lemonldap-ng/po-doc/fr/pages/documentation/current/rbac.html
2017-02-07 16:35:26 +00:00


<!DOCTYPE html>
<html lang="fr" dir="ltr">
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<meta charset="utf-8" />
<title>documentation:2.0:rbac</title><!-- //if:usedebianlibs
<link rel="stylesheet" type="text/css" href="/javascript/bootstrap/css/bootstrap.min.css" />
//elsif:useexternallibs
<link rel="stylesheet" type="text/css" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/css/bootstrap.min.css" />
//elsif:cssminified
<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.min.css" />
//else --><!-- //endif -->
<meta name="generator" content="DokuWiki"/>
<meta name="robots" content="index,follow"/>
<meta name="keywords" content="documentation,2.0,rbac"/>
<link rel="search" type="application/opensearchdescription+xml" href="lib/exe/opensearch.html" title="LemonLDAP::NG"/>
<link rel="start" href="rbac.html"/>
<link rel="contents" href="rbac.html" title="Sitemap"/>
<link rel="stylesheet" type="text/css" href="lib/exe/css.php.t.bootstrap3.css"/>
<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.css" />
<script type="text/javascript">/*<![CDATA[*/var NS='documentation:2.0';var JSINFO = {"id":"documentation:2.0:rbac","namespace":"documentation:2.0"};
/*!]]>*/</script>
<script type="text/javascript" charset="utf-8" src="lib/exe/js.php.t.bootstrap3.js"></script><!-- //if:usedebianlibs
<script type="text/javascript" src="/javascript/jquery/jquery.min.js"></script>
//elsif:useexternallibs
<script type="text/javascript" src="http://code.jquery.com/jquery-2.2.0.min.js"></script>
//elsif:jsminified
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.min.js"></script>
//else -->
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.js"></script><!-- //endif --><!-- //if:usedebianlibs
<script type="text/javascript" src="/javascript/jquery-ui/jquery-ui.min.js"></script>
//elsif:useexternallibs
<script type="text/javascript" src="http://code.jquery.com/ui/1.10.4/jquery-ui.min.js"></script>
//elsif:jsminified
<script type="text/javascript" src="/lib/scripts/jquery-ui.min.js"></script>
//else -->
<script type="text/javascript" src="/lib/scripts/jquery-ui.js"></script><!-- //endif -->
</head>
<body>
<div class="dokuwiki export container"><!-- TOC START -->
<div id="dw__toc">
<h3 class="toggle">Table of Contents</h3>
<div>
<ul class="toc">
<li class="level1"><div class="li"><a href="#presentation">Presentation</a></div></li>
<li class="level1"><div class="li"><a href="#configuration">Configuration</a></div>
<ul class="toc">
<li class="level2"><div class="li"><a href="#roles_as_simple_values_of_a_user_attribute">Roles as simple values of a user attribute</a></div></li>
<li class="level2"><div class="li"><a href="#roles_as_entries_in_the_directory">Roles as entries in the directory</a></div>
<ul class="toc">
<li class="level3"><div class="li"><a href="#gather_roles_in_session">Gather roles in session</a></div></li>
<li class="level3"><div class="li"><a href="#restrict_access_to_application">Restrict access to application</a></div></li>
<li class="level3"><div class="li"><a href="#send_role_to_application">Send role to application</a></div></li>
</ul></li>
</ul></li>
</ul>
</div>
</div><!-- TOC END -->
<h1 class="sectionedit1" id="rbac_model">RBAC model</h1>
<div class="level1">
</div><!-- EDIT1 SECTION "RBAC model" [1-26] -->
<h2 class="sectionedit2" id="presentation">Presentation</h2>
<div class="level2">
<p>
<a href="http://en.wikipedia.org/wiki/Role-based_access_control" class="urlextern" title="http://en.wikipedia.org/wiki/Role-based_access_control" rel="nofollow">RBAC</a> stands for Role Based Access Control. It means that access to an application is decided by looking at the role(s) held by the user, and that those role(s) are passed on to the application so it can apply its own authorization.
</p>
<p>
Access rules and exported headers in LemonLDAP::NG are free-form Perl expressions evaluated against the user's session variables, so an RBAC model can be built on top of them without any dedicated module. The two configurations below differ only in where the roles are stored in the directory.
</p>
</div><!-- EDIT2 SECTION "Presentation" [27-405] -->
<h2 class="sectionedit3" id="configuration">Configuration</h2>
<div class="level2">
</div><!-- EDIT3 SECTION "Configuration" [406-433] -->
<h3 class="sectionedit4" id="roles_as_simple_values_of_a_user_attribute">Roles as simple values of a user attribute</h3>
<div class="level3">
<p>
Suppose your directory schema stores roles as values of a multi-valued attribute of the user entry, for example <code>description</code>. This is the simplest case: once the attribute is declared in the exported variables, the roles are available in the session as <code>$description</code> and can be sent to the application by exporting an HTTP header (here <code>Auth-Roles</code>) whose value is that variable. Multiple values are joined with the multi-value separator (<code>multiValuesSeparator</code>, ';' by default):
</p>
<pre class="code">Auth-Roles =&gt; $description</pre>
<p>
If the user's entry holds these values:
</p>
<pre class="file">description: user
description: admin</pre>
<p>
the <code>Auth-Roles</code> header received by the application contains:
</p>
<pre class="code">user; admin</pre>
<p>
Because the session variable is a single joined string, an access rule that tests it should compare whole values rather than match a substring; otherwise a user whose only role is, say, superadmin would satisfy a test for admin.
