File: rbac.html

Package: lemonldap-ng 1.9.7-3+deb9u2 (Debian stretch, main)
<!DOCTYPE html>
<html lang="en" dir="ltr">
<head>
  <meta charset="utf-8" />
  <title>documentation:1.9:rbac</title>
<meta name="generator" content="DokuWiki"/>
<meta name="robots" content="index,follow"/>
<meta name="keywords" content="documentation,1.9,rbac"/>
<link rel="search" type="application/opensearchdescription+xml" href="lib/exe/opensearch.html" title="LemonLDAP::NG"/>
<link rel="start" href="rbac.html"/>
<link rel="contents" href="rbac.html" title="Sitemap"/>
<link rel="stylesheet" type="text/css" href="lib/exe/css.php.t.bootstrap3.css"/>
<!-- //if:usedebianlibs
  <link rel="stylesheet" type="text/css" href="/javascript/bootstrap/css/bootstrap.min.css" />
//elsif:useexternallibs
  <link rel="stylesheet" type="text/css" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/css/bootstrap.min.css" />
//elsif:cssminified
  <link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.min.css" />
//else -->
  <link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.css" />
<!-- //endif -->
<script type="text/javascript">/*<![CDATA[*/var NS='documentation:1.9';var JSINFO = {"id":"documentation:1.9:rbac","namespace":"documentation:1.9"};
/*!]]>*/</script>
<script type="text/javascript" charset="utf-8" src="lib/exe/js.php.t.bootstrap3.js"></script>
<!-- //if:usedebianlibs
<script type="text/javascript" src="/javascript/jquery/jquery.min.js"></script>
//elsif:useexternallibs
<script type="text/javascript" src="http://code.jquery.com/jquery-2.2.0.min.js"></script>
//elsif:jsminified
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.min.js"></script>
//else -->
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.js"></script>
<!-- //endif -->
<!-- //if:usedebianlibs
  <script type="text/javascript" src="/javascript/jquery-ui/jquery-ui.min.js"></script>
//elsif:useexternallibs
  <script type="text/javascript" src="http://code.jquery.com/ui/1.10.4/jquery-ui.min.js"></script>
//elsif:jsminified
  <script type="text/javascript" src="/lib/scripts/jquery-ui.min.js"></script>
//else -->
  <script type="text/javascript" src="/lib/scripts/jquery-ui.js"></script>
<!-- //endif -->
</head>
<body>
<div class="dokuwiki export container">
<!-- TOC START -->
<div id="dw__toc">
<h3 class="toggle">Table of Contents</h3>
<div>

<ul class="toc">
<li class="level1"><div class="li"><a href="#presentation">Presentation</a></div></li>
<li class="level1"><div class="li"><a href="#configuration">Configuration</a></div>
<ul class="toc">
<li class="level2"><div class="li"><a href="#roles_as_simple_values_of_a_user_attribute">Roles as simple values of a user attribute</a></div></li>
<li class="level2"><div class="li"><a href="#roles_as_entries_in_the_directory">Roles as entries in the directory</a></div>
<ul class="toc">
<li class="level3"><div class="li"><a href="#gather_roles_in_session">Gather roles in session</a></div></li>
<li class="level3"><div class="li"><a href="#restrict_access_to_application">Restrict access to application</a></div></li>
<li class="level3"><div class="li"><a href="#send_role_to_application">Send role to application</a></div></li>
</ul></li>
</ul></li>
</ul>
</div>
</div>
<!-- TOC END -->

<h1 class="sectionedit1" id="rbac_model">RBAC model</h1>
<div class="level1">

</div>
<!-- EDIT1 SECTION "RBAC model" [1-26] -->
<h2 class="sectionedit2" id="presentation">Presentation</h2>
<div class="level2">

<p>
<a href="http://en.wikipedia.org/wiki/Role-based_access_control" class="urlextern" title="http://en.wikipedia.org/wiki/Role-based_access_control"  rel="nofollow">RBAC</a> stands for Role Based Access Control. It means that you manage authorization to access applications by checking the role(s) of the user, and then provide these roles to the application.
</p>

<p>
Since access rules in LemonLDAP::NG are free-form expressions, you can implement an RBAC model if you need one.
</p>

</div>
<!-- EDIT2 SECTION "Presentation" [27-405] -->
<h2 class="sectionedit3" id="configuration">Configuration</h2>
<div class="level2">

</div>
<!-- EDIT3 SECTION "Configuration" [406-433] -->
<h3 class="sectionedit4" id="roles_as_simple_values_of_a_user_attribute">Roles as simple values of a user attribute</h3>
<div class="level3">

<p>
Imagine your directory schema stores roles as values of a user attribute, for example “description”. This case is simple: you send the roles to the application by creating an HTTP header (for example Auth-Roles) with the concatenated values (&#039;;&#039; is the concatenation string):
</p>
<pre class="code">Auth-Roles =&gt; $description</pre>

<p>
If the user&#039;s entry contains these values:
</p>
<pre class="file">description: user
description: admin</pre>

<p>
then the Auth-Roles header contains this value:
</p>
<pre class="code">user; admin</pre>

</div>
<!-- EDIT4 SECTION "Roles as simple values of a user attribute" [434-1012] -->
<h3 class="sectionedit5" id="roles_as_entries_in_the_directory">Roles as entries in the directory</h3>
<div class="level3">

<p>
Now imagine the following DIT:
</p>
<ul>
<li class="level1"><div class="li"> dc=example,dc=com</div>
<ul>
<li class="level2"><div class="li"> ou=users</div>
<ul>
<li class="level3"><div class="li"> uid=coudot</div>
</li>
</ul>
</li>
<li class="level2"><div class="li"> ou=roles</div>
<ul>
<li class="level3"><div class="li"> ou=aaa</div>
<ul>
<li class="level4"><div class="li"> cn=admin</div>
</li>
<li class="level4"><div class="li"> cn=user</div>
</li>
</ul>
</li>
<li class="level3"><div class="li"> ou=bbb</div>
<ul>
<li class="level4"><div class="li"> cn=admin</div>
</li>
<li class="level4"><div class="li"> cn=user</div>
</li>
</ul>
</li>
</ul>
</li>
</ul>
</li>
</ul>

<p>
Roles are entries stored under branches that represent applications. We can use the standard LDAP objectClass <code>organizationalRole</code> to maintain roles, for example:
</p>
<pre class="code file ldif"><span class="re0">dn</span>:<span class="re1"> cn=admin,ou=aaa,ou=roles,dc=example,dc=com</span>
<span class="re0">objectClass</span>:<span class="re1"> organizationalRole</span>
<span class="re0">objectClass</span>:<span class="re1"> top</span>
<span class="re0">cn</span>:<span class="re1"> admin</span>
<span class="re0">ou</span>:<span class="re1"> aaa</span>
<span class="re0">roleOccupant</span>:<span class="re1"> uid=coudot,ou=users,dc=example,dc=com</span></pre>

<p>
A user is attached to a role if their <abbr title="Distinguished Name">DN</abbr> appears in the <code>roleOccupant</code> attribute. The <code>ou</code> attribute is added so that <abbr title="LemonLDAP::NG">LL::NG</abbr> can tell which application the role belongs to.
</p>

<p>
So imagine that the user coudot is “user” on application “BBB” and “admin” on application “AAA”.
</p>

</div>

<h4 id="gather_roles_in_session">Gather roles in session</h4>
<div class="level4">

<p>
Use the <a href="authldap.html#groups" class="wikilink1" title="documentation:1.9:authldap">LDAP group</a> configuration to store roles as groups in the user session:
</p>
<ul>
<li class="level1"><div class="li"> Base: ou=roles,dc=example,dc=com</div>
</li>
<li class="level1"><div class="li"> Object class: organizationalRole</div>
</li>
<li class="level1"><div class="li"> Target attribute: roleOccupant</div>
</li>
<li class="level1"><div class="li"> Searched attributes: cn ou</div>
</li>
</ul>

</div>

<h4 id="restrict_access_to_application">Restrict access to application</h4>
<div class="level4">

<p>
We configure <abbr title="LemonLDAP::NG">LL::NG</abbr> to authorize people on an application only if they have a role on it. For this, we use the <code>$hGroups</code> variable.
</p>
<ul>
<li class="level1"><div class="li"> For application AAA:</div>
</li>
</ul>
<pre class="code">default =&gt; groupMatch($hGroups, &#039;ou&#039;, &#039;aaa&#039;)</pre>
<ul>
<li class="level1"><div class="li"> For application BBB:</div>
</li>
</ul>
<pre class="code">default =&gt; groupMatch($hGroups, &#039;ou&#039;, &#039;bbb&#039;)</pre>

</div>

<h4 id="send_role_to_application">Send role to application</h4>
<div class="level4">

<p>
This is done by creating the appropriate HTTP header:
</p>
<ul>
<li class="level1"><div class="li"> For application AAA:</div>
</li>
</ul>
<pre class="code">Auth-Roles =&gt; ((grep{/aaa/} split(&#039;;&#039;,$groups))[0] =~ /([a-zA-Z]+)/)[0]</pre>
<ul>
<li class="level1"><div class="li"> For application BBB:</div>
</li>
</ul>
<pre class="code">Auth-Roles =&gt; ((grep{/bbb/} split(&#039;;&#039;,$groups))[0] =~ /([a-zA-Z]+)/)[0]</pre>
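<p>
To make the access rule and the header rule concrete, here is an added stand-alone Perl script (not part of LemonLDAP::NG or its documentation) that evaluates both against a constructed session. It assumes that <code>$groups</code> holds each role as <code>cn|ou</code> joined with the multi-value separator, and it replaces LL::NG&#039;s <code>groupMatch()</code> with a simplified stand-in of the same shape.
</p>

```perl
#!/usr/bin/perl
# Added example (not LemonLDAP::NG code): evaluates the RBAC rules from the
# documentation against a constructed session, outside of LL::NG.
use strict;
use warnings;

# Constructed session data. $groups is assumed to hold "cn|ou" per role,
# joined with "; " (the multi-value separator); $hGroups maps each role name
# to its searched attributes (cn ou), as the LDAP group configuration builds it.
my $groups  = 'admin|aaa; user|bbb';
my $hGroups = {
    admin => { cn => ['admin'], ou => ['aaa'] },
    user  => { cn => ['user'],  ou => ['bbb'] },
};

# Simplified stand-in for LL::NG's groupMatch($hGroups, $attr, $value):
# true if any group in the hash carries $attr with exactly $value.
sub groupMatch {
    my ( $h, $attr, $value ) = @_;
    for my $g ( values %$h ) {
        return 1 if grep { $_ eq $value } @{ $g->{$attr} || [] };
    }
    return 0;
}

# Access rule for one application: the user needs a role under ou=<app>.
sub access_allowed {
    my ($app) = @_;
    return groupMatch( $hGroups, 'ou', $app );
}

# Auth-Roles header rule: take the first role entry that mentions the
# application, then keep its leading role name. The greedy "+" matters:
# a non-greedy "[a-zA-Z]+?" at the end of the pattern captures one letter.
sub role_header {
    my ($app) = @_;
    my ($entry) = grep { /$app/ } split( ';', $groups );
    return undef unless defined $entry;
    return ( $entry =~ /([a-zA-Z]+)/ )[0];
}

# "ccc" has no role entry: access is denied and no header value is produced.
for my $app ( 'aaa', 'bbb', 'ccc' ) {
    printf "%s: access=%d role=%s\n", $app, access_allowed($app),
        role_header($app) // '(none)';
}
```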

</div>
<!-- EDIT5 SECTION "Roles as entries in the directory" [1013-] --></div>
</body>
</html>