LEMONLDAP::NG : documentation update + missing images
This commit is contained in:
parent
741e87b56a
commit
59bbd54920
BIN
build/lemonldap-ng/doc/DIA_DIT_Roles.png
Normal file
@ -48,8 +48,18 @@
|
|||
<li><a href="#HHabilitationbasedonaperiod">Habilitation based on a
|
||||
period</a></li>
|
||||
|
||||
<li><a href="#HSendaroletoaprotectedapplication">Send a role to a
|
||||
protected application</a></li>
|
||||
<li>
|
||||
<a href="#HSendaroletoaprotectedapplication">Send a role to a
|
||||
protected application</a>
|
||||
|
||||
<ul>
|
||||
<li><a href="#HRolesassimplevaluesofauserattribute">Roles as
|
||||
simple values of a user attribute</a></li>
|
||||
|
||||
<li><a href="#HRolesasentriesinthedirectory">Roles as entries in
|
||||
the directory</a></li>
|
||||
</ul>
|
||||
</li>
|
||||
</ul>
|
||||
</li>
|
||||
</ul>
|
||||
|
@ -196,7 +206,7 @@ objectClass ( SSOOID:2:1
|
|||
|
||||
<div class="code">
|
||||
<pre>
|
||||
<span class="java-keyword">default</span> => $ssoName =~ /bacmeb/
|
||||
<span class="java-keyword">default</span> => $ssoName =~ /\bacme\b/
|
||||
</pre>
|
||||
</div><br />
|
||||
<br />
|
||||
|
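Review bot: the rule now reads /\bacme\b/ instead of /bacmeb/, which restores the \b word-boundary escapes that the wiki export had dropped; the previous form matched only the literal string "bacmeb", so the rule could never have matched an $ssoName of "acme" and users would have been denied. Since this commit also changes the export script, confirm the regenerated advanced-access-rules.html still carries the backslashes instead of fixing only the built file.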
@ -214,6 +224,146 @@ objectClass ( SSOOID:2:1
|
|||
<h4 class="heading-1-1-1"><span id=
|
||||
"HSendaroletoaprotectedapplication">Send a role to a protected
|
||||
application</span></h4>
|
||||
|
||||
<h5 class="heading-1-1-1-1"><span id=
|
||||
"HRolesassimplevaluesofauserattribute">Roles as simple values of a user
|
||||
attribute</span></h5><br />
|
||||
<br />
|
||||
Imagine you've set your directory schema to store roles as values of
|
||||
ssoRoles, an attribute of the user. This is simple because you can send
|
||||
the role to the application by creating a HTTP header (for example
|
||||
Auth-Role) with the concatened values (';' is the concatenation
|
||||
string):<br />
|
||||
<br />
|
||||
|
||||
<div class="code">
|
||||
<pre>
|
||||
Auth-Roles => $ssoRoles
|
||||
</pre>
|
||||
</div><br />
|
||||
<br />
|
||||
If the user has these values inside its entry:<br />
|
||||
<br />
|
||||
|
||||
<div class="code">
|
||||
<pre>
|
||||
ssoRoles: user
|
||||
ssoRoles: admin
|
||||
</pre>
|
||||
</div><br />
|
||||
<br />
|
||||
Then you got this value inside the Auth-Roles header:<br />
|
||||
<br />
|
||||
|
||||
<div class="code">
|
||||
<pre>
|
||||
user;admin
|
||||
</pre>
|
||||
</div>
|
||||
|
||||
<h5 class="heading-1-1-1-1"><span id="HRolesasentriesinthedirectory">Roles
|
||||
as entries in the directory</span></h5><br />
|
||||
<br />
|
||||
Now imagine the following DIT:<br />
|
||||
<br />
|
||||
<img src="DIA_DIT_Roles.png" alt="DIA_DIT_Roles.png" /><br />
|
||||
<br />
|
||||
Roles are entries, below branchs representing applications. Each user has
|
||||
a ssoRoles attributes, which values are the DN of the corresponding roles.
|
||||
With this oragnization, you can set roles to user within specific
|
||||
application.<br />
|
||||
<br />
|
||||
In the schema above, the user has the following values:<br />
|
||||
<br />
|
||||
|
||||
<div class="code">
|
||||
<pre>
|
||||
ssoRoles: ou=admin,ou=aaa,ou=roles,dc=acme,dc=com
|
||||
ssoRoles: ou=user,ou=bbb,ou=roles,dc=acme,dc=com
|
||||
</pre>
|
||||
</div>
|
||||
|
||||
<p class="paragraph"></p>So he is "user" on application "BBB" and "admin"
|
||||
on application "AAA".
|
||||
|
||||
<p class="paragraph"></p>Now we have to send to right role to the right
|
||||
application trough LemonLDAP::NG.
|
||||
|
||||
<p class="paragraph"></p>First step: create a rule to grant access only if
|
||||
the user has a role in the application:
|
||||
|
||||
<ul class="star">
|
||||
<li>For application AAA:</li>
|
||||
</ul>
|
||||
|
||||
<div class="code">
|
||||
<pre>
|
||||
<span class="java-keyword">default</span> => $ssoRoles =~ /ou=aaa,ou=roles/
|
||||
</pre>
|
||||
</div>
|
||||
|
||||
<ul class="star">
|
||||
<li>For application BBB:</li>
|
||||
</ul>
|
||||
|
||||
<div class="code">
|
||||
<pre>
|
||||
<span class="java-keyword">default</span> => $ssoRoles =~ /ou=bbb,ou=roles/
|
||||
</pre>
|
||||
</div><br />
|
||||
<br />
|
||||
Second step: get the role name for the application. We will use the macros
|
||||
to do that. Create two macros (inside General Parameters > Macros):
|
||||
|
||||
<ul class="star">
|
||||
<li>For application AAA:</li>
|
||||
</ul>
|
||||
|
||||
<div class="code">
|
||||
<pre>
|
||||
aaaRole => ((grep{/ou=aaa/} split(';',$ssoRoles))[0] =~ /ou=(.*),ou=aaa/)[0]
|
||||
</pre>
|
||||
</div>
|
||||
|
||||
<ul class="star">
|
||||
<li>For application BBB:</li>
|
||||
</ul>
|
||||
|
||||
<div class="code">
|
||||
<pre>
|
||||
bbbRole => ((grep{/ou=bbb/} split(';',$ssoRoles))[0] =~ /ou=(.*),ou=bbb/)[0]
|
||||
</pre>
|
||||
</div><br />
|
||||
<br />
|
||||
These regular expressions read the 'ou' value of the DN of the role of the
|
||||
concerned application. This work if the user has only one role per
|
||||
application.<br />
|
||||
<br />
|
||||
Third step: provide the role to the application. It is done by creating
|
||||
the correct HTTP header:
|
||||
|
||||
<ul class="star">
|
||||
<li>For application AAA:</li>
|
||||
</ul>
|
||||
|
||||
<div class="code">
|
||||
<pre>
|
||||
Auth-Roles => $aaaRoles
|
||||
</pre>
|
||||
</div>
|
||||
|
||||
<ul class="star">
|
||||
<li>For application BBB:</li>
|
||||
</ul>
|
||||
|
||||
<div class="code">
|
||||
<pre>
|
||||
Auth-Roles => $bbbRoles
|
||||
</pre>
|
||||
</div><br />
|
||||
<br />
|
||||
Now the protected application can read in the header HTTP_AUTH_ROLES the
|
||||
role of the user.
|
||||
</div>
|
||||
</body>
|
||||
</html>
|
||||
|
|
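Review bot: the third-step headers reference $aaaRoles and $bbbRoles, but the macros defined in the second step are named aaaRole and bbbRole, so as written the Auth-Roles header would be built from an undefined variable and sent empty; rename to "Auth-Roles => $aaaRole" and "Auth-Roles => $bbbRole". The first section also says the header is called Auth-Role in the prose but Auth-Roles in the code block; pick one. The access rules "/ou=aaa,ou=roles/" are unanchored substring matches on the ';'-joined $ssoRoles string, which is fine for the DIT shown but worth stating next to the existing caveat that the macros assume one role per application. Minor: "concatened", "branchs", "oragnization", "trough" and "send to right role" need spelling fixes, and the empty "<p class="paragraph"></p>" elements precede their text rather than wrap it.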
BIN
build/lemonldap-ng/doc/bouton_federid.png
Normal file
@ -123,8 +123,8 @@
|
|||
<h4 class="heading-1-1-1"><span id="HLibertyAlliance">Liberty
|
||||
Alliance</span></h4><br />
|
||||
<br />
|
||||
<img src="/xwiki/bin/download/NG/DocLA/liberty_alliance_logo_jpeg.jpg"
|
||||
alt="liberty_alliance_logo_jpeg.jpg" /><br />
|
||||
<img src="liberty_alliance_logo_jpeg.jpg" alt=
|
||||
"liberty_alliance_logo_jpeg.jpg" /><br />
|
||||
<br />
|
||||
Cette norme permet de fédérer des identités issues de
|
||||
référentiels différents (par exemple un annuaire, une
|
||||
|
@ -153,8 +153,7 @@
|
|||
<h4 class="heading-1-1-1"><span id="HLeprojetFederID">Le projet
|
||||
FederID</span></h4><br />
|
||||
<br />
|
||||
<img src="/xwiki/bin/download/NG/DocLA/bouton_federid.png" alt=
|
||||
"bouton_federid.png" /><br />
|
||||
<img src="bouton_federid.png" alt="bouton_federid.png" /><br />
|
||||
<br />
|
||||
Le projet <span class="wikiexternallink"><a href=
|
||||
"http://www.federid.org">FederID</a></span> vise à offrir une
|
||||
|
|
BIN
build/lemonldap-ng/doc/liberty_alliance_logo_jpeg.jpg
Normal file
@ -17,7 +17,7 @@ my $docs = {
|
|||
'http://wiki.lemonldap.objectweb.org/xwiki/bin/view/NG/DocSOAP?language=fr' => 'soap-fr.html',
|
||||
'http://wiki.lemonldap.objectweb.org/xwiki/bin/view/NG/DocLA?language=fr' => 'liberty-alliance-fr.html',
|
||||
'http://wiki.lemonldap.objectweb.org/xwiki/bin/view/NG/DocPpolicy' => 'password-policy.html',
|
||||
'http://wiki.lemonldap.objectweb.org/xwiki/bin/view/NG/SpecLDAPSchema' => 'advanced-access-rules.html',
|
||||
'http://wiki.lemonldap.objectweb.org/xwiki/bin/view/NG/LDAPSchema' => 'advanced-access-rules.html',
|
||||
};
|
||||
|
||||
my %imgs;
|
||||
|
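Review bot: the key changes from NG/SpecLDAPSchema to NG/LDAPSchema while the output file stays advanced-access-rules.html, so a different wiki page is now fetched under the same name; the commit message does not mention the wiki page having moved, so a line saying why the source page changed would help whoever reruns the build.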
@ -58,7 +58,11 @@ while ( my ( $url, $file ) = each %$docs ) {
|
|||
while (s#(?<=<pre>)(.*?)(?:<p[^>]*>\s*</p>|<p[^>]*/>)(.*?)(?=</pre>)#$1<br/><br/>$2#gi) {}
|
||||
while (s#(?<=<pre>)(.*?)(?:<p[^>]*>\s*</p>|<p[^>]*/>)(.*?)(?!</pre>)#$1<br/><br/>$2#gi) {}
|
||||
}
|
||||
if(s#(["'])/xwiki/bin/download/NG/Presentation/([\w\.\-]+)\1#$1$2$1#) {
|
||||
if(m#(["'])/xwiki/bin/download/([\/\w\.\-]+)\1#) {
|
||||
$imgs{$2} = 1;
|
||||
s#(["'])/xwiki/bin/download/(?:[\/\w\.\-]+)/([\w\.\-]+)\1#$1$2$1#;
|
||||
}
|
||||
if(s#(["'])/xwiki/bin/download/([\/\w\.\-]+)\1#$1$2$1#) {
|
||||
$imgs{$2} = 1;
|
||||
}
|
||||
if($file =~ /-fr/) {
|
||||
|
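Review bot: the lookahead at the end of the first substitution flips from "(?=</pre>)" to "(?!</pre>)"; after a lazy "(.*?)" a negative lookahead is satisfied almost everywhere (the empty match succeeds unless "</pre>" immediately follows), so the loop no longer guarantees that the "<p>" it rewrites lies before the closing "</pre>" of the block. If the intent is to handle several paragraphs inside one "<pre>", keep the positive lookahead and let the while loop iterate, or add a comment explaining the change. In the image handling, %imgs is now keyed by the full wiki path ("$2" from "[\/\w\.\-]+") while the src attribute is rewritten to the basename, so two images with the same basename in different wiki spaces will overwrite each other in the doc directory; also note that the same "$2" is later interpolated into a backtick command, and only that character class keeps it free of shell metacharacters, which deserves a comment.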
@ -95,5 +99,5 @@ while ( my ( $url, $file ) = each %$docs ) {
|
|||
}
|
||||
|
||||
foreach(keys %imgs) {
|
||||
`wget -N http://wiki.lemonldap.objectweb.org/xwiki/bin/download/NG/Presentation/$_`;
|
||||
`wget -N http://wiki.lemonldap.objectweb.org/xwiki/bin/download/$_`;
|
||||
}
|
||||
|
|
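Review bot: the wget call is a backtick command whose exit status is never checked, so a missing image (the path now comes from any "/xwiki/bin/download/" reference, not only NG/Presentation) silently leaves a broken "<img>" in the generated HTML; prefer 'system("wget", "-N", $url) == 0 or warn "cannot fetch $url"' so the list form avoids the shell and failures are reported.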