dani/lemonldap-ng
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
4d7a3b8a33
lemonldap-ng/doc/pages/documentation/current/rbac.html
Xavier Guimard 8af300995c Update doc
2018-03-08 13:29:31 +01:00

230 lines
8.7 KiB
HTML
Raw Blame History

<!DOCTYPE html>
<html lang="en" dir="ltr">
<head>
<meta charset="utf-8" />
<title>documentation:2.0:rbac</title>
<meta name="generator" content="DokuWiki"/>
<meta name="robots" content="index,follow"/>
<meta name="keywords" content="documentation,2.0,rbac"/>
<link rel="search" type="application/opensearchdescription+xml" href="lib/exe/opensearch.html" title="LemonLDAP::NG"/>
<link rel="start" href="rbac.html"/>
<link rel="contents" href="rbac.html" title="Sitemap"/>
<link rel="stylesheet" type="text/css" href="lib/exe/css.php.t.bootstrap3.css"/>
<!-- //if:usedebianlibs
<link rel="stylesheet" type="text/css" href="/javascript/bootstrap/css/bootstrap.min.css" />
//elsif:useexternallibs
<link rel="stylesheet" type="text/css" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/css/bootstrap.min.css"></script>
//elsif:cssminified
<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.min.css" />
//else -->
<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.css" />
<!-- //endif -->
<script type="text/javascript">/*<![CDATA[*/var NS='documentation:2.0';var JSINFO = {"id":"documentation:2.0:rbac","namespace":"documentation:2.0"};
/*!]]>*/</script>
<script type="text/javascript" charset="utf-8" src="lib/exe/js.php.t.bootstrap3.js"></script>
<!-- //if:usedebianlibs
<script type="text/javascript" src="/javascript/jquery/jquery.min.js"></script>
//elsif:useexternallibs
<script type="text/javascript" src="http://code.jquery.com/jquery-2.2.0.min.js"></script>
//elsif:jsminified
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.min.js"></script>
//else -->
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.js"></script>
<!-- //endif -->
<!-- //if:usedebianlibs
<script type="text/javascript" src="/javascript/jquery-ui/jquery-ui.min.js"></script>
//elsif:useexternallibs
<script type="text/javascript" src="http://code.jquery.com/ui/1.10.4/jquery-ui.min.js"></script>
//elsif:jsminified
<script type="text/javascript" src="/static/bwr/jquery-ui/jquery-ui.min.js"></script>
//else -->
<script type="text/javascript" src="/static/bwr/jquery-ui/jquery-ui.js"></script>
<!-- //endif -->
</head>
<body>
<div class="dokuwiki export container">
<!-- TOC START -->
<div id="dw__toc">
<h3 class="toggle">Table of Contents</h3>
<div>
<ul class="toc">
<li class="level1"><div class="li"><a href="#presentation">Presentation</a></div></li>
<li class="level1"><div class="li"><a href="#configuration">Configuration</a></div>
<ul class="toc">
<li class="level2"><div class="li"><a href="#roles_as_simple_values_of_a_user_attribute">Roles as simple values of a user attribute</a></div></li>
<li class="level2"><div class="li"><a href="#roles_as_entries_in_the_directory">Roles as entries in the directory</a></div>
<ul class="toc">
<li class="level3"><div class="li"><a href="#gather_roles_in_session">Gather roles in session</a></div></li>
<li class="level3"><div class="li"><a href="#restrict_access_to_application">Restrict access to application</a></div></li>
<li class="level3"><div class="li"><a href="#send_role_to_application">Send role to application</a></div></li>
</ul></li>
</ul></li>
</ul>
</div>
</div>
<!-- TOC END -->
<h1 class="sectionedit1" id="rbac_model">RBAC model</h1>
<div class="level1">
</div>
<!-- EDIT1 SECTION "RBAC model" [1-26] -->
<h2 class="sectionedit2" id="presentation">Presentation</h2>
<div class="level2">
<p>
<a href="http://en.wikipedia.org/wiki/Role-based_access_control" class="urlextern" title="http://en.wikipedia.org/wiki/Role-based_access_control" rel="nofollow">RBAC</a> stands for Role Based Access Control. It means that you manage authorizations to access applications by checking the role(s) of the user, and provide this role to the application.
</p>
<p>
As the definition of access rules is free in LemonLDAP::NG, you can implement an RBAC model if you need.
