Posted to user@syncope.apache.org by Philip Brusten <ph...@kuleuven.be> on 2021/06/21 08:08:49 UTC

Temporarily assign attribute in OpenLDAP / membership in AD

Hi Syncope

we are evaluating Syncope to provision certain accounts to an OpenLDAP & 
AD directory service.

We managed to provision an account to OpenLDAP and populate a certain 
LDAP-attribute with the value of a privilege. The privileges are linked 
to a role and the user is assigned to that role.

This is all working fine, however we would like to add a start & end 
time constraint to such a role assignment. Well in fact we want the 
(privilege)attribute in OpenLDAP to be present for a certain amount of 
time (can be different for each user) and then be removed. How can we 
add this time constraint to Syncope (via a group or role or custom 
policy, etc.)?

We would like to achieve the same thing for membership of Active 
Directory groups. We would like to make accounts temporarily a member of 
an AD group.

Thank you for the feedback & advice!

Philip
Re: Temporarily assign attribute in OpenLDAP / membership in AD

Posted by Marco Di Sabatino Di Diodoro <ma...@tirasa.net>.
Hi Philip,

glad of your interest in Apache Syncope.

On 21/06/21 10:08, Philip Brusten wrote:
> Hi Syncope
>
> we are evaluating Syncope to provision certain accounts to an OpenLDAP 
> & AD directory service.
>
> We managed to provision an account to OpenLDAP and populate a certain 
> LDAP-attribute with the value of a privilege. The privileges are 
> linked to a role and the user is assigned to that role.
>
> This is all working fine, however we would like to add a start & end 
> time constraint to such a role assignment. Well in fact we want the 
> (privilege)attribute in OpenLDAP to be present for a certain amount of 
> time (can be different for each user) and then be removed. How can we 
> add this time constraint to Syncope (via a group or role or custom 
> policy, etc.)?
>
> We would like to achieve the same thing for membership of Active 
> Directory groups. We would like to make accounts temporarily a member 
> of an AD group.

There are several options:

  * Group and membership attributes: do not use roles but only groups to
    define your privileges. Through the assignment of a group to a user,
    you can define membership attributes that indicate privileges, date
    of start and end of assignment [1].
  * User and AnyObject: use anyobjects to represent privileges. Each
    user can have one or more anyobjects assigned. In addition to the
    attributes that describe the privileges, the anyobject will also
    have a start and end date of assignment [2].
  * User and Role: you cannot define a start and end date inside a role.
    The only thing you can do is use a JSON type attribute (of the user)
    which models this information.

{
  "privilege": {
    "RoleA": { "start": "01-07-2021", "end": "01-07-2021" },
    "RoleB": { "start": "06-07-2021", "end": "01-08-2021" },
    "RoleC": { "start": "01-07-2021", "end": "01-12-2022" }
  }
}

For each option, you will need to implement a scheduled task that checks 
the assignment and removal of privileges based on the start or end date. 
In addition, it may also be necessary to implement a propagation action.

[1] 
https://syncope.apache.org/docs/2.1/reference-guide.html#users-groups-and-any-objects
[2] 
https://syncope.apache.org/docs/2.1/reference-guide.html#relationshiptype

Regards
M

>
> Thank you for the feedback & advice!
>
> Philip
-- 
Dott. Marco Di Sabatino Di Diodoro
Tel. +39 3939065570

Tirasa S.r.l.
Viale Vittoria Colonna, 97 - 65127 Pescara
Tel +39 0859116307 / FAX +39 0859111173
http://www.tirasa.net

Apache Syncope PMC Member
http://people.apache.org/~mdisabatino/
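As an added illustration of the third option in the reply above (not code from the thread or from Apache Syncope itself), the following Python sketch shows the core logic such a scheduled task would need: parse the JSON privilege attribute, work out which privileges are active on a given day, and diff that against the values currently present on the target (e.g. the OpenLDAP attribute or the AD group memberships) to obtain what must be added and what must be removed. It assumes the dates in the JSON are day-month-year and that the end date is inclusive; the function names, the "current values" set and the reference dates are constructed for this example, and the actual write to LDAP/AD is left to Syncope's propagation layer, as the reply suggests.

```python
import json
from datetime import date, datetime

# Assumption: the dates in the thread's JSON are day-month-year (Italian convention).
DATE_FORMAT = "%d-%m-%Y"

# The JSON from the reply, embedded here as a constructed sample attribute value.
SAMPLE_ATTR = """{
  "privilege": {
    "RoleA": { "start": "01-07-2021", "end": "01-07-2021" },
    "RoleB": { "start": "06-07-2021", "end": "01-08-2021" },
    "RoleC": { "start": "01-07-2021", "end": "01-12-2022" }
  }
}"""


def parse_privileges(attr_value: str) -> dict:
    """Parse the JSON attribute into {role: (start, end)} with date objects.

    Rejects malformed windows (end before start) so a typo in the attribute
    cannot silently grant a privilege forever or never.
    """
    data = json.loads(attr_value)
    windows = {}
    for role, window in data["privilege"].items():
        start = datetime.strptime(window["start"], DATE_FORMAT).date()
        end = datetime.strptime(window["end"], DATE_FORMAT).date()
        if end < start:
            raise ValueError(f"{role}: end date {end} is before start date {start}")
        windows[role] = (start, end)
    return windows


def active_privileges(windows: dict, today: date) -> set:
    """Privileges whose window covers 'today' (both bounds inclusive, by assumption)."""
    return {role for role, (start, end) in windows.items() if start <= today <= end}


def plan_changes(attr_value: str, current_values: set, today: date) -> dict:
    """Compute what the scheduled task must add to / remove from the target.

    'current_values' is the set of privilege values currently present on the
    external resource (LDAP attribute values or AD group memberships).
    Removing stale entries is as important as adding new ones: a forgotten
    removal is exactly the privilege-creep the time constraint is meant to stop.
    """
    desired = active_privileges(parse_privileges(attr_value), today)
    return {
        "add": sorted(desired - current_values),
        "remove": sorted(current_values - desired),
    }


if __name__ == "__main__":
    # Constructed scenario: on 10 July 2021 the target still carries RoleA and RoleC.
    plan = plan_changes(SAMPLE_ATTR, {"RoleA", "RoleC"}, date(2021, 7, 10))
    print(plan)  # RoleA expired on 1 July, RoleB started on 6 July
```

The task would run this per user on a daily (or finer) schedule and hand the resulting add/remove sets to the propagation step; keeping the "remove" side explicit also makes it easy to log every revocation for later review.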