LDAP Schema for advanced access rules
Topic
LemonLDAP::NG is a powerful WebSSO engine that manages access through user attributes stored in an LDAP directory.
We can use standard attributes like uid, cn or mail to describe access rules to protected web applications.
But sometimes we need more information, for example:
- An application name (to allow access by applications and not by
group of users)
- A start date and an end date (to open or close the service even if the
entry already exists)
- Logon hours (allowed hours and day of the week)
- One or more roles (to send to the protected applications)
LDAP Schema
OID prefix
We plan to use this prefix: 1.3.6.1.4.1.10943.10.2
The prefix 1.3.6.1.4.1.10943 is owned by LINAGORA
(see http://www.iana.org/assignments/enterprise-numbers).
OpenLDAP schema
Just add this file to OpenLDAP schemas:
#=======================================
# Schema for advanced SSO access rules
#
# Designed for OpenLDAP software
# http://www.openldap.org
#
# Part of LemonLDAP::NG project
# http://lemonldap.ow2.org
#
# Author: Clement OUDOT
#=======================================

#=======================================
# OID Prefix
# Registered in IANA database
#=======================================
objectIdentifier SSOOID 1.3.6.1.4.1.10943.10.2

#=======================================
# Attributes
#=======================================

# Application Name
attributetype ( SSOOID:1:1
    NAME 'ssoName'
    DESC 'An application name'
    EQUALITY caseIgnoreMatch
    SUBSTR caseIgnoreSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

# Roles
attributetype ( SSOOID:1:2
    NAME 'ssoRoles'
    DESC 'One or more roles'
    EQUALITY caseIgnoreMatch
    SUBSTR caseIgnoreSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

# Time profile
# NAME must match the name used in the ssoUser objectClass below
# (ssoLogonHours), otherwise slapd refuses to load the schema.
attributetype ( SSOOID:1:3
    NAME 'ssoLogonHours'
    DESC 'Logon hours'
    EQUALITY caseIgnoreMatch
    SUBSTR caseIgnoreSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

# Start date
attributetype ( SSOOID:1:4
    NAME 'ssoStartDate'
    DESC 'Start date'
    EQUALITY caseIgnoreMatch
    SUBSTR caseIgnoreSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

# End date
attributetype ( SSOOID:1:5
    NAME 'ssoEndDate'
    DESC 'End date'
    EQUALITY caseIgnoreMatch
    SUBSTR caseIgnoreSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

#=======================================
# ObjectClasses
#=======================================

# SSO user
objectClass ( SSOOID:2:1
    NAME 'ssoUser'
    DESC 'SSO extended information for a user'
    SUP top
    AUXILIARY
    MAY ( ssoName $ ssoRoles $ ssoLogonHours $
          ssoStartDate $ ssoEndDate ) )
How to use it in LemonLDAP::NG
In the LemonLDAP::NG Manager, go to General Parameters > Exported Variables and add these variables:
- ssoName => $ssoName
- ssoRoles => $ssoRoles
- ssoLogonHours => $ssoLogonHours
- ssoStartDate => $ssoStartDate
- ssoEndDate => $ssoEndDate
Save the configuration, then reload Apache and the Handler so the updated configuration is loaded.
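Exporting the variables only makes the attributes available in the session; the allow/deny decision itself is written as LemonLDAP::NG access rules, which are Perl expressions over those exported variables. The Python model below is an added example, not code from the LemonLDAP::NG project or from this page: it takes a constructed LDIF entry carrying the ssoUser class from the schema above and combines the four extra attributes motivated in the Topic section (application name, start/end date, logon hours, roles) into one decision. The value formats for ssoStartDate and ssoEndDate (YYYYMMDD) and for ssoLogonHours ("Mon-Fri 08:00-18:00", one window per value) are this example's assumptions, because the schema declares all of them as plain Directory Strings and fixes no format.

```python
from datetime import datetime

# Constructed sample entry (not taken from the page): an inetOrgPerson that also
# carries the ssoUser auxiliary class. Attribute names are the schema's; the
# date and logon-hours formats are this example's own convention (assumption).
SAMPLE_LDIF = """\
dn: uid=jdoe,ou=users,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: ssoUser
uid: jdoe
cn: John Doe
sn: Doe
mail: jdoe@example.com
ssoName: intranet
ssoName: wiki
ssoRoles: reader
ssoRoles: editor
ssoLogonHours: Mon-Fri 08:00-18:00
ssoStartDate: 20240101
ssoEndDate: 20241231
"""

DAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]


def parse_ldif_entry(text):
    """Parse one LDIF entry into {attribute (lowercased): [values]}.
    Deliberately minimal: no base64 ('::') values and no folded lines."""
    entry = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        entry.setdefault(name.strip().lower(), []).append(value.strip())
    return entry


def _parse_date(value):
    """YYYYMMDD -> date, or None when the stored value is malformed."""
    try:
        return datetime.strptime(value, "%Y%m%d").date()
    except ValueError:
        return None


def within_validity(entry, today):
    """Allow only from ssoStartDate to ssoEndDate (inclusive). A missing
    attribute is open-ended; a malformed value fails closed (deny)."""
    start = entry.get("ssostartdate")
    end = entry.get("ssoenddate")
    if start:
        d = _parse_date(start[0])
        if d is None or today < d:
            return False
    if end:
        d = _parse_date(end[0])
        if d is None or today > d:
            return False
    return True


def within_logon_hours(entry, now):
    """Allow if 'now' falls inside at least one ssoLogonHours window.
    No ssoLogonHours at all means no time-of-day restriction."""
    windows = entry.get("ssologonhours")
    if not windows:
        return True
    for window in windows:
        try:
            days, _, hours = window.partition(" ")
            first, _, last = days.partition("-")
            d0 = DAYS.index(first)
            d1 = DAYS.index(last) if last else d0
            h0, _, h1 = hours.partition("-")
            t0 = datetime.strptime(h0, "%H:%M").time()
            t1 = datetime.strptime(h1, "%H:%M").time()
        except ValueError:
            continue  # an unparsable window grants nothing
        if d0 <= now.weekday() <= d1 and t0 <= now.time() < t1:
            return True
    return False


def has_value(entry, attr, wanted):
    """Case-insensitive membership test on a multi-valued attribute."""
    return wanted.lower() in {v.lower() for v in entry.get(attr, [])}


def decide(entry, application, when, role=None):
    """Full decision: application listed in ssoName, optional role present in
    ssoRoles, inside the validity dates and inside the logon hours.
    'when' is an ISO 8601 string such as '2024-06-12 10:30'."""
    now = datetime.fromisoformat(when)
    if not has_value(entry, "ssoname", application):
        return False
    if role is not None and not has_value(entry, "ssoroles", role):
        return False
    return within_validity(entry, now.date()) and within_logon_hours(entry, now)


ENTRY = parse_ldif_entry(SAMPLE_LDIF)

if __name__ == "__main__":
    print(decide(ENTRY, "intranet", "2024-06-12 10:30"))  # True
    print(decide(ENTRY, "wiki", "2024-06-15 10:30"))      # False (Saturday)
```

Because the schema stores the dates as Directory String rather than Generalized Time, the directory accepts any text in ssoStartDate and ssoEndDate; the example therefore validates the format itself and treats an unparsable value as a denial, so a typo in the directory cannot silently widen access.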