LDAP Schema for advanced access rules

Topic

LemonLDAP::NG is a powerful WebSSO engine that manages access through user attributes stored in an LDAP directory.

Standard attributes such as uid, cn or mail can be used to write access rules for protected web applications.

But sometimes we need more information! For example:

LDAP Schema

OID prefix

We plan to use this prefix: 1.3.6.1.4.1.10943.10.2.

The prefix 1.3.6.1.4.1.10943 is owned by LINAGORA (See http://www.iana.org/assignments/enterprise-numbers).

OpenLDAP schema

Add this file to the OpenLDAP schemas (an include directive in slapd.conf, or converted to LDIF for cn=config) and restart slapd. Every attribute listed in the objectClass must be declared as an attributetype above it: slapd refuses to start when a schema references an undefined attribute type, so check that the names match exactly before restarting.

#=======================================
# Schema for advanced SSO access rules
#
# Designed for OpenLDAP software
#   http://www.openldap.org
#
# Part of LemonLDAP::NG project
#   http://lemonldap.ow2.org
#
# Author: Clement OUDOT
#=======================================

#=======================================
# OID Prefix
# Registered in IANA database
#=======================================

objectIdentifier SSOOID 1.3.6.1.4.1.10943.10.2

#=======================================
# Attributes
#=======================================

# Application Name
attributetype ( SSOOID:1:1 NAME 'ssoName'
    DESC 'An application name'
    EQUALITY caseIgnoreMatch
    SUBSTR caseIgnoreSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

# Roles
attributetype ( SSOOID:1:2 NAME 'ssoRoles'
    DESC 'One or more roles'
    EQUALITY caseIgnoreMatch
    SUBSTR caseIgnoreSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

# Time profile
attributetype ( SSOOID:1:3 NAME 'ssoLogonHours'
    DESC 'Logon hours'
    EQUALITY caseIgnoreMatch
    SUBSTR caseIgnoreSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

# Start date
attributetype ( SSOOID:1:4 NAME 'ssoStartDate'
    DESC 'Start date'
    EQUALITY caseIgnoreMatch
    SUBSTR caseIgnoreSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

# End date
attributetype ( SSOOID:1:5 NAME 'ssoEndDate'
    DESC 'End date'
    EQUALITY caseIgnoreMatch
    SUBSTR caseIgnoreSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

#=======================================
# ObjectClasses
#=======================================

# SSO user
objectClass ( SSOOID:2:1 NAME 'ssoUser'
    DESC 'SSO extended information for a user'
    SUP top AUXILIARY
    MAY ( ssoName $ ssoRoles $ ssoLogonHours $ ssoStartDate $ ssoEndDate ) )

How to use it in LemonLDAP::NG

In LemonLDAP::NG Manager, go to General Parameters > Exported Variables and add one variable per attribute (the variable name on one side, the LDAP attribute name on the other). Save, then reload Apache and the Handler so the new configuration is applied. The attributes are then available in access rules as session variables ($ssoRoles, $ssoStartDate, and so on). Note that the schema stores every value as a plain DirectoryString: the directory does not validate the format of logon hours or dates, so agree on one format (for example YYYYMMDD) and have the rule reject values that do not match it rather than fail open.
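As an added example covering both the schema above and the exported-variables step (this is not code from LemonLDAP::NG or its documentation), the script below takes a constructed LDIF entry for a user of the ssoUser class, maps it through an exported-variables table the way the Handler does, and evaluates Perl access rules against the resulting session. The entry, the HHMM-HHMM and YYYYMMDD value formats, the helper functions in_logon_hours and in_validity_period, and the ';' separator are assumptions made here: the schema itself fixes none of them.

```perl
#!/usr/bin/perl
# Added example (not LemonLDAP::NG code): entry -> exported variables ->
# session -> Perl access rules. Value formats are assumptions; the schema
# stores every attribute as a plain DirectoryString.
use strict;
use warnings;
use POSIX qw(strftime mktime);

# Constructed LDIF entry for a user carrying the ssoUser auxiliary class.
# It can be loaded as is with: ldapadd -x -D <admin DN> -W -f user.ldif
my $ldif = <<'LDIF';
dn: uid=jdoe,ou=users,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: ssoUser
uid: jdoe
cn: John Doe
sn: Doe
ssoName: webmail
ssoRoles: user
ssoRoles: webmail-admin
ssoLogonHours: 0800-1800
ssoStartDate: 20240101
ssoEndDate: 20241231
LDIF

# Minimal LDIF reader (no line folding or base64): attribute => [values].
sub parse_ldif {
    my ($text) = @_;
    my %entry;
    for my $line ( split /\n/, $text ) {
        next if $line =~ /^\s*$/ or $line =~ /^#/;
        my ( $attr, $value ) = $line =~ /^([^:]+):\s*(.*)$/ or next;
        push @{ $entry{$attr} }, $value;
    }
    return \%entry;
}

# Exported variables as set in Manager > General Parameters > Exported
# Variables: session variable name => LDAP attribute name.
my %exported = (
    uid           => 'uid',
    ssoName       => 'ssoName',
    ssoRoles      => 'ssoRoles',
    ssoLogonHours => 'ssoLogonHours',
    ssoStartDate  => 'ssoStartDate',
    ssoEndDate    => 'ssoEndDate',
);

# Build the session hash; multi-valued attributes are joined with the
# multi-values separator (';' by default, check your own configuration).
sub build_session {
    my ( $entry, $sep ) = @_;
    $sep = ';' unless defined $sep;
    my %session;
    for my $var ( keys %exported ) {
        my $values = $entry->{ $exported{$var} } || [];
        $session{$var} = join $sep, @$values;
    }
    return \%session;
}

# Helpers the rules call (assumed here; a deployment would provide them as
# custom functions). The clock is overridable so runs are reproducible.
our $NOW = time;
sub today { return strftime( '%Y%m%d', localtime $NOW ) }

sub in_logon_hours {
    my ($spec) = @_;
    return 0 unless defined $spec and $spec =~ /^(\d{4})-(\d{4})$/;
    my ( $from, $to ) = ( $1, $2 );
    my $hhmm = strftime( '%H%M', localtime $NOW );
    return ( $from le $hhmm and $hhmm le $to ) ? 1 : 0;
}

sub in_validity_period {
    my ( $start, $end ) = @_;
    # Missing or malformed dates deny access instead of failing open.
    return 0 unless defined $start and $start =~ /^\d{8}$/;
    return 0 unless defined $end   and $end   =~ /^\d{8}$/;
    my $d = today();
    return ( $start le $d and $d le $end ) ? 1 : 0;
}

# Rules as typed in the Manager: Perl expressions over session variables.
my %rules = (
    '^/admin/' => '$ssoRoles =~ /(^|;)webmail-admin(;|$)/',
    default    => 'in_logon_hours($ssoLogonHours)'
                . ' and in_validity_period($ssoStartDate, $ssoEndDate)',
);

# Turn a rule into a sub by pointing every $name at the session hash.
sub compile_rule {
    my ($rule) = @_;
    ( my $code = $rule ) =~ s/\$(\w+)/\$s->{'$1'}/g;
    my $sub = eval "sub { my (\$s) = \@_; $code }";
    die "cannot compile rule '$rule': $@" if $@;
    return $sub;
}

# First URI regexp that matches wins, otherwise the default rule applies.
sub decide {
    my ( $uri, $session ) = @_;
    for my $re ( grep { $_ ne 'default' } sort keys %rules ) {
        return compile_rule( $rules{$re} )->($session) ? 'GRANT' : 'DENY'
            if $uri =~ /$re/;
    }
    return compile_rule( $rules{default} )->($session) ? 'GRANT' : 'DENY';
}

my $session = build_session( parse_ldif($ldif) );
print "ssoRoles in session: $session->{ssoRoles}\n";
for my $epoch ( mktime( 0, 0, 10, 15, 5, 124 ), mktime( 0, 0, 22, 15, 5, 124 ) ) {
    local $NOW = $epoch;
    my $when = strftime( '%Y-%m-%d %H:%M', localtime $NOW );
    printf "%s  %-8s %s\n", $when, $_, decide( $_, $session ) for '/', '/admin/';
}
```

Two points the run makes visible. The role test is anchored on the separator (`(^|;)webmail-admin(;|$)`) because the session holds the joined string "user;webmail-admin": a bare `/admin/` match would also accept a role named "not-admin". And only the first matching rule is applied, so the `^/admin/` rule above ignores logon hours and validity dates entirely; in a real configuration you would AND the time checks into every rule, or restrict them to the default rule only if every other rule is known to include them.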