lemonldap-ng/doc/sources/admin/exportedvars.rst

Exported variables
==================

Presentation
------------

Exported variables are the variables available to
:doc:`write rules and headers<writingrulesand_headers>`. They are
extracted from the users database by the
:ref:`users module<start-authentication-users-and-password-databases>`.

To create a variable, you've just to map a user attributes in LL::NG
using ``Variables`` » ``Exported variables``. For each variable, the
first field is the name which will be used in rules, macros or headers
and the second field is the name of the user database field.

Examples for :doc:`LDAP<authldap>`:

============= ==============
Variable name LDAP attribute
============= ==============
uid           uid
number        employeeNumber
name          sn
============= ==============

You can define exported variables for each module in the module
configuration itself. Variables defined in the main
``Exported variables`` will be used for each backend. Variables defined
in the exported variables node of the module will be used only for that
module.

|Exported variables in the Manager|


.. tip::

    You can define environment variables in
    ``Exported variables``, this allows one to populate user session with
    some environment values. Environment variables will not be queried in
    users database.

.. _macros_and_groups:

Extend variables using macros and groups
----------------------------------------

Macros and groups are calculated during authentication process by the
portal:

-  macros are used to extend (or rewrite)
   :doc:`exported variables<exportedvars>`. A macro is stored as
   attributes: it can contain boolean results or any string
-  macros can also be used to import environment variables *(these
   variables are in CGI format)*. Example: ``$ENV{HTTP_COOKIE}``
-  You can check for group membership of a particular user with the
   ``inGroup`` function, see examples below.
-  If you need more advanced processing of the group list (filtering,
   rewriting) you may use ``$groups``, a flat list of all the user's
   groups, separated by ''; '' (default values separator). Or the
   ``$hGroups`` variable which is a perl hash whose keys are the group
   names.

Example for macros:

.. code-block:: perl

   # boolean macro
   isAdmin -> $uid eq 'foo' or $uid eq 'bar'
   # other macro
   displayName -> $givenName." ".$surName

   # Use a boolean macro in a rule
   ^/admin -> $isAdmin
   # Use a string macro in a HTTP header
   Display-Name -> $displayName

Defining a group for admins

.. code-block:: perl

   # group
   admin -> $uid eq 'foo' or $uid eq 'bar'

Using groups in a rule

.. code-block:: perl

   ^/admin -> inGroup('admin')

   # Advanced usage
   ^/admin -> defined $hGroups->{'admin'}
   ^/admin -> $groups =~ /\badmin\b/


.. note::

    Groups are computed after macros, so a group rule may involve a
    macro value.

.. warning::

    Macros and groups are computed in alphanumeric order,
    that is, in the order they are displayed in the manager. For example,
    macro "macro1" will be computed before macro "macro2": so, expression of
    macro2 may involve value of macro1. As same for groups: a group rule may
    involve another, previously computed group.

   # Use a boolean macro in a rule
   ^/admin -> $isAdmin
   # Use a string macro in a HTTP header
   Display-Name -> $displayName

Defining a group for admins

.. code-block:: perl

   # group
   admin -> $uid eq 'foo' or $uid eq 'bar'

Using groups in a rule

.. code-block:: perl

   ^/admin -> $groups =~ /\badmin\b/

   # Or with hGroups
   ^/admin -> defined $hGroups->{'admin'}

   # Since 2.0.8
   ^/admin -> inGroup('admin')


.. note::

    Groups are computed after macros, so a group rule may involve a
    macro value.


.. warning::

    Macros and groups are computed in alphanumeric order,
    that is, in the order they are displayed in the manager. For example,
    macro "macro1" will be computed before macro "macro2": so, expression of
    macro2 may involve value of macro1. As same for groups: a group rule may
    involve another, previously computed group.

.. |Exported variables in the Manager| image:: /documentation/manager-exported-variables.png
   :class: align-center
First version of imported doc (#1646) 2020-05-14 23:29:41 +02:00			`Exported variables`
			`==================`

			`Presentation`
			`------------`

			`Exported variables are the variables available to`
			:doc:`write rules and headers<writingrulesand_headers>`. They are
doc: fix formatting 2020-05-18 09:56:39 +02:00			`extracted from the users database by the`
			:ref:`users module<start-authentication-users-and-password-databases>`.
First version of imported doc (#1646) 2020-05-14 23:29:41 +02:00
			`To create a variable, you've just to map a user attributes in LL::NG`
Improve doc 2020-12-10 09:12:42 +01:00			using ``Variables`` » ``Exported variables``. For each variable, the
First version of imported doc (#1646) 2020-05-14 23:29:41 +02:00			`first field is the name which will be used in rules, macros or headers`
			`and the second field is the name of the user database field.`

			Examples for :doc:`LDAP<authldap>`:

			`============= ==============`
			`Variable name LDAP attribute`
			`============= ==============`
			`uid uid`
			`number employeeNumber`
			`name sn`
			`============= ==============`

