diff --git a/build/lemonldap-ng/doc/DIA_DIT_Roles.png b/build/lemonldap-ng/doc/DIA_DIT_Roles.png
new file mode 100644
index 000000000..0a6444475
Binary files /dev/null and b/build/lemonldap-ng/doc/DIA_DIT_Roles.png differ
diff --git a/build/lemonldap-ng/doc/advanced-access-rules.html b/build/lemonldap-ng/doc/advanced-access-rules.html
index d2f3562a0..57e9ee458 100644
--- a/build/lemonldap-ng/doc/advanced-access-rules.html
+++ b/build/lemonldap-ng/doc/advanced-access-rules.html
@@ -48,8 +48,18 @@
Habilitation based on a
period
- Send a role to a
- protected application
+
+ Send a role to a
+ protected application
+
+
+
@@ -196,7 +206,7 @@ objectClass ( SSOOID:2:1
-default => $ssoName =~ /bacmeb/
+default => $ssoName =~ /\bacme\b/
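Review bot: the corrected `+default => $ssoName =~ /\bacme\b/` restores the word-boundary escapes that the old `/bacmeb/` had lost (it matched the literal string "bacmeb", so the rule could never grant access to the intended "acme" users). Since the defect is exactly a dropped backslash, it is worth checking the rendered HTML after the doc build to confirm `\b` survives as written and is not consumed by the toolchain as an escape again.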
@@ -214,6 +224,146 @@ objectClass ( SSOOID:2:1
Send a role to a protected
application
+
+ Roles as simple values of a user
+ attribute
+
+ Imagine you've set your directory schema to store roles as values of
+ ssoRoles, an attribute of the user. This is simple because you can send
+ the role to the application by creating a HTTP header (for example
+ Auth-Role) with the concatened values (';' is the concatenation
+ string):
+
+
+
+
+Auth-Roles => $ssoRoles
+
+
+
+ If the user has these values inside its entry:
+
+
+
+
+ssoRoles: user
+ssoRoles: admin
+
+
+
+ Then you got this value inside the Auth-Roles header:
+
+
+
+
+ Roles
+ as entries in the directory
+
+ Now imagine the following DIT:
+
+
+
+ Roles are entries, below branchs representing applications. Each user has
+ a ssoRoles attributes, which values are the DN of the corresponding roles.
+ With this oragnization, you can set roles to user within specific
+ application.
+
+ In the schema above, the user has the following values:
+
+
+
+
+ssoRoles: ou=admin,ou=aaa,ou=roles,dc=acme,dc=com
+ssoRoles: ou=user,ou=bbb,ou=roles,dc=acme,dc=com
+
+
+
+ So he is "user" on application "BBB" and "admin"
+ on application "AAA".
+
+ Now we have to send to right role to the right
+ application trough LemonLDAP::NG.
+
+ First step: create a rule to grant access only if
+ the user has a role in the application:
+
+
+
+
+
+default => $ssoRoles =~ /ou=aaa,ou=roles/
+
+
+
+
+
+
+
+default => $ssoRoles =~ /ou=bbb,ou=roles/
+
+
+
+ Second step: get the role name for the application. We will use the macros
+ to do that. Create two macros (inside General Parameters > Macros):
+
+
+
+
+
+aaaRole => ((grep{/ou=aaa/} split(';',$ssoRoles))[0] =~ /ou=(.*),ou=aaa/)[0]
+
+
+
+
+
+
+
+bbbRole => ((grep{/ou=bbb/} split(';',$ssoRoles))[0] =~ /ou=(.*),ou=bbb/)[0]
+
+
+
+ These regular expressions read the 'ou' value of the DN of the role of the
+ concerned application. This work if the user has only one role per
+ application.
+
+ Third step: provide the role to the application. It is done by creating
+ the correct HTTP header:
+
+
+
+
+
+Auth-Roles => $aaaRoles
+
+
+
+
+
+
+
+Auth-Roles => $bbbRoles
+
+
+
+ Now the protected application can read in the header HTTP_AUTH_ROLES the
+ role of the user.
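Review bot: the third-step headers reference variables that no macro defines: the macros are created as `aaaRole` and `bbbRole`, but the headers are `Auth-Roles => $aaaRoles` and `Auth-Roles => $bbbRoles`, so as written the protected application would receive an empty Auth-Roles header; rename one side so the names agree (e.g. `Auth-Roles => $aaaRole` and `Auth-Roles => $bbbRole`).

Two gaps in the first example of the same section: "Then you got this value inside the Auth-Roles header:" is followed by no value at all (given the ';' separator stated just above and the two `ssoRoles:` values, presumably `user;admin`), and the prose names the header `Auth-Role` while the rule line uses `Auth-Roles`; pick one.

A caveat the text should carry: because the macros are defined globally (General Parameters > Macros) rather than per application, `(grep{/ou=aaa/} split(';',$ssoRoles))[0]` is undef for any user who has no role under ou=aaa, and matching undef against `/ou=(.*),ou=aaa/` yields an empty macro plus an uninitialized-value warning; testing the grep result before matching avoids that. Anchoring the patterns, in the spirit of the `\bacme\b` fix earlier in this file, would also keep `grep{/ou=aaa/}` from selecting a role of an application whose name merely contains "aaa". The sentence "This work if the user has only one role per application" is the right limitation to state, and the macro silently picking element `[0]` when there are several is worth saying explicitly.

Finally a spelling pass on the new prose: 'concatened' (concatenated), 'branchs' (branches), 'oragnization' (organization), 'trough' (through), 'to right role' (the right role) and 'This work' (This works).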