2016-10-15 19:57:04 +02:00
<!DOCTYPE html>
<html lang="en" dir="ltr">
<head>
<meta charset="utf-8" />
<title>documentation:2.0:rbac</title>
<meta name="generator" content="DokuWiki" />
<meta name="robots" content="index,follow" />
<meta name="keywords" content="documentation,2.0,rbac" />
<link rel="search" type="application/opensearchdescription+xml" href="lib/exe/opensearch.html" title="LemonLDAP::NG" />
<link rel="start" href="rbac.html" />
<link rel="contents" href="rbac.html" title="Sitemap" />
<link rel="stylesheet" type="text/css" href="lib/exe/css.php.t.bootstrap3.css" />
<!-- //if:usedebianlibs
<link rel="stylesheet" type="text/css" href="/javascript/bootstrap/css/bootstrap.min.css" />
//elsif:useexternallibs
<link rel="stylesheet" type="text/css" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/css/bootstrap.min.css" />
//elsif:cssminified
<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.min.css" />
//else -->
<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.css" />
<!-- //endif -->
<script type="text/javascript">/*<![CDATA[*/var NS='documentation:2.0';var JSINFO={"id":"documentation:2.0:rbac","namespace":"documentation:2.0"};
/*!]]>*/</script>
<script type="text/javascript" charset="utf-8" src="lib/exe/js.php.t.bootstrap3.js"></script>
<!-- //if:usedebianlibs
<script type="text/javascript" src="/javascript/jquery/jquery.min.js"></script>
//elsif:useexternallibs
<script type="text/javascript" src="http://code.jquery.com/jquery-2.2.0.min.js"></script>
//elsif:jsminified
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.min.js"></script>
//else -->
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.js"></script>
<!-- //endif -->
<!-- //if:usedebianlibs
<script type="text/javascript" src="/javascript/jquery-ui/jquery-ui.min.js"></script>
//elsif:useexternallibs
<script type="text/javascript" src="http://code.jquery.com/ui/1.10.4/jquery-ui.min.js"></script>
//elsif:jsminified
<script type="text/javascript" src="/static/bwr/jquery-ui/jquery-ui.min.js"></script>
//else -->
<script type="text/javascript" src="/static/bwr/jquery-ui/jquery-ui.js"></script>
<!-- //endif -->
</head>
<body>
<div class="dokuwiki export container">
<!-- TOC START -->
<div id="dw__toc">
<h3 class="toggle">Table of Contents</h3>
<div>
<ul class="toc">
<li class="level1"><div class="li"><a href="#presentation">Presentation</a></div></li>
<li class="level1"><div class="li"><a href="#configuration">Configuration</a></div>
<ul class="toc">
<li class="level2"><div class="li"><a href="#roles_as_simple_values_of_a_user_attribute">Roles as simple values of a user attribute</a></div></li>
<li class="level2"><div class="li"><a href="#roles_as_entries_in_the_directory">Roles as entries in the directory</a></div>
<ul class="toc">
<li class="level3"><div class="li"><a href="#gather_roles_in_session">Gather roles in session</a></div></li>
<li class="level3"><div class="li"><a href="#restrict_access_to_application">Restrict access to application</a></div></li>
<li class="level3"><div class="li"><a href="#send_role_to_application">Send role to application</a></div></li>
</ul></li>
</ul></li>
</ul>
</div>
</div>
<!-- TOC END -->
<h1 class="sectionedit1" id="rbac_model">RBAC model</h1>
<div class="level1">
</div>
<!-- EDIT1 SECTION "RBAC model" [1-26] -->
<h2 class="sectionedit2" id="presentation">Presentation</h2>
<div class="level2">
<p>
<a href="http://en.wikipedia.org/wiki/Role-based_access_control" class="urlextern" title="http://en.wikipedia.org/wiki/Role-based_access_control" rel="nofollow">RBAC</a> stands for Role Based Access Control. It means that you manage authorizations to access applications by checking the role(s) of the user, and that you provide this role to the application.
</p>
<p>
As access rules can be written freely in LemonLDAP::NG, you can implement an RBAC model if you need one.
</p>
</div>
<!-- EDIT2 SECTION "Presentation" [27-405] -->
<h2 class="sectionedit3" id="configuration">Configuration</h2>
<div class="level2">
</div>
<!-- EDIT3 SECTION "Configuration" [406-433] -->
<h3 class="sectionedit4" id="roles_as_simple_values_of_a_user_attribute">Roles as simple values of a user attribute</h3>
<div class="level3">
<p>
Imagine you have set up your directory schema to store roles as values of a user attribute, for example "description". This case is simple because you can send the roles to the application by creating an HTTP header (for example Auth-Roles) that carries the concatenated values (';' is the concatenation string):
</p>
<pre class="code">Auth-Roles => $description</pre>
<p>
If the user has these values in its entry:
</p>
<pre class="file">description: user
description: admin</pre>
<p>
then the Auth-Roles header gets this value:
</p>
<pre class="code">user; admin</pre>
</div>
<!-- EDIT4 SECTION "Roles as simple values of a user attribute" [434-1012] -->
<h3 class="sectionedit5" id="roles_as_entries_in_the_directory">Roles as entries in the directory</h3>
<div class="level3">
<p>
Now imagine the following DIT:
</p>
<ul>
<li class="level1"><div class="li">dc=example,dc=com</div>
<ul>
<li class="level2"><div class="li">ou=users</div>
<ul>
<li class="level3"><div class="li">uid=coudot</div>
</li>
</ul>
</li>
<li class="level2"><div class="li">ou=roles</div>
<ul>
<li class="level3"><div class="li">ou=aaa</div>
<ul>
<li class="level4"><div class="li">cn=admin</div>
</li>
<li class="level4"><div class="li">cn=user</div>
</li>
</ul>
</li>
<li class="level3"><div class="li">ou=bbb</div>
<ul>
<li class="level4"><div class="li">cn=admin</div>
</li>
<li class="level4"><div class="li">cn=user</div>
</li>
</ul>
</li>
</ul>
</li>
</ul>
</li>
</ul>
<p>
Roles are entries stored below branches that represent applications. We can use the standard LDAP objectClass <code>organizationalRole</code> to maintain roles, for example:
</p>
<pre class="code file ldif"><span class="re0">dn</span>: <span class="re1">cn=admin,ou=aaa,ou=roles,dc=example,dc=com</span>
<span class="re0">objectClass</span>: <span class="re1">organizationalRole</span>
<span class="re0">objectClass</span>: <span class="re1">top</span>
<span class="re0">cn</span>: <span class="re1">admin</span>
<span class="re0">ou</span>: <span class="re1">aaa</span>
<span class="re0">roleOccupant</span>: <span class="re1">uid=coudot,ou=users,dc=example,dc=com</span></pre>
<p>
A user is attached to a role if its <abbr title="Distinguished Name">DN</abbr> is listed in the <code>roleOccupant</code> attribute. We add the <code>ou</code> attribute so that <abbr title="LemonLDAP::NG">LL::NG</abbr> knows which application the role belongs to.
</p>
<p>
So imagine the user coudot is "user" on application "BBB" and "admin" on application "<abbr title="Authentication Authorization Accounting">AAA</abbr>".
</p>
</div>
<h4 id="gather_roles_in_session">Gather roles in session</h4>
<div class="level4">
<p>
Use the <a href="authldap.html#groups" class="wikilink1" title="documentation:2.0:authldap">LDAP group</a> configuration to store roles as groups in the user session:
</p>
<ul>
<li class="level1"><div class="li">Base: ou=roles,dc=example,dc=com</div>
</li>
<li class="level1"><div class="li">Object class: organizationalRole</div>
</li>
<li class="level1"><div class="li">Target attribute: roleOccupant</div>
</li>
<li class="level1"><div class="li">Searched attributes: cn ou</div>
</li>
</ul>
</div>
<h4 id="restrict_access_to_application">Restrict access to application</h4>
<div class="level4">
<p>
We configure <abbr title="LemonLDAP::NG">LL::NG</abbr> to authorize access to an application only for users who have a role on it. For this, we use the <code>$hGroups</code> variable.
</p>
<ul>
<li class="level1"><div class="li">For application <abbr title="Authentication Authorization Accounting">AAA</abbr>:</div>
</li>
</ul>
<pre class="code">default => groupMatch($hGroups, 'ou', 'aaa')</pre>
<ul>
<li class="level1"><div class="li">For application BBB:</div>
</li>
</ul>
<pre class="code">default => groupMatch($hGroups, 'ou', 'bbb')</pre>
</div>
<h4 id="send_role_to_application">Send role to application</h4>
<div class="level4">
<p>
This is done by creating the correct HTTP header, which extracts the role name from the matching group of the <code>$groups</code> string:
</p>
<ul>
<li class="level1"><div class="li">For application <abbr title="Authentication Authorization Accounting">AAA</abbr>:</div>
</li>
</ul>
<pre class="code">Auth-Roles => ((grep{/aaa/} split(';',$groups))[0] =~ /cn=([a-zA-Z]+)/)[0]</pre>
<ul>
<li class="level1"><div class="li">For application BBB:</div>
</li>
</ul>
<pre class="code">Auth-Roles => ((grep{/bbb/} split(';',$groups))[0] =~ /cn=([a-zA-Z]+)/)[0]</pre>
</div>
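<p>
The three steps above (gather roles, restrict access, send the role) as one added example, not LemonLDAP::NG code: it reads a constructed LDIF holding the role entries of the DIT, builds the per-user group hash that the "Gather roles in session" step produces (keyed on the role DN, an assumption made here so that the two <code>cn=admin</code> roles do not collide), evaluates the two access rules with a local stand-in for <code>groupMatch()</code>, and derives the Auth-Roles value for each application from the role's <code>cn</code> in that hash instead of regex-matching the <code>$groups</code> string. The LDIF, the user DNs and the helper names <code>parse_ldif</code>, <code>gather_roles</code> and <code>role_for_app</code> are constructed for this example.
</p>

```perl
#!/usr/bin/perl
# Added example, not LemonLDAP::NG code: walks the RBAC model end to end on
# constructed data. groupMatch() below is a local stand-in that only mimics
# the shape the page's rules rely on (group => { attribute => value }).
use strict;
use warnings;

# Constructed LDIF for the role entries of the DIT above: coudot is admin on
# AAA and user on BBB; smith is user on both; cn=admin,ou=bbb has no occupant.
my $ldif = <<'LDIF';
dn: cn=admin,ou=aaa,ou=roles,dc=example,dc=com
objectClass: organizationalRole
cn: admin
ou: aaa
roleOccupant: uid=coudot,ou=users,dc=example,dc=com

dn: cn=user,ou=aaa,ou=roles,dc=example,dc=com
objectClass: organizationalRole
cn: user
ou: aaa
roleOccupant: uid=smith,ou=users,dc=example,dc=com

dn: cn=admin,ou=bbb,ou=roles,dc=example,dc=com
objectClass: organizationalRole
cn: admin
ou: bbb

dn: cn=user,ou=bbb,ou=roles,dc=example,dc=com
objectClass: organizationalRole
cn: user
ou: bbb
roleOccupant: uid=coudot,ou=users,dc=example,dc=com
roleOccupant: uid=smith,ou=users,dc=example,dc=com
LDIF

# Minimal LDIF reader: entries are separated by blank lines, each line is
# "attribute: value", and repeated attributes become multi-valued (arrays).
sub parse_ldif {
    my ($text) = @_;
    my @entries;
    for my $block ( split /\n\s*\n/, $text ) {
        my %entry;
        for my $line ( split /\n/, $block ) {
            next unless $line =~ /^([^:\s]+):\s*(.*)$/;
            push @{ $entry{ lc $1 } }, $2;
        }
        push @entries, \%entry if %entry;
    }
    return @entries;
}

# The "Gather roles in session" step: keep the organizationalRole entries
# whose roleOccupant lists the user, keyed on the role DN (assumption), with
# the searched attributes cn and ou, like the $hGroups variable of the rules.
sub gather_roles {
    my ( $user_dn, @entries ) = @_;
    my %hGroups;
    for my $e (@entries) {
        next unless grep { $_ eq 'organizationalRole' } @{ $e->{objectclass} || [] };
        next unless grep { $_ eq $user_dn } @{ $e->{roleoccupant} || [] };
        $hGroups{ $e->{dn}[0] } = { cn => $e->{cn}[0], ou => $e->{ou}[0] };
    }
    return \%hGroups;
}

# Local stand-in for the groupMatch() used in the "Restrict access" rules:
# true if at least one group has $attr equal to $value.
sub groupMatch {
    my ( $hGroups, $attr, $value ) = @_;
    for my $g ( values %$hGroups ) {
        return 1 if defined $g->{$attr} && $g->{$attr} eq $value;
    }
    return 0;
}

# The "Send role" step: the cn of the user's role on this application, taken
# from the hash instead of being regex-extracted from the $groups string.
sub role_for_app {
    my ( $hGroups, $app ) = @_;
    my @cn = map { $_->{cn} } grep { $_->{ou} eq $app } values %$hGroups;
    return $cn[0];
}

my $user    = 'uid=coudot,ou=users,dc=example,dc=com';
my $hGroups = gather_roles( $user, parse_ldif($ldif) );

# Check three applications: coudot holds a role below ou=aaa and ou=bbb in
# the constructed LDIF, but nothing below ou=ccc.
for my $app (qw(aaa bbb ccc)) {
    if ( groupMatch( $hGroups, 'ou', $app ) ) {
        printf "%s: access granted, Auth-Roles: %s\n", $app, role_for_app( $hGroups, $app );
    }
    else {
        printf "%s: access denied, no role on this application\n", $app;
    }
}
```

Reading the role from <code>$hGroups</code> rather than from the <code>$groups</code> string is the design choice worth noting: the header rule then depends only on the searched attributes (<code>cn ou</code>) declared in the group configuration, not on how group names happen to be serialized, and a user without a role on the application is denied by the access rule before any header is built.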
<!-- EDIT5 SECTION "Roles as entries in the directory" [1013-] --></div>
</body>
</html>