			`You can define exported variables for each module in the module`
			`configuration itself. Variables defined in the main`
			``Exported variables`` will be used for each backend. Variables defined
			`in the exported variables node of the module will be used only for that`
			`module.`

			`\|Exported variables in the Manager\|`


doc: fix formatting 2020-05-18 09:56:39 +02:00			`.. tip::`
First version of imported doc (#1646) 2020-05-14 23:29:41 +02:00
			`You can define environment variables in`
			``Exported variables``, this allows one to populate user session with
			`some environment values. Environment variables will not be queried in`
			`users database.`

doc: fix markup 2020-05-21 15:13:24 +02:00			`.. _macros_and_groups:`

First version of imported doc (#1646) 2020-05-14 23:29:41 +02:00			`Extend variables using macros and groups`
			`----------------------------------------`

doc: fix markup 2020-05-21 15:13:24 +02:00			`Macros and groups are calculated during authentication process by the`
			`portal:`

			`- macros are used to extend (or rewrite)`
			:doc:`exported variables<exportedvars>`. A macro is stored as
			`attributes: it can contain boolean results or any string`
			`- macros can also be used to import environment variables *(these`
			variables are in CGI format)*. Example: ``$ENV{HTTP_COOKIE}``
2.0 to master doc patch 2020-05-29 17:10:28 +02:00			`- You can check for group membership of a particular user with the`
			``inGroup`` function, see examples below.
			`- If you need more advanced processing of the group list (filtering,`
			rewriting) you may use ``$groups``, a flat list of all the user's
			`groups, separated by ''; '' (default values separator). Or the`
			``$hGroups`` variable which is a perl hash whose keys are the group
			`names.`

			`Example for macros:`
doc: fix markup 2020-05-21 15:13:24 +02:00
			`.. code-block:: perl`

2.0 to master doc patch 2020-05-29 17:10:28 +02:00			`# boolean macro`
			`isAdmin -> $uid eq 'foo' or $uid eq 'bar'`
			`# other macro`
			`displayName -> $givenName." ".$surName`

			`# Use a boolean macro in a rule`
			`^/admin -> $isAdmin`
			`# Use a string macro in a HTTP header`
			`Display-Name -> $displayName`
doc: fix markup 2020-05-21 15:13:24 +02:00
2.0 to master doc patch 2020-05-29 17:10:28 +02:00			`Defining a group for admins`
doc: fix markup 2020-05-21 15:13:24 +02:00
			`.. code-block:: perl`

2.0 to master doc patch 2020-05-29 17:10:28 +02:00			`# group`
			`admin -> $uid eq 'foo' or $uid eq 'bar'`
doc: fix markup 2020-05-29 17:13:25 +02:00
2.0 to master doc patch 2020-05-29 17:10:28 +02:00			`Using groups in a rule`
doc: fix markup 2020-05-21 15:13:24 +02:00
			`.. code-block:: perl`

2.0 to master doc patch 2020-05-29 17:10:28 +02:00			`^/admin -> inGroup('admin')`

			`# Advanced usage`
			`^/admin -> defined $hGroups->{'admin'}`
			`^/admin -> $groups =~ /\badmin\b/`


			`.. note::`

			`Groups are computed after macros, so a group rule may involve a`
			`macro value.`

			`.. warning::`

			`Macros and groups are computed in alphanumeric order,`
			`that is, in the order they are displayed in the manager. For example,`
			`macro "macro1" will be computed before macro "macro2": so, expression of`
			`macro2 may involve value of macro1. As same for groups: a group rule may`
			`involve another, previously computed group.`
First version of imported doc (#1646) 2020-05-14 23:29:41 +02:00
doc: fix markup 2020-05-29 17:13:25 +02:00			`# Use a boolean macro in a rule`
			`^/admin -> $isAdmin`
			`# Use a string macro in a HTTP header`
			`Display-Name -> $displayName`

			`Defining a group for admins`

			`.. code-block:: perl`

			`# group`
			`admin -> $uid eq 'foo' or $uid eq 'bar'`

			`Using groups in a rule`

			`.. code-block:: perl`

			`^/admin -> $groups =~ /\badmin\b/`

			`# Or with hGroups`
			`^/admin -> defined $hGroups->{'admin'}`

			`# Since 2.0.8`
			`^/admin -> inGroup('admin')`


			`.. note::`

			`Groups are computed after macros, so a group rule may involve a`
			`macro value.`


			`.. warning::`

			`Macros and groups are computed in alphanumeric order,`
			`that is, in the order they are displayed in the manager. For example,`
			`macro "macro1" will be computed before macro "macro2": so, expression of`
			`macro2 may involve value of macro1. As same for groups: a group rule may`
			`involve another, previously computed group.`

First version of imported doc (#1646) 2020-05-14 23:29:41 +02:00			`.. \|Exported variables in the Manager\| image:: /documentation/manager-exported-variables.png`
			`:class: align-center`