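<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
  "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<!-- Lemonldap::NG documentation page (Tidy-generated XHTML 1.0 Strict).
     The page text is English, so the root element declares lang="en";
     the generated output carried lang="fr", which mislabels the page for
     screen readers, search engines and translation tools. -->
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
  <meta name="generator" content="HTML Tidy for Linux/x86 (vers 7 December 2008), see www.w3.org" />
  <title>Lemonldap::NG documentation: 4.2-Configure-LDAP-schema.html</title>
  <!-- us-ascii is what the generator emitted; the page text uses only
       7-bit characters, so it agrees with the utf-8 XML declaration. -->
  <meta http-equiv="Content-Type" content="text/html; charset=us-ascii" />
  <style type="text/css">
  /*<![CDATA[*/
  /* Page frame: grey page, white bordered content box. */
  body {
    background: #ddd;
    font-family: sans-serif;
    font-size: 11pt;
    padding: 0 50px;
  }
  div.main-content {
    padding: 10px;
    background: #fff;
    border: 2px #ccc solid;
  }
  a {
    text-decoration: none;
  }
  p.footer {
    text-align: center;
    margin: 5px 0 0 0;
  }
  /* Heading classes used by the generated pages: heading-1 is the page
     title (an h2 here), heading-1-1 a section heading. */
  .heading-1 {
    text-align: center;
    color: orange;
    font-variant: small-caps;
    font-size: 20pt;
  }
  .heading-1-1 {
    color: orange;
    font-size: 14pt;
    border-bottom: 2px #ccc solid;
  }
  /* Code listings (the OpenLDAP schema file on this page). */
  pre {
    background: #eee;
    border: 2px #ccc solid;
    padding: 5px;
    border-left: 10px #ccc solid;
  }
  ul.star li {
    list-style-type: square;
  }
  /*]]>*/
  </style>
</head>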
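<body>
<div class="main-content">
  <h2 class="heading-1"><span id="HLDAPSchemaforadvancedaccessrules">LDAP
  Schema for advanced access rules</span></h2>

  <!-- Table of contents; each anchor targets the span id on the matching
       heading below. -->
  <ul>
    <li><a href="#HTopic">Topic</a></li>
    <li>
      <a href="#HLDAPSchema">LDAP Schema</a>
      <ul>
        <li><a href="#HOIDprefix">OID prefix</a></li>
        <li><a href="#HOpenLDAPschema">OpenLDAP schema</a></li>
      </ul>
    </li>
    <li><a href="#HHowtouseitinLemonLDAP3A3ANG">How to use it in
    LemonLDAP::NG</a></li>
  </ul>

  <h3 class="heading-1-1"><span id="HTopic">Topic</span></h3>

  <!-- The generator had emitted each paragraph as an empty <p></p>
       followed by bare text; the text now sits inside its paragraph. -->
  <p class="paragraph">LemonLDAP::NG is a powerful WebSSO engine that
  manages access through user attributes stored in an LDAP directory.</p>

  <p class="paragraph">We can use standard attributes like uid, cn or
  mail to describe access rules to protected web applications.</p>

  <p class="paragraph">But sometimes we need more information! For
  example:</p>

  <ul class="star">
    <li>An application name (to allow access by applications and not by
    group of users)</li>
    <li>A start date and an end date (to open or close the service even if the
    entry already exists)</li>
    <li>Logon hours (allowed hours and day of the week)</li>
    <li>One or more roles (to send to the protected applications)</li>
  </ul>

  <h3 class="heading-1-1"><span id="HLDAPSchema">LDAP Schema</span></h3>

  <h4 class="heading-1-1-1"><span id="HOIDprefix">OID prefix</span></h4>

  <p class="paragraph">We plan to use this prefix:
  1.3.6.1.4.1.10943.10.2.</p>

  <p class="paragraph">The prefix 1.3.6.1.4.1.10943 is owned by LINAGORA
  (See <span class="wikiexternallink"><a href=
  "http://www.iana.org/assignments/enterprise-numbers">http://www.iana.org/assignments/enterprise-numbers</a></span>).</p>

  <h4 class="heading-1-1-1"><span id="HOpenLDAPschema">OpenLDAP
  schema</span></h4>

  <p class="paragraph">Just add this file to OpenLDAP schemas:</p>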
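<div class="code">
<!-- OpenLDAP schema file, reproduced as plain text so it can be copied
     into the server's schema directory.

     Two fixes against the generated listing:
     - The attribute type was declared NAME 'ssoLogonsHours' while the
       objectClass MAY list (and the Manager mapping further down the
       page) use 'ssoLogonHours'. slapd refuses to load an objectClass
       that references an undefined attribute type, so the NAME now
       matches the MAY list.
     - Continuation lines of each attributetype/objectClass are indented:
       in slapd.conf-style schema files a line starting with whitespace
       continues the previous directive, and an unindented NAME/DESC/...
       line is parsed as a new (unknown) directive.

     Note for rule authors: ssoStartDate and ssoEndDate use the same
     DirectoryString syntax (1.3.6.1.4.1.1466.115.121.1.15) and
     caseIgnoreMatch as ssoName, so the directory stores and compares them
     as free text. Any access rule that compares them with the current
     date must agree with the provisioning side on one date format, or
     the time window will not be enforced as intended. -->
<pre>
#=======================================
# Schema for advanced SSO access rules
#
# Designed for OpenLDAP software
# <a href="http://www.openldap.org">http://www.openldap.org</a>
#
# Part of LemonLDAP::NG project
# <a href="http://lemonldap.ow2.org">http://lemonldap.ow2.org</a>
#
# Author: Clement OUDOT
#=======================================

#=======================================
# OID Prefix
# Registered in IANA database
#=======================================
objectIdentifier SSOOID 1.3.6.1.4.1.10943.10.2

#=======================================
# Attributes
#=======================================

# Application Name
attributetype ( SSOOID:1:1
  NAME 'ssoName'
  DESC 'An application name'
  EQUALITY caseIgnoreMatch
  SUBSTR caseIgnoreSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

# Roles
attributetype ( SSOOID:1:2
  NAME 'ssoRoles'
  DESC 'One or more roles'
  EQUALITY caseIgnoreMatch
  SUBSTR caseIgnoreSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

# Time profile
attributetype ( SSOOID:1:3
  NAME 'ssoLogonHours'
  DESC 'Logons hours'
  EQUALITY caseIgnoreMatch
  SUBSTR caseIgnoreSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

# Start date
attributetype ( SSOOID:1:4
  NAME 'ssoStartDate'
  DESC 'Start date'
  EQUALITY caseIgnoreMatch
  SUBSTR caseIgnoreSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

# End date
attributetype ( SSOOID:1:5
  NAME 'ssoEndDate'
  DESC 'End date'
  EQUALITY caseIgnoreMatch
  SUBSTR caseIgnoreSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

#=======================================
# ObjectClasses
#=======================================

# SSO user
objectClass ( SSOOID:2:1
  NAME 'ssoUser'
  DESC 'SSO extended informations for a user'
  SUP top
  AUXILIARY
  MAY ( ssoName $ ssoRoles $ ssoLogonHours $
        ssoStartDate $ ssoEndDate ) )
</pre>
</div>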
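<h3 class="heading-1-1"><span id="HHowtouseitinLemonLDAP3A3ANG">How to use
it in LemonLDAP::NG</span></h3>

<p class="paragraph">In LemonLDAP::NG Manager, go to General
Parameters &gt; Exported Variables and add new variables:</p>

<!-- Each entry reads "exported variable name => LDAP attribute it is
     read from"; the variable names are kept identical to the attribute
     names. -->
<ul class="star">
  <li>ssoName =&gt; $ssoName</li>
  <li>ssoRoles =&gt; $ssoRoles</li>
  <li>ssoLogonHours =&gt; $ssoLogonHours</li>
  <li>ssoStartDate =&gt; $ssoStartDate</li>
  <li>ssoEndDate =&gt; $ssoEndDate</li>
</ul>

<!-- The closing sentence had been left as bare text after the list. -->
<p class="paragraph">Save and reload Apache and Handler to get the
configuration updated.</p>
</div>

<p class="footer"><a href="index.html">Index</a></p>
</body>
</html>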