lemonldap-ng/doc/pages/documentation/1.9/rbac.html


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
 "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"
 lang="en" dir="ltr">

<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title></title>
<!-- metadata -->
<meta name="generator" content="Offline" />
<meta name="version" content="Offline 0.1" />
<!-- style sheet links -->
<link rel="stylesheet" media="all" type="text/css" href="../../../css/all.css" />
<link rel="stylesheet" media="screen" type="text/css" href="../../../css/screen.css" />
<link rel="stylesheet" media="print" type="text/css" href="../../../css/print.css" />

</head>
<body>
<div class="dokuwiki export">


<h1 class="sectionedit1" id="rbac_model">RBAC model</h1>
<div class="level1">

</div>
<!-- EDIT1 SECTION "RBAC model" [1-26] -->
<h2 class="sectionedit2" id="presentation">Presentation</h2>
<div class="level2">

<p>
<a href="http://en.wikipedia.org/wiki/Role-based_access_control" class="urlextern" title="http://en.wikipedia.org/wiki/Role-based_access_control"  rel="nofollow">RBAC</a> stands for Role Based Access Control. It means that you manage authorizations to access applications by checking the role(s) of the user, and provide this role to the application.
</p>

<p>
As the definition of access rules is free in LemonLDAP::NG, you can implement an RBAC model if you need.
</p>

</div>
<!-- EDIT2 SECTION "Presentation" [27-405] -->
<h2 class="sectionedit3" id="configuration">Configuration</h2>
<div class="level2">

</div>
<!-- EDIT3 SECTION "Configuration" [406-433] -->
<h3 class="sectionedit4" id="roles_as_simple_values_of_a_user_attribute">Roles as simple values of a user attribute</h3>
<div class="level3">

<p>
Imagine you&#039;ve set your directory schema to store roles as values of an attribute of the user, for example “description”. This is simple because you can send the role to the application by creating a HTTP header (for example Auth-Role) with the concatenated values (&#039;;&#039; is the concatenation string):
</p>
<pre class="code">Auth-Roles =&gt; $description</pre>

<p>
If the user has these values inside its entry:
</p>
<pre class="file">description: user
description: admin</pre>

<p>
Then you got this value inside the Auth-Roles header:
</p>
<pre class="code">user; admin</pre>

</div>
<!-- EDIT4 SECTION "Roles as simple values of a user attribute" [434-1012] -->
<h3 class="sectionedit5" id="roles_as_entries_in_the_directory">Roles as entries in the directory</h3>
<div class="level3">

<p>
Now imagine the following DIT:
</p>
<ul>
<li class="level1"><div class="li"> dc=example,dc=com</div>
<ul>
<li class="level2"><div class="li"> ou=users</div>
<ul>
<li class="level3"><div class="li"> uid=coudot</div>
</li>
</ul>
</li>
<li class="level2"><div class="li"> ou=roles</div>
<ul>
<li class="level3"><div class="li"> ou=aaa</div>
<ul>
<li class="level4"><div class="li"> cn=admin</div>
</li>
<li class="level4"><div class="li"> cn=user</div>
</li>
</ul>
</li>
<li class="level3"><div class="li"> ou=bbb</div>
<ul>
<li class="level4"><div class="li"> cn=admin</div>
</li>
<li class="level4"><div class="li"> cn=user</div>
</li>
</ul>
</li>
</ul>
</li>
</ul>
</li>
</ul>

<p>
Roles are entries, below branches representing applications. We can use the standard LDAP objectClass <code>organizationalRole</code> to maintain roles, for example:
</p>
<pre class="code file ldif"><span class="re0">dn</span>:<span class="re1"> cn=admin,ou=aaa,ou=roles,dc=example,dc=com</span>
<span class="re0">objectClass</span>:<span class="re1"> organizationalRole</span>
<span class="re0">objectClass</span>:<span class="re1"> top</span>
<span class="re0">cn</span>:<span class="re1"> admin</span>
<span class="re0">ou</span>:<span class="re1"> aaa</span>
<span class="re0">roleOccupant</span>:<span class="re1"> uid=coudot,ou=users,dc=example,dc=com</span></pre>

<p>
A user is attached to a role if its <abbr title="Distinguished Name">DN</abbr> is in <code>roleOccupant</code> attribute. We add the attribute <code>ou</code> to allow <abbr title="LemonLDAP::NG">LL::NG</abbr> to know which application is concerned by this role.
</p>

<p>
So imagine the user coudot is “user” on application “BBB” and “admin” on application “<abbr title="Authentication Authorization Accounting">AAA</abbr>”.
</p>

</div>

<h4 id="gather_roles_in_session">Gather roles in session</h4>
<div class="level4">

<p>
Use the <a href="../../documentation/1.9/authldap.html#groups" class="wikilink1" title="documentation:1.9:authldap">LDAP group</a> configuration to store roles as groups in the user session:
</p>
<ul>
<li class="level1"><div class="li"> Base: ou=roles,dc=example,dc=com</div>
</li>
<li class="level1"><div class="li"> Object class: organizationalRole</div>
</li>
<li class="level1"><div class="li"> Target attribute: roleOccupant</div>
</li>
<li class="level1"><div class="li"> Searched attributes: cn ou</div>
</li>
</ul>

