{"id":150,"date":"2015-08-10T17:18:39","date_gmt":"2015-08-10T17:18:39","guid":{"rendered":"http:\/\/ldapcon.org\/2015\/?page_id=150"},"modified":"2015-11-23T19:17:22","modified_gmt":"2015-11-23T19:17:22","slug":"introducing-a-security-access-control-engine-that-resides-in-openldap","status":"publish","type":"page","link":"https:\/\/ldapcon.org\/2015\/accepted-papers\/introducing-a-security-access-control-engine-that-resides-in-openldap\/","title":{"rendered":"Introducing a Security Access Control Engine that resides in OpenLDAP"},"content":{"rendered":"<h1>Introducing a Security Access Control Engine that resides in OpenLDAP<\/h1>\n<p><em>Shawn McKinney<\/em><\/p>\n<h2>Abstract<\/h2>\n<p>The OpenLDAP Accelerator is a security Policy Decision Point (PDP) that resides inside the <em>slapd<\/em> process to allow better functionality\/performance than otherwise would be possible. This presentation introduces the new technology that is based on LDAPv3 extended operations, its rationale, and how it works. We&#8217;ll explore the idea of protocol standardization to promote interoperability across directory implementations. At the end will be a live demo to illustrate the value proposition of this unique design.<\/p>\n<h3>Outline<\/h3>\n<ol>\n<li>Introduction<\/li>\n<li>Rationale\n<ul>\n<li style=\"padding-left: 30px;\">functionality<\/li>\n<li style=\"padding-left: 30px;\">performance<\/li>\n<li style=\"padding-left: 30px;\">practicality<\/li>\n<\/ul>\n<\/li>\n<li>System Architecture<\/li>\n<li>Client-Side Components\n<ul>\n<li style=\"padding-left: 30px;\">Policy Enforcement Points (PEP):<\/li>\n<li style=\"padding-left: 30px;\">Java<\/li>\n<li style=\"padding-left: 30px;\">C<\/li>\n<li style=\"padding-left: 30px;\">Python<\/li>\n<li style=\"padding-left: 30px;\">&#8230;<\/li>\n<\/ul>\n<\/li>\n<li>Server Side Component\n<ul>\n<li style=\"padding-left: 30px;\">PDP:<\/li>\n<li style=\"padding-left: 30px;\">OpenLDAP slapo-rbac Overlay<\/li>\n<\/ul>\n<\/li>\n<li>Functional Model\n<ul>\n<li style=\"padding-left: 30px;\">IETF Draft Proposal<\/li>\n<li style=\"padding-left: 30px;\">LDAPv3 Extended Operations<\/li>\n<li style=\"padding-left: 30px;\">RBAC System Functions:<\/li>\n<li style=\"padding-left: 30px;\">createSession<\/li>\n<li style=\"padding-left: 30px;\">checkAccess<\/li>\n<li style=\"padding-left: 30px;\">addActiveRole<\/li>\n<li style=\"padding-left: 30px;\">dropActiveRole<\/li>\n<li style=\"padding-left: 30px;\">userRoles<\/li>\n<li style=\"padding-left: 30px;\">sessionPermissions<\/li>\n<\/ul>\n<\/li>\n<li>Logical Model\n<ul>\n<li style=\"padding-left: 30px;\">IETF Draft Proposal (first discussed at ldapcon2013)<\/li>\n<li style=\"padding-left: 30px;\">RBAC Entities:<\/li>\n<li style=\"padding-left: 30px;\">Users<\/li>\n<li style=\"padding-left: 30px;\">Roles<\/li>\n<li style=\"padding-left: 30px;\">Permissions<\/li>\n<li style=\"padding-left: 30px;\">Sessions<\/li>\n<li style=\"padding-left: 30px;\">Audit Log<\/li>\n<\/ul>\n<\/li>\n<li>Management of Data and Policies\n<ul>\n<li style=\"padding-left: 30px;\">Apache Fortress Core<\/li>\n<\/ul>\n<\/li>\n<li>Performance\n<ul>\n<li style=\"padding-left: 30px;\">&lt; 1ms response time under load<\/li>\n<\/ul>\n<\/li>\n<li>Demo\n<ul>\n<li style=\"padding-left: 30px;\">Micro-Benchmark<\/li>\n<li style=\"padding-left: 30px;\">Use Cases<\/li>\n<li style=\"padding-left: 30px;\">Audit Trail<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n<h2>Biography<\/h2>\n<p>System Architect at Symas. Member of the OpenLDAP Engineering Team. Apache Directory PMC.<\/p>\n<h2>Presentation<\/h2>\n<p><a href=\"http:\/\/ldapcon.org\/2015\/wp-content\/uploads\/2015\/09\/McKinney-Openldap-Accelerator-LdapCon-2015-v4.pdf\">Introducing a Security Access Control Engine that resides in OpenLDAP<\/a> &#8211; slides<\/p>\n<div id=\"attachment_568\" style=\"width: 142px\" class=\"wp-caption alignnone\"><a href=\"http:\/\/ldapcon.org\/2015\/wp-content\/uploads\/2015\/08\/ps100_02026.jpg\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-568\" class=\"size-medium wp-image-568\" src=\"http:\/\/ldapcon.org\/2015\/wp-content\/uploads\/2015\/08\/ps100_02026-132x300.jpg\" alt=\"Shawn McKinney\" width=\"132\" height=\"300\" srcset=\"https:\/\/ldapcon.org\/2015\/wp-content\/uploads\/2015\/08\/ps100_02026-132x300.jpg 132w, https:\/\/ldapcon.org\/2015\/wp-content\/uploads\/2015\/08\/ps100_02026.jpg 383w\" sizes=\"auto, (max-width: 132px) 100vw, 132px\" \/><\/a><p id=\"caption-attachment-568\" class=\"wp-caption-text\">Shawn McKinney<\/p><\/div>\n<p>&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Introducing a Security Access Control Engine that resides in OpenLDAP Shawn McKinney Abstract The OpenLDAP Accelerator is a security Policy Decision Point (PDP) that resides inside the slapd process to allow better functionality\/performance than otherwise would be possible. This presentation&#8230; <a class=\"read-more-button\" href=\"https:\/\/ldapcon.org\/2015\/accepted-papers\/introducing-a-security-access-control-engine-that-resides-in-openldap\/\">(READ MORE)<\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"parent":76,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"template-without-title.php","meta":{"footnotes":""},"class_list":["post-150","page","type-page","status-publish","hentry"],"jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ldapcon.org\/2015\/wp-json\/wp\/v2\/pages\/150","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ldapcon.org\/2015\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/ldapcon.org\/2015\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/ldapcon.org\/2015\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/ldapcon.org\/2015\/wp-json\/wp\/v2\/comments?post=150"}],"version-history":[{"count":7,"href":"https:\/\/ldapcon.org\/2015\/wp-json\/wp\/v2\/pages\/150\/revisions"}],"predecessor-version":[{"id":569,"href":"https:\/\/ldapcon.org\/2015\/wp-json\/wp\/v2\/pages\/150\/revisions\/569"}],"up":[{"embeddable":true,"href":"https:\/\/ldapcon.org\/2015\/wp-json\/wp\/v2\/pages\/76"}],"wp:attachment":[{"href":"https:\/\/ldapcon.org\/2015\/wp-json\/wp\/v2\/media?parent=150"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}