</p>
</div><!-- EDIT4 SECTION "Roles as simple values of a user attribute" [434-1012] -->
<h3 class="sectionedit5" id="roles_as_entries_in_the_directory">Roles as entries in the directory</h3>
<div class="level3">
<p>
Assume the following directory layout:
</p>
<ul>
<li class="level1"><div class="li"> dc=example,dc=com</div>
<ul>
<li class="level2"><div class="li"> ou=users</div>
<ul>
<li class="level3"><div class="li"> uid=coudot</div>
</li>
</ul>
</li>
<li class="level2"><div class="li"> ou=roles</div>
<ul>
<li class="level3"><div class="li"> ou=aaa</div>
<ul>
<li class="level4"><div class="li"> cn=admin</div>
</li>
<li class="level4"><div class="li"> cn=user</div>
</li>
</ul>
</li>
<li class="level3"><div class="li"> ou=bbb</div>
<ul>
<li class="level4"><div class="li"> cn=admin</div>
</li>
<li class="level4"><div class="li"> cn=user</div>
</li>
</ul>
</li>
</ul>
</li>
</ul>
</li>
</ul>
<p>
Roles are entries, and the branch each one sits in names the application it applies to. The standard LDAP objectClass <code>organizationalRole</code> can hold them without any schema extension, for example:
</p>
<pre class="code file ldif"><span class="re0">dn</span>:<span class="re1"> cn=admin,ou=aaa,ou=roles,dc=example,dc=com</span>
<span class="re0">objectClass</span>:<span class="re1"> organizationalRole</span>
<span class="re0">objectClass</span>:<span class="re1"> top</span>
<span class="re0">cn</span>:<span class="re1"> admin</span>
<span class="re0">ou</span>:<span class="re1"> aaa</span>
<span class="re0">roleOccupant</span>:<span class="re1"> uid=coudot,ou=users,dc=example,dc=com</span></pre>
<p>
A user holds a role if their <abbr title="Distinguished Name">DN</abbr> is listed in the role's <code>roleOccupant</code> attribute. The optional <code>ou</code> attribute of <code>organizationalRole</code> is set to the application name so that <abbr title="LemonLDAP::NG">LL::NG</abbr> can tell which application a role belongs to without parsing the DN.
</p>
<p>
In what follows, the user coudot is “user” on application “BBB” and “admin” on application “AAA”: the entry above is the AAA role, and the BBB role entry (cn=user,ou=bbb) lists the same DN as <code>roleOccupant</code>.
</p>
</div>
<h4 id="gather_roles_in_session">Gather roles in session</h4>
<div class="level4">
<p>
Use the <a href="authldap.html#groups" class="wikilink1" title="documentation:2.0:authldap">LDAP group</a> configuration to collect the roles as groups in the user's session. Searching on <code>roleOccupant</code> rather than <code>member</code> is what makes the role entries behave as groups:
</p>
<ul>
<li class="level1"><div class="li"> Base: ou=roles,dc=example,dc=com</div>
</li>
<li class="level1"><div class="li"> Object class: organizationalRole</div>
</li>
<li class="level1"><div class="li"> Target attribute: roleOccupant</div>
</li>
<li class="level1"><div class="li"> Searched attributes: cn ou</div>
</li>
</ul>
</div>
<h4 id="restrict_access_to_application">Restrict access to application</h4>
<div class="level4">
<p>
<abbr title="LemonLDAP::NG">LL::NG</abbr> is configured to grant access to an application only to users who hold a role on it. The <code>$hGroups</code> session variable is a hash of the groups collected above, each carrying its searched attributes (<code>cn</code> and <code>ou</code>), and <code>groupMatch</code> returns true if any group has a value of the given attribute matching the given pattern. The pattern is a regular expression, so anchor it: an unanchored 'aaa' would also accept a role on an application named, say, 'aaab'.
</p>
<ul>
<li class="level1"><div class="li"> For application AAA:</div>
</li>
</ul>
<pre class="code">default =&gt; groupMatch($hGroups, 'ou', '^aaa$')</pre>
<ul>
<li class="level1"><div class="li"> For application BBB:</div>
</li>
</ul>
<pre class="code">default =&gt; groupMatch($hGroups, 'ou', '^bbb$')</pre>
</div>
<h4 id="send_role_to_application">Send role to application</h4>
<div class="level4">
<p>
Each virtual host exports an HTTP header carrying only the roles that apply to its application. With the default group attribute name (dn), every key of <code>$hGroups</code> is a role DN, so the application is selected on the <code>ou</code> component of that DN and the role name is its <code>cn</code> component; several roles on the same application are joined with ';' as in the first model:
</p>
<ul>
<li class="level1"><div class="li"> For application AAA:</div>
</li>
</ul>
<pre class="code">Auth-Roles =&gt; join(';', map { /^cn=([^,]+)/ ? $1 : () } grep { /,ou=aaa,/ } keys %$hGroups)</pre>
<ul>
<li class="level1"><div class="li"> For application BBB:</div>
</li>
</ul>
<pre class="code">Auth-Roles =&gt; join(';', map { /^cn=([^,]+)/ ? $1 : () } grep { /,ou=bbb,/ } keys %$hGroups)</pre>
</div><!-- EDIT5 SECTION "Roles as entries in the directory" [1013-] -->
</div>
</body>
</html>