Using Dynamic groups for automatic granular autorization
In a larger environment with many users, administration of granular access rights, can be a tedious task. By utilizing the LDAP user and group backend in Nextcloud, several opportunities for smarter and more smooth user and user access right management is unlocked.
I encourage you to explore this module and I will not touch upon the many benefits of integrating to a LDAP service in the first place. This article is about further utilizing optional add-on capabilities of most modern enterprise ready LDAP services: groupOfURLs.
Disclaimer: I will focus on OpenLDAP in this article. First and foremost because this is what I use in my private infrastructure, hence is what my family Nextcloud instance integrates to. But also because it is open source and enterprise ready.
With groupOfURLs, LDAP returns a custom reply to queries, based on the syntax and search string you defines in the memberURL attribute.
Example:
memberURL = ldap:///ou=people,dc=domain,dc=com?entryDN?one?(givenName=Jo*)
LDAP:/// is defines the next to be an LDAP search query
The left side of the first ? mark is defining from which path:
ou=people,dc=domain,dc=com
The next value between the two ? marks defines the attribute from which the value to display in the member attribute. entryDN is the objects full DN. Choose mail, UID, entryGUID or whatever attribute of your choice.
The last value between the ? marks is the level. In the above case (one) it will look only directly underneath the given path, hence any sub-path objects will not be included.
The final part of the string is the actual LDAP filter. Any advanced LDAP filter can apply here. In this case it will return every object with givenName starting with Jo.
Example of other queries:
(&(|(!(entryDN=*ou=Test,ou=people,ou=domain,ou=com)(entryDN=*ou=ServiceAccounts,ou=people,ou=domain,ou=com)))(bussinessCategory=VIP))(employeeType=Regular))
Be aware though that the more complex you make your search query terms, the more resources your OpenLDAP instance will consume with each and every query that involves the groupOfURLs objects.
I use this to enable easy “birthrights” and something that resembles RBAC to my Nextcloud, by using both the employeeType attribute and the bussinessCategory attribute to dynamically grant memberships to template groups. I further utilizes nested groups where I have created a group for each and every app I have activated, shared folders, delegated administrative rights and so on.
Effective result
I need now to only maintain a single multi value string attribute for most of the access templates, and another attribute for most of the birthrights, without loosing the abality to maintain individually assigned rights to files, folders or apps.
Combine this with the PWM solution (GitHub - pwm-project/pwm: pwm) where there is a servicedesk module, and you have the power of:
- Highly customizable self servcie registration.
- Highly customizeable password selfservice.
- Servicedesk module.
And the PWM solution can be setup to use basically any kind of federation of your choice, hence you can use it as a “native” part of your Nextcloud with the external Change Password app, the External Forgot password App and with the External Sites app to create a seamless experience.