</p>
</div>
<!-- EDIT2 SECTION "Presentation" [27-405] -->
<h2 class="sectionedit3" id="configuration">Configuration</h2>
<div class="level2">
</div>
<!-- EDIT3 SECTION "Configuration" [406-433] -->
<h3 class="sectionedit4" id="roles_as_simple_values_of_a_user_attribute">Roles as simple values of a user attribute</h3>
<div class="level3">
<p>
Imagine you&#039;ve set your directory schema to store roles as values of an attribute of the user, for example “description”. This is simple because you can send the role to the application by creating a HTTP header (for example Auth-Role) with the concatenated values (&#039;;&#039; is the concatenation string):
</p>
<pre class="code">Auth-Roles =&gt; $description</pre>
<p>
If the user has these values inside its entry:
</p>
<pre class="file">description: user
description: admin</pre>
<p>
Then you got this value inside the Auth-Roles header:
</p>
<pre class="code">user; admin</pre>
</div>
<!-- EDIT4 SECTION "Roles as simple values of a user attribute" [434-1012] -->
<h3 class="sectionedit5" id="roles_as_entries_in_the_directory">Roles as entries in the directory</h3>
<div class="level3">
<p>
Now imagine the following DIT:
</p>
<ul>
<li class="level1"><div class="li"> dc=example,dc=com</div>
<ul>
<li class="level2"><div class="li"> ou=users</div>
<ul>
<li class="level3"><div class="li"> uid=coudot</div>
</li>
</ul>
</li>
<li class="level2"><div class="li"> ou=roles</div>
<ul>
<li class="level3"><div class="li"> ou=aaa</div>
<ul>
<li class="level4"><div class="li"> cn=admin</div>
</li>
<li class="level4"><div class="li"> cn=user</div>
</li>
</ul>
</li>
<li class="level3"><div class="li"> ou=bbb</div>
<ul>
<li class="level4"><div class="li"> cn=admin</div>
</li>
<li class="level4"><div class="li"> cn=user</div>
</li>
</ul>
</li>
</ul>
</li>
</ul>
</li>
</ul>
<p>
Roles are entries, below branches representing applications. We can use the standard LDAP objectClass <code>organizationalRole</code> to maintain roles, for example:
</p>
<pre class="code file ldif"><span class="re0">dn</span>:<span class="re1"> cn=admin,ou=aaa,ou=roles,dc=example,dc=com</span>
<span class="re0">objectClass</span>:<span class="re1"> organizationalRole</span>
<span class="re0">objectClass</span>:<span class="re1"> top</span>
<span class="re0">cn</span>:<span class="re1"> admin</span>
<span class="re0">ou</span>:<span class="re1"> aaa</span>
<span class="re0">roleOccupant</span>:<span class="re1"> uid=coudot,ou=users,dc=example,dc=com</span></pre>
<p>
A user is attached to a role if its <abbr title="Distinguished Name">DN</abbr> is in <code>roleOccupant</code> attribute. We add the attribute <code>ou</code> to allow <abbr title="LemonLDAP::NG">LL::NG</abbr> to know which application is concerned by this role.
</p>
<p>
So imagine the user coudot is “user” on application “BBB” and “admin” on application “<abbr title="Authentication Authorization Accounting">AAA</abbr>”.
</p>
</div>
<h4 id="gather_roles_in_session">Gather roles in session</h4>
<div class="level4">
<p>
Use the <a href="authldap.html#groups" class="wikilink1" title="documentation:2.0:authldap">LDAP group</a> configuration to store roles as groups in the user session:
</p>
<ul>
<li class="level1"><div class="li"> Base: ou=roles,dc=example,dc=com</div>
</li>
<li class="level1"><div class="li"> Object class: organizationalRole</div>
</li>
<li class="level1"><div class="li"> Target attribute: roleOccupant</div>
</li>
<li class="level1"><div class="li"> Searched attributes: cn ou</div>
</li>
</ul>
</div>
<h4 id="restrict_access_to_application">Restrict access to application</h4>
<div class="level4">
<p>
We configure <abbr title="LemonLDAP::NG">LL::NG</abbr> to authorize people on an application only if they have a role on it. For this, we use the <code>$hGroups</code> variable.
</p>
<ul>
<li class="level1"><div class="li"> For application <abbr title="Authentication Authorization Accounting">AAA</abbr>:</div>
</li>
</ul>
<pre class="code">default =&gt; groupMatch($hGroups, &#039;ou&#039;, &#039;aaa&#039;)</pre>
<ul>
<li class="level1"><div class="li"> For application BBB:</div>
</li>
</ul>
<pre class="code">default =&gt; groupMatch($hGroups, &#039;ou&#039;, &#039;bbb&#039;)</pre>
</div>
<h4 id="send_role_to_application">Send role to application</h4>
<div class="level4">
<p>
It is done by creating the correct HTTP header:
</p>
<ul>
<li class="level1"><div class="li"> For application <abbr title="Authentication Authorization Accounting">AAA</abbr>:</div>
</li>
</ul>
<pre class="code">Auth-Roles =&gt; ((grep{/aaa/} split(&#039;;&#039;,$groups))[0] =~ /([a-zA-Z]+?)/)[0]</pre>
<ul>
<li class="level1"><div class="li"> For application BBB:</div>
</li>
</ul>
<pre class="code">Auth-Roles =&gt; ((grep{/bbb/} split(&#039;;&#039;,$groups))[0] =~ /([a-zA-Z]+?)/)[0]</pre>
</div>
<!-- EDIT5 SECTION "Roles as entries in the directory" [1013-] --></div>
</body>
</html>
Reference in New Issue View Git Blame Copy Permalink