Comments (11)
Thanks, mate.
What is MemberOf overlay? Is there any spec?
By "import identities" do you mean pre-create users on configuration? How about credentials, where would those come from? Or you mean by creating those identities upfront you'd set some properties which otherwise would not come from IAM?
Thanks for trying this, let me know if any practical improvements are required or feel free to create pull request.
Cheers,
Denis
From: teemleht <[email protected]>
To: denismo/aws-iam-ldap-bridge [email protected]
Sent: Thursday, 10 November 2016, 17:11
Subject: [denismo/aws-iam-ldap-bridge] MemberOf overlay or import on group basis (#25)
This project seems very interesting and been thinking of couple use cases for this already.One challenge I've ran into is that the ApacheDS does not have MemberOf overlay that would benefit many group related authorizations on the client side.Alternatively ability to just import identities on group basis would be acceptable workaround.On securing my instance I've modified the config file to bind the service to loopback address as in my scenario I don't want to build a central directory, but have each server their own directory. This takes care of most of the security challenges as you would need access to the host in order to compromize anything and I'm not using the directory to gran access on the host by authorizing identities to use an application on the host
Thanks a lot for this it has been most usefull even as it is.
Teemuβ
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub, or mute the thread.
from aws-iam-ldap-bridge.
Thanks Denismo for very quick response !
memeberOf overlay performs some automatic populations of data to objects. For example Windows AD has this enabled automatically. Also OpenLDAP can be enabled with it. In essence in case of groups it adds memberOf = items automatically to uid DNs so that you can get the group memberships of a DN automatically without needing to traverse all the possible groups and check if there is a memeberuid object with the uid of the user.
Here's one link to instructions how to enable it on openldap:
http://www.schenkels.nl/2013/03/how-to-setup-openldap-with-memberof-overlay-ubuntu-12-04/
I also found these threads/links mentioning memeberOf overlay and Apache DS:
https://community.qlik.com/thread/157360
http://abeytom.blogspot.fi/2012/08/setup-apache-ds-to-mirror-active.html
A lot of application rely on this functionality as it makes checking group memebership so much easier.
Teemu
from aws-iam-ldap-bridge.
Just talked to a friend of mine who has more experince on LDAP.
According to him Apache DS does not have a plugin that can be usedto populate data to the memberOf attributes even if you add it to the schema. We might be wrong here.
I guess the folowing approaches could be used: either import just users from a particular IAM group instead of the whole tree or change ApacheDS to OpenLDAP where enabling memeberOf overlay is supported.
Teemu
from aws-iam-ldap-bridge.
Not sure I understand. The plugin I wrote populates users and groups, so why can't it set memberOf as an attribute not as an overlay, on users?
Denis
On 11 Nov. 2016, at 6:06 pm, teemleht [email protected] wrote:
Just talked to a friend of mine who has more experince on LDAP.
According to him Apache DS does not have a plugin that can be usedto populate data to the memberOf attributes even if you add it to the schema. We might be wrong here.
I guess the folowing approaches could be used: either import just users from a particular IAM group instead of the whole tree or change ApacheDS to OpenLDAP where enabling memeberOf overlay is supported.
Teemu
β
You are receiving this because you commented.
Reply to this email directly, view it on GitHub, or mute the thread.
from aws-iam-ldap-bridge.
Hi,
Absolutely the plugin could populate the memberOf attribute the same time. It would need to do quite a lot of work to do it though as it would need to manage changes in group memeberships as they take place in the IAM side.
Teemu
from aws-iam-ldap-bridge.
I'm working on building the memberOf into this.
This functionality requires modification of the schema.
Would appreciate a hint on where to add the ldiff that puts the needed schema additions.
Thanks
from aws-iam-ldap-bridge.
I've actually implemented it. Take a look at the branch feature/25-memberof
. Something is not working during subsequent update - ApacheDS is giving me a hard time with strange errors, but it's almost there I think. It has the schema changes as well as the code.
from aws-iam-ldap-bridge.
Hi Teemu,
I've finished implementing and testing the change. Would you be able to perform the validation?
https://s3-ap-southeast-2.amazonaws.com/aws-iam-apacheds/apacheds-0.2.3.zip
Thanks,
Denis
from aws-iam-ldap-bridge.
Good Morning Denis,
I actually pulled the code last friday and tested it. At least my use-cases worked nicely:
- initial pull of users resulted in correct atributes for users
- adding new user resulted correct attributes for the user
- deleting user resulted in correct deletion of a user
- adding group to the user resulted correct addition of the attributes
- removing group from a user resulted in correct deletion of the attributes.
really nice work !
Kind regards
Teemu
from aws-iam-ldap-bridge.
Thanks, appreciate the effort. I'll make a release on the weekend.
BTW, which tool makes use of the memberOf attribute?
from aws-iam-ldap-bridge.
Excellent and welcome.
I'm using OpenVPN to authenticate users with this.
This allows creating IAM identities that belong to a group but no additional IAM rights.
The LDAP server runs on the same host as the OpenVPN server and uses localhost:10389 as ldapserver.
Next step is to make the installation of apache DS automatic and configuration of OpenVPN ....
you might want to check the apacheds.sh script linefeeds.
When I used your copy of the zip instead of building my own zip (I have MAC) the script had dos linefeeds instead of unix.
Thanks a lot for this !
Kind regards
Teemu
from aws-iam-ldap-bridge.
Related Issues (20)
- Create embedded runner HOT 1
- Can not use Apache Directory Studio with bundled ApacheDS HOT 9
- Clarification on the project HOT 12
- is it possible to auth against IAM password? HOT 16
- AMI says ldapsearch not found / user home directories not populated HOT 1
- Authentication fails for users configured with MFA HOT 3
- Users with no access key, no password are imported
- Groups not updating properly in LDAP HOT 17
- Can not bind via users after building from src HOT 5
- Could not find public AMIs HOT 12
- Publish build artifacts to Github Releases HOT 3
- a silly question HOT 2
- If the User doesn't have an accessKey, that User would be deleted and created repeatly.
- Support for new AWS CLI profile
- Propagate the access/secret keys into logged in session HOT 1
- Add ACLs - only admin user should be able to enumerate other users, groups and roles HOT 1
- Performance of reading IAM accounts
- Is this project goint to be developed? HOT 7
- Create AMI with pre-installed LDAP as a service HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
π Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. πππ
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google β€οΈ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from aws-iam-ldap-bridge.