LDAP Groups support for zone permissions

[pasikarkkainen]

It seems currently dns-ui supports granting full system admin access if user belongs to configured ldap group ("admin_group_cn").

Are there any plans to extend similar ldap groups feature for per-zone permissions? It'd be nice to be able to give members of specified ldap group(s) access to the given zone, at specified permission level.

for zone1, add multiple entries like:

• members of ldap group "zone1_admins" get admin level access to zone1.
• members of ldap group "zone1_operators" get operator level access to zone1.
• members of ldap group "foo_admins" get admin level access to zone1.

for zone2, add multiple entries like:

• members of ldap group "zone2_admins" get admin level access to zone2.
• members of ldap group "zone2_operators" get operator level access to zone2.
• members of ldap group "bar_admins" get admin level access to zone2.

and so on.. Thoughts?

[thomas-pike]

No current plans, but it's a good idea.

[pasikarkkainen]

I think so too :) Do you have any suggestions/requirements for the implementation, if I try giving it a go?

[thomas-pike]

Well I should warn that it's probably quite a big task.

The list of group memberships is already being fetched whenever $user->get_details_from_ldap() is called (see lines 135-139 of model/user.php), but we are not currently storing anything beyond the admin flag from that data. To implement this (without having to query the LDAP server on every page load) the list of group memberships would need to be stored locally by that function, which means adding a table in the database to store this.

Another new table, or a redesign of the existing zone_access table would also be needed for storing the group access rules.

The $zone->list_access(), $user->access_to() and $user->list_admined_zones() functions would need updating to take into account the group rules.

And obviously the UI needs to be updated to allow adding/viewing the group rules.