PDP integration in Configserver
With the introduction of the configserver, all settings are relocated to the LDAP directory (ou=configuration,dc=didmos,dc=de). This includes all .ini files previously found in the core: through migrations, the .ini files have been translated into LDAP objects. Only configServer.ini, ldap.ini and pdp.ini are kept, since they contain the information about the structure and accessibility of the LDAP directory and the PDP that is needed before the configuration can be read from the directory at all.
To access the new configuration, suitable permissions need to be defined in the configserver section of the directory (ou=permissions,ou=pdp,ou=configuration,dc=didmos,dc=de) and linked to the roles a user can occupy (ou=roles,ou=pdp,ou=configuration,dc=didmos,dc=de). A permission names the space, section or parameter the role may operate on in rbacPermissionFilter, and the operation it may perform there in rbacOperation.
Moreover, the users that can be granted permissions on the configuration live in the configuration section of the directory rather than under the tenants, since they are service accounts rather than "normal" user accounts. A new such user therefore has to be created under ou=users,ou=pdp,ou=configuration,dc=didmos,dc=de.
Example of a read permission (the rbacName value must equal the value in the entry's RDN; an LDAP server rejects an add whose naming attribute value is missing from the entry with a naming violation):
dn: rbacName=read-permission-core,ou=permissions,ou=pdp,ou=configuration,dc=didmos,dc=de
objectClass: rbacPermission
objectClass: top
rbacName: read-permission-core
rbacRoleDN: rbacName=Config-User-Backend,ou=roles,ou=pdp,ou=configuration,dc=didmos,dc=de
rbacOperation: read
rbacPermissionFilter: (&(objectClass=didmosConfig)(ou:dn:=core))
Keep in mind that currently only basic permissions such as read or write on the different sections are configured; extending this should not pose any issues. Additionally, the global section of the configuration (ou=global,ou=configuration,dc=didmos,dc=de) should be available to every user, since it contains password policies and other account-relevant information.
Example workflow to create a new permission for a new user
As an example, create a permission for a user to access the ldap configuration:
- Create the user under ou=users,ou=pdp,ou=configuration,dc=didmos,dc=de. The LDIF below names the container ou=user; the DN has to match the container that actually exists in your directory, so check with ldapsearch before adding. The userPassword value is a base64-encoded {SSHA} hash taken from this example; replace it with a hash of your own, for instance one generated with OpenLDAP's slappasswd:
dn: didmosUUID=00000000-0000-0000-1100-000000000042,ou=user,ou=pdp,ou=configuration,dc=didmos,dc=de
objectClass: didmosPerson
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: rbacResource
objectClass: top
cn: Test
didmosUUID:: MDAwMDAwMDAtMDAwMC0wMDAwLTExMDAtMDAwMDAwMDAwMDQy
sn: User
didmosActivationStatus: TRUE
uid: Test-User
userPassword:: e1NTSEF9NlZnOVNCUzVTWi95YTYycU5OQURMUWZZTnVHWDc3bkQ=
- Create a new role for the user to occupy under ou=roles,ou=pdp,ou=configuration,dc=didmos,dc=de and add the user as rbacPerformer:
dn: rbacName=Test-Role,ou=roles,ou=pdp,ou=configuration,dc=didmos,dc=de
objectClass: rbacResource
objectClass: rbacRole
objectClass: top
rbacName: Test-Role
rbacDisplayName: Config-Admin
rbacPerformer: didmosUUID=00000000-0000-0000-1100-000000000042,ou=user,ou=pdp,ou=configuration,dc=didmos,dc=de
- Create the permission and link the role via rbacRoleDN:
dn: rbacName=test-permission,ou=permissions,ou=pdp,ou=configuration,dc=didmos,dc=de
objectClass: rbacPermission
objectClass: top
rbacName: test-permission
rbacRoleDN: rbacName=Test-Role,ou=roles,ou=pdp,ou=configuration,dc=didmos,dc=de
rbacOperation: read
rbacPermissionFilter: (&(objectClass=didmosConfig)(ou:dn:=ldap))
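The following is an added example, not code from didmos or its PDP: a small Python model of the permission chain built by the workflow above and by the read-permission example earlier on this page (user -> rbacPerformer -> role -> rbacRoleDN -> permission -> rbacPermissionFilter -> configuration entry). It parses the page's LDIF (folded lines and base64 "::" values included), resolves which roles a user occupies, and evaluates rbacPermissionFilter against a configuration entry, including the ":dn:" extensible match, which under RFC 4511 compares the value against every RDN of the entry's DN at any depth. The two configuration entries (cn=uri,ou=ldap,... and cn=debug,ou=core,...) are assumed for the demonstration; the sample LDIF is constructed from the page's entries, trimmed to the attributes the chain needs. How the real PDP evaluates filters may differ in detail; this shows the semantics a practitioner should expect from the filter syntax.

```python
"""Illustrative model of the configserver permission chain described above, not didmos PDP code:
user -(rbacPerformer)-> role -(rbacRoleDN)-> permission -(rbacPermissionFilter)-> config entry."""
import base64
import re

# Constructed sample directory: the page's user, role and permission entries (trimmed to the
# attributes the chain needs) plus two assumed configuration entries under ou=ldap and ou=core.
SAMPLE_LDIF = """\
dn: didmosUUID=00000000-0000-0000-1100-000000000042,ou=user,ou=pdp,ou=configur
 ation,dc=didmos,dc=de
didmosUUID:: MDAwMDAwMDAtMDAwMC0wMDAwLTExMDAtMDAwMDAwMDAwMDQy
uid: Test-User

dn: rbacName=Test-Role,ou=roles,ou=pdp,ou=configuration,dc=didmos,dc=de
objectClass: rbacRole
rbacName: Test-Role
rbacPerformer: didmosUUID=00000000-0000-0000-1100-000000000042,ou=user,ou=pdp,ou=configuration,dc=didmos,dc=de

dn: rbacName=test-permission,ou=permissions,ou=pdp,ou=configuration,dc=didmos,dc=de
objectClass: rbacPermission
rbacName: test-permission
rbacRoleDN: rbacName=Test-Role,ou=roles,ou=pdp,ou=configuration,dc=didmos,dc=de
rbacOperation: read
rbacPermissionFilter: (&(objectClass=didmosConfig)(ou:dn:=ldap))

dn: cn=uri,ou=ldap,ou=configuration,dc=didmos,dc=de
objectClass: didmosConfig
cn: uri

dn: cn=debug,ou=core,ou=configuration,dc=didmos,dc=de
objectClass: didmosConfig
cn: debug
"""
USER = "didmosUUID=00000000-0000-0000-1100-000000000042,ou=user,ou=pdp,ou=configuration,dc=didmos,dc=de"

def norm_dn(dn):
    """Case-fold a DN and drop spaces after commas so plain string comparison is safe."""
    return ",".join(p.strip() for p in dn.split(",")).lower()

def parse_ldif(text):
    """LDIF -> {normalized dn: {attr.lower(): [values]}}: unfolds continuation lines (leading
    space) and decodes base64 ('::') values such as didmosUUID and userPassword."""
    entries = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = []
        for line in block.splitlines():
            if line.startswith(" ") and lines:
                lines[-1] += line[1:]          # folded continuation of the previous line
            else:
                lines.append(line)
        attrs = {}
        for line in lines:
            name, _, value = line.partition(":")
            if value.startswith(":"):
                value = base64.b64decode(value[1:]).decode()
            attrs.setdefault(name.lower(), []).append(value.strip())
        entries[norm_dn(attrs["dn"][0])] = attrs
    return entries

def parse_filter(s):
    """Minimal RFC 4515 parser: '&' conjunctions and equality items, with the ':dn:' flag."""
    def parse(i):
        if s[i] != "(": raise ValueError("expected '(' at offset %d" % i)
        if s[i + 1] == "&":
            subs, i = [], i + 2
            while s[i] != ")":
                node, i = parse(i)
                subs.append(node)
            return ("&", subs), i + 1
        j = s.index(")", i)
        attr, value = s[i + 1:j].split("=", 1)
        dn_flag = attr.endswith(":dn:")   # dnAttributes=TRUE: RDN values of the DN match too
        return ("eq", (attr[:-4] if dn_flag else attr).lower(), value.lower(), dn_flag), j + 1
    return parse(0)[0]

def matches(node, dn, attrs):
    """Evaluate a parsed filter against one entry, given its DN and attribute map."""
    if node[0] == "&":
        return all(matches(n, dn, attrs) for n in node[1])
    _, attr, value, dn_flag = node
    values = [v.lower() for v in attrs.get(attr, [])]
    if dn_flag:  # (ou:dn:=ldap) is true for any entry with ou=ldap anywhere in its DN
        values += [p.split("=", 1)[1] for p in norm_dn(dn).split(",") if p.startswith(attr + "=")]
    return value in values

def permitted(entries, user_dn, operation, target_dn):
    """True if user_dn occupies a role whose permission allows `operation` on target_dn."""
    target = entries[norm_dn(target_dn)]
    roles = {dn for dn, e in entries.items() if "rbacrole" in map(str.lower, e.get("objectclass", []))
             and norm_dn(user_dn) in map(norm_dn, e.get("rbacperformer", []))}
    for e in entries.values():
        if ("rbacpermission" in map(str.lower, e.get("objectclass", []))
                and roles & set(map(norm_dn, e.get("rbacroledn", [])))
                and operation in e.get("rbacoperation", [])
                and any(matches(parse_filter(f), target_dn, target) for f in e.get("rbacpermissionfilter", []))):
            return True
    return False

if __name__ == "__main__":
    db = parse_ldif(SAMPLE_LDIF)
    for op, ou in [("read", "ldap"), ("write", "ldap"), ("read", "core")]:
        target = "cn=%s,ou=%s,ou=configuration,dc=didmos,dc=de" % ("uri" if ou == "ldap" else "debug", ou)
        print(op, target, "->", permitted(db, USER, op, target))
```

Running the block grants read on the ou=ldap entry and denies both write on it (rbacOperation is a plain string match) and read on the ou=core entry. The ":dn:" match is the part to be careful with when writing new filters: it tests every RDN of the entry's DN, so a filter such as (ou:dn:=configuration) would match every configuration entry, since ou=configuration is part of all their DNs.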