diff --git a/build/lemonldap-ng/doc/DIA_DIT_Roles.png b/build/lemonldap-ng/doc/DIA_DIT_Roles.png new file mode 100644 index 000000000..0a6444475 Binary files /dev/null and b/build/lemonldap-ng/doc/DIA_DIT_Roles.png differ diff --git a/build/lemonldap-ng/doc/advanced-access-rules.html b/build/lemonldap-ng/doc/advanced-access-rules.html index d2f3562a0..57e9ee458 100644 --- a/build/lemonldap-ng/doc/advanced-access-rules.html +++ b/build/lemonldap-ng/doc/advanced-access-rules.html @@ -48,8 +48,18 @@
  • Habilitation based on a period
  • -
  • Send a role to a - protected application
  • +
  • + Send a role to a + protected application + + +
  • @@ -196,7 +206,7 @@ objectClass ( SSOOID:2:1
    -default => $ssoName =~ /bacmeb/
    +default => $ssoName =~ /\bacme\b/
     


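Review bot: the restored word boundaries in `+default => $ssoName =~ /\bacme\b/` are the right fix (the wiki rendering had swallowed the backslashes, and `/bacmeb/` can never match a value `acme`), but `\b` is a word/non-word transition, not a separator check: with multivalued attributes joined by ';', this rule also accepts values such as `acme-partner` or `acme.test`, because `-` and `.` are themselves boundaries. If the intent is an exact match against one element of the joined list, anchor on the separator instead, e.g. `/(?:^|;)acme(?:;|$)/`.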
    @@ -214,6 +224,146 @@ objectClass ( SSOOID:2:1

    Send a role to a protected application

    + +
    Roles as simple values of a user + attribute

    +
    + Imagine you've set your directory schema to store roles as values of + ssoRoles, an attribute of the user. This is simple because you can send + the role to the application by creating a HTTP header (for example + Auth-Role) with the concatened values (';' is the concatenation + string):
    +
    + +
    +
    +Auth-Roles => $ssoRoles
    +
    +

    +
    + If the user has these values inside its entry:
    +
    + +
    +
    +ssoRoles: user
    +ssoRoles: admin
    +
    +

    +
    + Then you got this value inside the Auth-Roles header:
    +
    + +
    +
    +user;admin
    +
    +
    + +
    Roles + as entries in the directory

    +
    + Now imagine the following DIT:
    +
    + DIA_DIT_Roles.png
    +
    + Roles are entries, below branchs representing applications. Each user has + a ssoRoles attributes, which values are the DN of the corresponding roles. + With this oragnization, you can set roles to user within specific + application.
    +
    + In the schema above, the user has the following values:
    +
    + +
    +
    +ssoRoles: ou=admin,ou=aaa,ou=roles,dc=acme,dc=com
    +ssoRoles: ou=user,ou=bbb,ou=roles,dc=acme,dc=com
    +
    +
    + +

    So he is "user" on application "BBB" and "admin" + on application "AAA". + +

    Now we have to send to right role to the right + application trough LemonLDAP::NG. + +

    First step: create a rule to grant access only if + the user has a role in the application: + + + +
    +
    +default => $ssoRoles =~ /ou=aaa,ou=roles/
    +
    +
    + + + +
    +
    +default => $ssoRoles =~ /ou=bbb,ou=roles/
    +
    +

    +
    + Second step: get the role name for the application. We will use the macros + to do that. Create two macros (inside General Parameters > Macros): + + + +
    +
    +aaaRole => ((grep{/ou=aaa/} split(';',$ssoRoles))[0] =~ /ou=(.*),ou=aaa/)[0]
    +
    +
    + + + +
    +
    +bbbRole => ((grep{/ou=bbb/} split(';',$ssoRoles))[0] =~ /ou=(.*),ou=bbb/)[0]
    +
    +

    +
    + These regular expressions read the 'ou' value of the DN of the role of the + concerned application. This work if the user has only one role per + application.
    +
    + Third step: provide the role to the application. It is done by creating + the correct HTTP header: + + + +
    +
    +Auth-Roles => $aaaRoles
    +
    +
    + + + +
    +
    +Auth-Roles => $bbbRoles
    +
    +

    +
    + Now the protected application can read in the header HTTP_AUTH_ROLES the + role of the user. diff --git a/build/lemonldap-ng/doc/bouton_federid.png b/build/lemonldap-ng/doc/bouton_federid.png new file mode 100644 index 000000000..84510e882 Binary files /dev/null and b/build/lemonldap-ng/doc/bouton_federid.png differ diff --git a/build/lemonldap-ng/doc/liberty-alliance-fr.html b/build/lemonldap-ng/doc/liberty-alliance-fr.html index ea8ccb361..45bb2fe35 100644 --- a/build/lemonldap-ng/doc/liberty-alliance-fr.html +++ b/build/lemonldap-ng/doc/liberty-alliance-fr.html @@ -123,8 +123,8 @@
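Review bot: the macro names and the header expressions disagree, so the documented setup does not work as written: the macros are defined as `aaaRole` and `bbbRole`, but the headers read `Auth-Roles => $aaaRoles` and `Auth-Roles => $bbbRoles`, which reference macros that do not exist, and `HTTP_AUTH_ROLES` would arrive empty at both applications. Use `$aaaRole` / `$bbbRole` or rename the macros. Two smaller points in the same hunk: the grep filter `grep{/ou=aaa/}` is looser than the access rule `/ou=aaa,ou=roles/`; a role DN such as `ou=aaa,ou=bbb,ou=roles,dc=acme,dc=com` (a role named "aaa" inside application BBB) is selected by the grep, the following `/ou=(.*),ou=aaa/` then fails to match, and the header ends up empty or wrong if that DN happens to come first in the list. Filtering on `/,ou=aaa,ou=roles,/` closes that gap, and since the text already concedes "This work if the user has only one role per application", a `join(';', map { ... } grep { ... })` form would lift that restriction. The prose also names the header `Auth-Role` while every example uses `Auth-Roles`; pick one. Typos to fix before merge: "concatened", "branchs", "oragnization", "trough", "send to right role".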

    Liberty Alliance



    - liberty_alliance_logo_jpeg.jpg
    + +

    Cette norme permet de fédérer des identités issues de référentiels différents (par exemple un annuaire, une @@ -153,8 +153,7 @@

    Le projet FederID



    - -
    + bouton_federid.png

    Le projet FederID vise à offrir une diff --git a/build/lemonldap-ng/doc/liberty_alliance_logo_jpeg.jpg b/build/lemonldap-ng/doc/liberty_alliance_logo_jpeg.jpg new file mode 100644 index 000000000..728dec177 Binary files /dev/null and b/build/lemonldap-ng/doc/liberty_alliance_logo_jpeg.jpg differ diff --git a/build/lemonldap-ng/scripts/doc.pl b/build/lemonldap-ng/scripts/doc.pl index 3c43bf4c6..4e5acc483 100755 --- a/build/lemonldap-ng/scripts/doc.pl +++ b/build/lemonldap-ng/scripts/doc.pl @@ -17,7 +17,7 @@ my $docs = { 'http://wiki.lemonldap.objectweb.org/xwiki/bin/view/NG/DocSOAP?language=fr' => 'soap-fr.html', 'http://wiki.lemonldap.objectweb.org/xwiki/bin/view/NG/DocLA?language=fr' => 'liberty-alliance-fr.html', 'http://wiki.lemonldap.objectweb.org/xwiki/bin/view/NG/DocPpolicy' => 'password-policy.html', - 'http://wiki.lemonldap.objectweb.org/xwiki/bin/view/NG/SpecLDAPSchema' => 'advanced-access-rules.html', + 'http://wiki.lemonldap.objectweb.org/xwiki/bin/view/NG/LDAPSchema' => 'advanced-access-rules.html', }; my %imgs; @@ -58,7 +58,11 @@ while ( my ( $url, $file ) = each %$docs ) { while (s#(?<=
    )(.*?)(?:]*>\s*

    |]*/>)(.*?)(?=
    )#$1

    $2#gi) {} while (s#(?<=
    )(.*?)(?:]*>\s*

    |]*/>)(.*?)(?!
    )#$1

    $2#gi) {} } - if(s#(["'])/xwiki/bin/download/NG/Presentation/([\w\.\-]+)\1#$1$2$1#) { + if(m#(["'])/xwiki/bin/download/([\/\w\.\-]+)\1#) { + $imgs{$2} = 1; + s#(["'])/xwiki/bin/download/(?:[\/\w\.\-]+)/([\w\.\-]+)\1#$1$2$1#; + } + if(s#(["'])/xwiki/bin/download/([\/\w\.\-]+)\1#$1$2$1#) { $imgs{$2} = 1; } if($file =~ /-fr/) { @@ -95,5 +99,5 @@ while ( my ( $url, $file ) = each %$docs ) { } foreach(keys %imgs) { - `wget -N http://wiki.lemonldap.objectweb.org/xwiki/bin/download/NG/Presentation/$_`; + `wget -N http://wiki.lemonldap.objectweb.org/xwiki/bin/download/$_`; }
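Review bot: in the `@@ -58,7 +58,11 @@` hunk the retained `if(s#(["'])/xwiki/bin/download/([\/\w\.\-]+)\1#$1$2$1#)` is now either dead or inconsistent. When the new `m#(["'])/xwiki/bin/download/([\/\w\.\-]+)\1#` matched, its inner `s#…#` has already reduced that reference to a bare filename, so the second `if` only fires on a second image on the same line, and there it rewrites the reference to the full `NG/Presentation/foo.png` path instead of the basename the first block produces (and that `wget` will save). Neither block loops, so a line with two images is handled differently for each. Suggest recording with `while (m#(["'])/xwiki/bin/download/([\/\w\.\-]+)\1#g) { $imgs{$2} = 1 }`, then one unconditional `s#(["'])/xwiki/bin/download/(?:[\/\w\.\-]+/)?([\w\.\-]+)\1#$1$2$1#g`, and dropping the second `if` altogether.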
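Review bot: `wget -N http://wiki.lemonldap.objectweb.org/xwiki/bin/download/$_` in the `@@ -95,5 +99,5 @@` hunk runs inside backticks with `$_` taken from `%imgs`, so its safety rests entirely on the capture class `[\/\w\.\-]+` in the earlier hunk; any later widening of that class (spaces, `%`, `&`) would let a wiki page inject shell commands into whoever runs `doc.pl`. Prefer the list form `system('wget', '-N', "http://wiki.lemonldap.objectweb.org/xwiki/bin/download/$_")`, which involves no shell, and check its return value instead of discarding the output. Separately, `wget` saves by basename while `%imgs` is keyed by the full path: two wiki spaces that each hold a `logo.png` now overwrite one another in the output directory, and the rewritten HTML, which references bare filenames, cannot tell them apart.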