,ou=people,dc=faircom,dc=com
member: cn=user4,ou=people,dc=faircom,dc=com
member: cn=user5,ou=people,dc=faircom,dc=com

dn: cn=ctreesqlusers,ou=groups,dc=faircom,dc=com
objectClass: groupOfNames
cn: ctreesqlusers
description: c-tree SQL Users
member: cn=user1,ou=people,dc=faircom,dc=com
member: cn=user2,ou=people,dc=faircom,dc=com
member: cn=user3,ou=people,dc=faircom,dc=com
member: cn=user4,ou=people,dc=faircom,dc=com
member: cn=user5,ou=people,dc=faircom,dc=com

# Applications
dn: ou=applications,dc=faircom,dc=com
objectclass: top
objectclass: organizationalUnit
ou: applications
description: Container for application entries

dn: cn=ctreesql,ou=applications,dc=faircom,dc=com
cn: ctreesql
objectClass: person
sn: ctreesql
Example 2:
The following LDAP configuration options in ctsrvr.cfg require LDAP authentication using an application ID of ctreesql, allow ISAM logons only from members of the ctreeisamusers group, allow SQL logons only from members of the ctreesqlusers group, and update the c-tree group definitions for a particular user ID at logon time based on that user ID's current LDAP group membership:
SUBSYSTEM USER_AUTH LDAP
{
LDAP_SERVER localhost
LDAP_TIMEOUT 10
LDAP_PREFIX cn=
LDAP_BASE ou=people,dc=faircom,dc=com
LDAP_APPLICATION_ID cn=ctreesql,ou=applications,dc=faircom,dc=com
LDAP_ISAM_ALLOWED_GROUP cn=ctreeisamusers,ou=groups,dc=faircom,dc=com
LDAP_SQL_ALLOWED_GROUP cn=ctreesqlusers,ou=groups,dc=faircom,dc=com
LDAP_GROUP_CHECK {attr:member}{base:ou=groups,dc=faircom,dc=com}{filter:(objectclass=groupOfNames)}
LDAP_PORT 389
LDAP_SSL NO
LDAP_KEY_STORE ldap.fkf
}
When user3 successfully connects to c-tree Server, the user3 account and the groups to which user3 belongs are added to FAIRCOM.FCS:
User Id User Description (Groups)
------------ ------------------------------------
ADMIN ( ADMIN )
USER3 ( CTREEISAMUSERS CTREESQLUSERS DEV QA SUPPORT )
Now it is possible to create a SQL table and grant permission to user3 through a group to which user3 belongs. For example:
As ADMIN:
create table t(ch char(5));
insert into t values ('abc');
commit;
As user3:
select * from t;
error(-20228): Access denied(Authorisation failed)
As ADMIN:
grant select on admin.t to dev;
commit;
As user3:
select * from t;
CH
--
abc
1 record selected
Perform LDAP_GROUP_CHECK in Context of LDAP Application ID
The check for group membership, configured by the LDAP_GROUP_CHECK option, was done in the context of the user account that was logging on. However, the user account might not have permission to query its LDAP groups.
The logic has been enhanced: if an LDAP application ID is specified (with the LDAP_APPLICATION_ID option in the SUBSYSTEM USER_AUTH LDAP block in ctsrvr.cfg), the server now performs the LDAP_GROUP_CHECK in the context of that application ID. This is consistent with what is already done for the LDAP_ISAM_ALLOWED_GROUP and LDAP_SQL_ALLOWED_GROUP options.
When LDAP_APPLICATION_ID is specified, you MUST also use LDAP_KEY_STORE to specify an application password; otherwise the application authentication will fail.
Note: When LDAP_APPLICATION_ID is not specified, the logic behaves as before, using the current user ID for the lookup.
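The following is an added example, not FairCom's code: an in-memory model of how the LDAP_GROUP_CHECK option from Example 2 resolves user3's groups from the faircom.ldif data above, and of why the lookup must run as LDAP_APPLICATION_ID rather than as the logging-on user. The ACL (only the application ID may read ou=groups) is an assumption chosen to reproduce the permission problem described in this section; the function names are hypothetical.

```python
# Added example, not FairCom's code: in-memory model of how LDAP_GROUP_CHECK
# resolves a user's groups and why it must run as LDAP_APPLICATION_ID.
import re

BASE = "dc=faircom,dc=com"
APP_DN = "cn=ctreesql,ou=applications," + BASE
OPT = "{attr:member}{base:ou=groups,dc=faircom,dc=com}{filter:(objectclass=groupOfNames)}"

def user_dn(uid):  # LDAP_PREFIX cn= plus LDAP_BASE ou=people,dc=faircom,dc=com
    return "cn=%s,ou=people,%s" % (uid, BASE)

# Group entries transcribed from the faircom.ldif example on this page.
_MEMBERS = {"dev": "23", "support": "123", "qa": "123", "it": "45",
            "ctreeisamusers": "12345", "ctreesqlusers": "12345"}
DIRECTORY = [{"dn": "cn=%s,ou=groups,%s" % (cn, BASE), "objectclass": "groupOfNames",
              "cn": cn, "member": [user_dn("user" + n) for n in ns]}
             for cn, ns in _MEMBERS.items()]

def can_read(bind_dn, entry_dn):
    """Assumed ACL (not from the page): only the application ID may read ou=groups."""
    return bind_dn == APP_DN or not entry_dn.endswith("ou=groups," + BASE)

def parse_group_check(opt):
    """Split '{attr:member}{base:...}{filter:...}' into its three parts."""
    return dict(re.findall(r"\{(attr|base|filter):([^}]*)\}", opt))

def group_check(bind_dn, uid, opt):
    """Search <base> for entries matching <filter> whose <attr> holds the user's DN;
    return the group names as c-tree stores them in FAIRCOM.FCS (upper case)."""
    p = parse_group_check(opt)
    oc = re.fullmatch(r"\(objectclass=([^)]+)\)", p["filter"], re.I).group(1)
    groups = []
    for e in DIRECTORY:
        if not e["dn"].endswith(p["base"]):
            continue
        if not can_read(bind_dn, e["dn"]):  # user context: fails without read rights
            raise PermissionError("%s cannot read %s" % (bind_dn, e["dn"]))
        if e["objectclass"].lower() == oc.lower() and user_dn(uid) in e[p["attr"]]:
            groups.append(e["cn"].upper())
    return sorted(groups)

def logon_allowed(bind_dn, uid, allowed_group_dn):
    """LDAP_ISAM_ALLOWED_GROUP / LDAP_SQL_ALLOWED_GROUP: user must be in that group."""
    cn = re.match(r"cn=([^,]+)", allowed_group_dn).group(1).upper()
    return cn in group_check(bind_dn, uid, OPT)

if __name__ == "__main__":
    print(group_check(APP_DN, "user3", OPT))  # same groups as the FAIRCOM.FCS row above
```

Calling group_check with user_dn("user3") as the bind DN instead of APP_DN raises PermissionError, which is the pre-enhancement failure mode this section addresses.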
See also: