Posted to user@syncope.apache.org by Philip Brusten <ph...@kuleuven.be> on 2021/06/21 08:08:49 UTC
Temporarily assign attribute in OpenLDAP / membership in AD
Hi Syncope
we are evaluating Syncope to provision certain accounts to an OpenLDAP &
AD directory service.
We managed to provision an account to OpenLDAP and populate a certain
LDAP-attribute with the value of a privilege. The privileges are linked
to a role and the user is assigned to that role.
This is all working fine, however we would like to add a start & end
time constraint to such a role assignment. Well, in fact we want the
(privilege) attribute in OpenLDAP to be present for a certain amount of
time (can be different for each user) and then be removed. How can we
add this time constraint to Syncope (via a group or role or custom
policy, etc.)?
We would like to achieve the same thing for membership of Active
Directory groups. We would like to make accounts temporarily a member of
an AD group.
Thank you for the feedback & advice!
Philip
Re: Temporarily assign attribute in OpenLDAP / membership in AD
Posted by Marco Di Sabatino Di Diodoro <ma...@tirasa.net>.
Hi Philip,
glad of your interest in Apache Syncope.
On 21/06/21 10:08, Philip Brusten wrote:
> Hi Syncope
>
> we are evaluating Syncope to provision certain accounts to an OpenLDAP
> & AD directory service.
>
> We managed to provision an account to OpenLDAP and populate a certain
> LDAP-attribute with the value of a privilege. The privileges are
> linked to a role and the user is assigned to that role.
>
> This is all working fine, however we would like to add a start & end
> time constraint to such a role assignment. Well, in fact we want the
> (privilege) attribute in OpenLDAP to be present for a certain amount of
> time (can be different for each user) and then be removed. How can we
> add this time constraint to Syncope (via a group or role or custom
> policy, etc.)?
>
> We would like to achieve the same thing for membership of Active
> Directory groups. We would like to make accounts temporarily a member
> of an AD group.
There are several options:
* Group and membership attributes: do not use roles but only groups to
define your privileges. Through the assignment of a group to a user,
you can define membership attributes that indicate privileges and the
start and end date of the assignment [1].
* User and AnyObject: use any objects to represent privileges. Each
user can have one or more any objects assigned. In addition to the
attributes that describe the privileges, the any object will also
have a start and end date of assignment [2].
* User and Role: you cannot define a start and end date inside a role.
The only thing you can do is use a JSON-type attribute (of the user)
in which to model this information:

    {"privilege": {
        "RoleA": {"start": "01-07-2021", "end": "01-07-2021"},
        "RoleB": {"start": "06-07-2021", "end": "01-08-2021"},
        "RoleC": {"start": "01-07-2021", "end": "01-12-2022"}
    }}
For each option, you will need to implement a scheduled task that checks
the assignment and removal of privileges based on the start or end date.
In addition, it may also be necessary to implement a propagation action.
[1]
https://syncope.apache.org/docs/2.1/reference-guide.html#users-groups-and-any-objects
[2]
https://syncope.apache.org/docs/2.1/reference-guide.html#relationshiptype
Regards
M
>
> Thank you for the feedback & advice!
>
> Philip
--
Dott. Marco Di Sabatino Di Diodoro
Tel. +39 3939065570
Tirasa S.r.l.
Viale Vittoria Colonna, 97 - 65127 Pescara
Tel +39 0859116307 / FAX +39 0859111173
http://www.tirasa.net
Apache Syncope PMC Member
http://people.apache.org/~mdisabatino/
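The third option in the reply above (a JSON attribute on the user plus a scheduled task that adds and removes roles by date) is illustrated below with an added example that is not part of the thread and not Syncope's own code: it is written in Python rather than Java to show only the reconciliation logic such a task would run per user, with the attribute shape and the DD-MM-YYYY dates taken from the reply. Assumptions: start and end are inclusive; the task is handed the set of roles it is allowed to manage (`managed_roles`) so that permanently assigned roles are never touched; entries with missing or unparsable dates are treated as never active, so a typo can neither grant nor extend a privilege. The sample attribute value is constructed for the example.

```python
"""Time-bound role reconciliation from a JSON user attribute (added example).

Not Syncope code: this is the per-user computation a scheduled task would do
before issuing role add/remove operations to Syncope (and, through propagation,
to the LDAP attribute or AD group membership). DD-MM-YYYY follows the thread.
"""
import json
from datetime import date, datetime

DATE_FMT = "%d-%m-%Y"  # format used in the mailing-list reply (assumption)

# Constructed sample: the three roles from the reply plus one malformed entry.
SAMPLE_ATTR = json.dumps({"privilege": {
    "RoleA": {"start": "01-07-2021", "end": "01-07-2021"},
    "RoleB": {"start": "06-07-2021", "end": "01-08-2021"},
    "RoleC": {"start": "01-07-2021", "end": "01-12-2022"},
    "RoleX": {"start": "2021-07-01", "end": "bogus"},  # wrong format: never active
}})


def _parse_date(value):
    """Parse one DD-MM-YYYY string; None for anything that does not parse."""
    try:
        return datetime.strptime(value, DATE_FMT).date()
    except (TypeError, ValueError):
        return None


def parse_privileges(attr_json):
    """Return {role: (start, end)} for every well-formed entry.

    Fail closed: unparsable JSON yields {}, and an entry with a missing,
    malformed or inverted window is dropped rather than guessed at.
    """
    try:
        privileges = json.loads(attr_json).get("privilege", {})
    except (ValueError, AttributeError):
        return {}
    if not isinstance(privileges, dict):
        return {}
    parsed = {}
    for role, window in privileges.items():
        if not isinstance(window, dict):
            continue
        start = _parse_date(window.get("start"))
        end = _parse_date(window.get("end"))
        if start is not None and end is not None and start <= end:
            parsed[role] = (start, end)
    return parsed


def active_roles(attr_json, today):
    """Roles whose inclusive [start, end] window contains `today`."""
    return {role for role, (start, end) in parse_privileges(attr_json).items()
            if start <= today <= end}


def reconcile(attr_json, current_roles, managed_roles, today):
    """Compute (to_add, to_remove) for one user on a given day.

    Only roles in `managed_roles` are ever added or removed, so roles assigned
    for other reasons are untouched. A managed role that disappears from the
    attribute entirely is still removed, because it is no longer desired.
    Sorted lists keep the task's log lines deterministic.
    """
    managed = set(managed_roles)
    desired = active_roles(attr_json, today) & managed
    current = set(current_roles) & managed
    return sorted(desired - current), sorted(current - desired)


if __name__ == "__main__":
    managed = ["RoleA", "RoleB", "RoleC", "RoleX"]
    held = ["RoleA", "RoleB", "Permanent"]  # constructed current assignment
    for day in (date(2021, 7, 1), date(2021, 7, 10), date(2021, 8, 2), date(2022, 12, 2)):
        add, remove = reconcile(SAMPLE_ATTR, held, managed, day)
        print(f"{day:%d-%m-%Y}: add={add} remove={remove}")
```

Run daily (or more often, if the windows are short) the same pair of lists drives both targets: the role changes reach the OpenLDAP privilege attribute and the AD group membership through the ordinary propagation path, so no second copy of the date logic is needed per resource. The fail-closed parsing is deliberate: in a privilege-granting attribute, a badly formed end date must mean "not active", never "active forever".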