</div>

<h4 id="restrict_access_to_application">Restrict access to application</h4>
<div class="level4">

<p>
We configure <abbr title="LemonLDAP::NG">LL::NG</abbr> to authorize people on an application only if they have a role on it. For this, we use the <code>$hGroups</code> variable.
</p>
<ul>
<li class="level1"><div class="li"> For application <abbr title="Authentication Authorization Accounting">AAA</abbr>:</div>
</li>
</ul>
<pre class="code">default =&gt; groupMatch($hGroups, &#039;ou&#039;, &#039;aaa&#039;)</pre>
<ul>
<li class="level1"><div class="li"> For application BBB:</div>
</li>
</ul>
<pre class="code">default =&gt; groupMatch($hGroups, &#039;ou&#039;, &#039;bbb&#039;)</pre>

</div>

<h4 id="send_role_to_application">Send role to application</h4>
<div class="level4">

<p>
It is done by creating the correct HTTP header:
</p>
<ul>
<li class="level1"><div class="li"> For application <abbr title="Authentication Authorization Accounting">AAA</abbr>:</div>
</li>
</ul>
<pre class="code">Auth-Roles =&gt; ((grep{/aaa/} split(&#039;;&#039;,$groups))[0] =~ /([a-zA-Z]+?)/)[0]</pre>
<ul>
<li class="level1"><div class="li"> For application BBB:</div>
</li>
</ul>
<pre class="code">Auth-Roles =&gt; ((grep{/bbb/} split(&#039;;&#039;,$groups))[0] =~ /([a-zA-Z]+?)/)[0]</pre>

</div>
</div><!-- closes <div class="dokuwiki export">-->
Update doc.pl script to use the current documentation version (#442) 14 years ago
			`<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"`
			`"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">`
			`<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"`
			`lang="en" dir="ltr">`

			`<head>`
			`<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />`
			`<title></title>`
			`<!-- metadata -->`
			`<meta name="generator" content="Offline" />`
			`<meta name="version" content="Offline 0.1" />`
			`<!-- style sheet links -->`
			`<link rel="stylesheet" media="all" type="text/css" href="../../../css/all.css" />`
			`<link rel="stylesheet" media="screen" type="text/css" href="../../../css/screen.css" />`
			`<link rel="stylesheet" media="print" type="text/css" href="../../../css/print.css" />`

			`</head>`
			`<body>`
			`<div class="dokuwiki export">`


Update documentation (new dokuwiki version) 11 years ago			`<h1 class="sectionedit1" id="rbac_model">RBAC model</h1>`
Update doc.pl script to use the current documentation version (#442) 14 years ago			`<div class="level1">`

			`</div>`
Update documentation (new dokuwiki version) 11 years ago			`<!-- EDIT1 SECTION "RBAC model" [1-26] -->`
			`<h2 class="sectionedit2" id="presentation">Presentation</h2>`
Update doc.pl script to use the current documentation version (#442) 14 years ago			`<div class="level2">`

			`<p>`
			`<a href="http://en.wikipedia.org/wiki/Role-based_access_control" class="urlextern" title="http://en.wikipedia.org/wiki/Role-based_access_control" rel="nofollow">RBAC</a> stands for Role Based Access Control. It means that you manage authorizations to access applications by checking the role(s) of the user, and provide this role to the application.`
			`</p>`

			`<p>`
Update documentation (#909) 10 years ago			`As the definition of access rules is free in LemonLDAP::NG, you can implement an RBAC model if you need.`
Update doc.pl script to use the current documentation version (#442) 14 years ago			`</p>`

			`</div>`
Update documentation (#909) 10 years ago			`<!-- EDIT2 SECTION "Presentation" [27-405] -->`
Update documentation (new dokuwiki version) 11 years ago			`<h2 class="sectionedit3" id="configuration">Configuration</h2>`
Update doc.pl script to use the current documentation version (#442) 14 years ago			`<div class="level2">`

			`</div>`
Update documentation (#909) 10 years ago			`<!-- EDIT3 SECTION "Configuration" [406-433] -->`
Update documentation (new dokuwiki version) 11 years ago			`<h3 class="sectionedit4" id="roles_as_simple_values_of_a_user_attribute">Roles as simple values of a user attribute</h3>`
Update doc.pl script to use the current documentation version (#442) 14 years ago			`<div class="level3">`

