<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"
lang="en" dir="ltr">

<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>RBAC model</title>
<!-- metadata -->
<meta name="generator" content="Offline" />
<meta name="version" content="Offline 0.1" />
<!-- style sheet links -->
<link rel="stylesheet" media="all" type="text/css" href="../../../css/all.css" />
<link rel="stylesheet" media="screen" type="text/css" href="../../../css/screen.css" />
<link rel="stylesheet" media="print" type="text/css" href="../../../css/print.css" />
</head>

<body>
<div class="dokuwiki export">
<h1 class="sectionedit1" id="rbac_model">RBAC model</h1>
<div class="level1">
</div>
<!-- EDIT1 SECTION "RBAC model" [1-26] -->

<h2 class="sectionedit2" id="presentation">Presentation</h2>
<div class="level2">

<p>
<a href="http://en.wikipedia.org/wiki/Role-based_access_control" class="urlextern" title="http://en.wikipedia.org/wiki/Role-based_access_control" rel="nofollow">RBAC</a> stands for Role Based Access Control. It means that access to applications is authorized by checking the role(s) of the user, and that these roles are then provided to the application.
</p>

<p>
LemonLDAP::NG supports this model. You should use an <a href="../../documentation/1.9/authldap.html#schema_extension" class="wikilink1" title="documentation:1.9:authldap">extended LDAP schema</a> (or an extension of any other user database), but it also works with standard attributes.
</p>

</div>
<!-- EDIT2 SECTION "Presentation" [27-488] -->
<h2 class="sectionedit3" id="configuration">Configuration</h2>
<div class="level2">
</div>
<!-- EDIT3 SECTION "Configuration" [489-516] -->

<h3 class="sectionedit4" id="roles_as_simple_values_of_a_user_attribute">Roles as simple values of a user attribute</h3>
<div class="level3">

<p>
Imagine you have set your directory schema to store roles as values of ssoRoles, an attribute of the user. This is the simple case, because you can send the roles to the application by creating an HTTP header (for example Auth-Roles) containing the concatenated values (';' is the concatenation string):
</p>
<pre class="code">Auth-Roles => $ssoRoles</pre>

<p>
If the user has these values in its entry:
</p>
<pre class="file">ssoRoles: user
ssoRoles: admin</pre>

<p>
then the Auth-Roles header contains this value:
</p>
<pre class="code">user; admin</pre>

</div>
<!-- EDIT4 SECTION "Roles as simple values of a user attribute" [517-1069] -->
<h3 class="sectionedit5" id="roles_as_entries_in_the_directory">Roles as entries in the directory</h3>
<div class="level3">

<p>
Now imagine the following DIT:
</p>

<p>
<a href="/_detail/documentation/dia_dit_roles.png?id=documentation%3A1.9%3Arbac" class="media" title="documentation:dia_dit_roles.png"><img src="../../../media/documentation/dia_dit_roles.png" class="mediacenter" alt="" /></a>
</p>

<p>
Roles are entries located below branches representing applications. Each user has a ssoRoles attribute whose values are the <abbr title="Distinguished Name">DN</abbr>s of the corresponding roles. With this organization, you can assign a role to a user within a specific application.
</p>

<p>
In the schema above, the user has the following values:
</p>
<pre class="file">ssoRoles: ou=admin,ou=aaa,ou=roles,dc=acme,dc=com
ssoRoles: ou=user,ou=bbb,ou=roles,dc=acme,dc=com</pre>

<p>
So he is “user” on application “BBB” and “admin” on application “<abbr title="Authentication Authorization Accounting">AAA</abbr>”.
</p>

<p>
Now we have to send the right role to the right application through LemonLDAP::NG.
</p>

<p>
First step: create a rule that grants access only if the user has a role in the application:
</p>
<ul>
<li class="level1"><div class="li"> For application <abbr title="Authentication Authorization Accounting">AAA</abbr>:</div>
</li>
</ul>
<pre class="code">default => $ssoRoles =~ /ou=aaa,ou=roles/</pre>
<ul>
<li class="level1"><div class="li"> For application BBB:</div>
</li>
</ul>
<pre class="code">default => $ssoRoles =~ /ou=bbb,ou=roles/</pre>

<p>
Second step: get the role name for the application. We use macros for that. Create two macros (in <code>Variables</code> » <code>Macros</code>):
</p>
<ul>
<li class="level1"><div class="li"> For application <abbr title="Authentication Authorization Accounting">AAA</abbr>:</div>
</li>
</ul>
<pre class="code">aaaRole => ((grep{/ou=aaa/} split(';',$ssoRoles))[0] =~ /ou=(.*),ou=aaa/)[0]</pre>
<ul>
<li class="level1"><div class="li"> For application BBB:</div>
</li>
</ul>
<pre class="code">bbbRole => ((grep{/ou=bbb/} split(';',$ssoRoles))[0] =~ /ou=(.*),ou=bbb/)[0]</pre>

<p>
These regular expressions extract the 'ou' value from the <abbr title="Distinguished Name">DN</abbr> of the role belonging to the application concerned. Because only the first matching DN is read, this works only if the user has a single role per application.
</p>

<p>
Third step: provide the role to the application. This is done by creating the appropriate HTTP header:
</p>
<ul>
<li class="level1"><div class="li"> For application <abbr title="Authentication Authorization Accounting">AAA</abbr>:</div>
</li>
</ul>
<pre class="code">Auth-Roles => $aaaRole</pre>
<ul>
<li class="level1"><div class="li"> For application BBB:</div>
</li>
</ul>
<pre class="code">Auth-Roles => $bbbRole</pre>

<p>
The protected application can now read the user's role in the HTTP_AUTH_ROLES header.
</p>

<div class="notetip">
<p>
If you have more than one role for an application, you can join those roles with a separator (for example ||):
</p>
<pre class="code">aaaRole => join(' || ', (map {/ou=(.*),ou=aaa/} (grep{/ou=aaa/} split(';',$ssoRoles))))</pre>
</div>
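<p>As an added example (not part of the LemonLDAP::NG documentation), the rules and macros above can be checked with plain Perl before they are entered in the Manager, since that is what the Handler evaluates. The ssoRoles value, the extra “auditor” role and the “CCC” application are constructed for this test:</p>

```perl
#!/usr/bin/perl
# Added example, not part of the LemonLDAP::NG documentation: evaluates the
# rule and macro expressions from this page against a constructed $ssoRoles
# value, as the Handler sees it (multi-valued attributes joined with '; ').
use strict;
use warnings;

# Constructed sample entry: the user from the DIT above, plus a second AAA
# role so that the single-role and multi-role macros can be compared.
my $ssoRoles = join('; ',
    'ou=admin,ou=aaa,ou=roles,dc=acme,dc=com',
    'ou=user,ou=bbb,ou=roles,dc=acme,dc=com',
    'ou=auditor,ou=aaa,ou=roles,dc=acme,dc=com',
);

# Step one, the access rules: grant only if a role exists under the
# application branch. "CCC" is a constructed application with no role,
# so access to it must be denied.
my %allowed = (
    AAA => ($ssoRoles =~ /ou=aaa,ou=roles/ ? 'granted' : 'denied'),
    BBB => ($ssoRoles =~ /ou=bbb,ou=roles/ ? 'granted' : 'denied'),
    CCC => ($ssoRoles =~ /ou=ccc,ou=roles/ ? 'granted' : 'denied'),
);
print "$_: $allowed{$_}\n" for sort keys %allowed;

# Step two, the macros exactly as written on the page: only the first
# matching DN is read, so the second AAA role ("auditor") is ignored.
my $aaaRole = ((grep { /ou=aaa/ } split(';', $ssoRoles))[0] =~ /ou=(.*),ou=aaa/)[0];
my $bbbRole = ((grep { /ou=bbb/ } split(';', $ssoRoles))[0] =~ /ou=(.*),ou=bbb/)[0];
print "aaaRole: $aaaRole\n";    # admin
print "bbbRole: $bbbRole\n";    # user

# Multi-role variant from the tip: every AAA role, joined with ' || '.
my $aaaRoles = join(' || ',
    map { /ou=(.*),ou=aaa/ } grep { /ou=aaa/ } split(';', $ssoRoles));
print "aaaRoles: $aaaRoles\n";  # admin || auditor

# Caveat: for an application where the user has no role, the single-role
# macro would be undefined (and warn); the access rule denies first, so the
# header is never built. Check the list before reading element [0].
my @ccc = grep { /ou=ccc/ } split(';', $ssoRoles);
print 'cccRole: ', (@ccc ? 'found' : 'none, rule denies access first'), "\n";
```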
</div>
</div><!-- closes <div class="dokuwiki export">-->
</body>
</html>