			`<p>`
Update documentation (#909) 10 years ago			`Imagine you've set your directory schema to store roles as values of an attribute of the user, for example “description”. This is simple because you can send the role to the application by creating a HTTP header (for example Auth-Role) with the concatenated values (';' is the concatenation string):`
Update doc.pl script to use the current documentation version (#442) 14 years ago			`</p>`
Update documentation (#909) 10 years ago			`<pre class="code">Auth-Roles => $description</pre>`
Update doc.pl script to use the current documentation version (#442) 14 years ago
			`<p>`
			`If the user has these values inside its entry:`
			`</p>`
Update documentation (#909) 10 years ago			`<pre class="file">description: user`
			`description: admin</pre>`
Update doc.pl script to use the current documentation version (#442) 14 years ago
			`<p>`
			`Then you got this value inside the Auth-Roles header:`
			`</p>`
Update documentation (new dokuwiki version) 11 years ago			`<pre class="code">user; admin</pre>`
Update doc.pl script to use the current documentation version (#442) 14 years ago
			`</div>`
Update documentation (#909) 10 years ago			`<!-- EDIT4 SECTION "Roles as simple values of a user attribute" [434-1012] -->`
Update documentation (new dokuwiki version) 11 years ago			`<h3 class="sectionedit5" id="roles_as_entries_in_the_directory">Roles as entries in the directory</h3>`
Update doc.pl script to use the current documentation version (#442) 14 years ago			`<div class="level3">`

			`<p>`
			`Now imagine the following DIT:`
			`</p>`
Update documentation (#909) 10 years ago			`<ul>`
			`<li class="level1"><div class="li"> dc=example,dc=com</div>`
			`<ul>`
			`<li class="level2"><div class="li"> ou=users</div>`
			`<ul>`
			`<li class="level3"><div class="li"> uid=coudot</div>`
			`</li>`
			`</ul>`
			`</li>`
			`<li class="level2"><div class="li"> ou=roles</div>`
			`<ul>`
			`<li class="level3"><div class="li"> ou=aaa</div>`
			`<ul>`
			`<li class="level4"><div class="li"> cn=admin</div>`
			`</li>`
			`<li class="level4"><div class="li"> cn=user</div>`
			`</li>`
			`</ul>`
			`</li>`
			`<li class="level3"><div class="li"> ou=bbb</div>`
			`<ul>`
			`<li class="level4"><div class="li"> cn=admin</div>`
			`</li>`
			`<li class="level4"><div class="li"> cn=user</div>`
			`</li>`
			`</ul>`
			`</li>`
			`</ul>`
			`</li>`
			`</ul>`
			`</li>`
			`</ul>`
Update doc.pl script to use the current documentation version (#442) 14 years ago
			`<p>`
Update documentation (#909) 10 years ago			`Roles are entries, below branches representing applications. We can use the standard LDAP objectClass <code>organizationalRole</code> to maintain roles, for example:`
Update doc.pl script to use the current documentation version (#442) 14 years ago			`</p>`
Update documentation (#909) 10 years ago			`<pre class="code file ldif"><span class="re0">dn</span>:<span class="re1"> cn=admin,ou=aaa,ou=roles,dc=example,dc=com</span>`
			`<span class="re0">objectClass</span>:<span class="re1"> organizationalRole</span>`
			`<span class="re0">objectClass</span>:<span class="re1"> top</span>`
			`<span class="re0">cn</span>:<span class="re1"> admin</span>`
			`<span class="re0">ou</span>:<span class="re1"> aaa</span>`
			`<span class="re0">roleOccupant</span>:<span class="re1"> uid=coudot,ou=users,dc=example,dc=com</span></pre>`
Update doc.pl script to use the current documentation version (#442) 14 years ago
			`<p>`
Update documentation (#909) 10 years ago			`A user is attached to a role if its <abbr title="Distinguished Name">DN</abbr> is in <code>roleOccupant</code> attribute. We add the attribute <code>ou</code> to allow <abbr title="LemonLDAP::NG">LL::NG</abbr> to know which application is concerned by this role.`
Update doc.pl script to use the current documentation version (#442) 14 years ago			`</p>`

			`<p>`
Update documentation (#909) 10 years ago			`So imagine the user coudot is “user” on application “BBB” and “admin” on application “<abbr title="Authentication Authorization Accounting">AAA</abbr>”.`
Update doc.pl script to use the current documentation version (#442) 14 years ago			`</p>`

Update documentation (#909) 10 years ago			`</div>`
Update doc.pl script to use the current documentation version (#442) 14 years ago
Update documentation (#909) 10 years ago			`<h4 id="gather_roles_in_session">Gather roles in session</h4>`
			`<div class="level4">`
Update doc.pl script to use the current documentation version (#442) 14 years ago
			`<p>`
Update documentation (#909) 10 years ago			`Use the <a href="../../documentation/1.9/authldap.html#groups" class="wikilink1" title="documentation:1.9:authldap">LDAP group</a> configuration to store roles as groups in the user session:`
Update doc.pl script to use the current documentation version (#442) 14 years ago			`</p>`
			`<ul>`
Update documentation (#909) 10 years ago			`<li class="level1"><div class="li"> Base: ou=roles,dc=example,dc=com</div>`
Update doc.pl script to use the current documentation version (#442) 14 years ago			`</li>`
Update documentation (#909) 10 years ago			`<li class="level1"><div class="li"> Object class: organizationalRole</div>`
			`</li>`
			`<li class="level1"><div class="li"> Target attribute: roleOccupant</div>`
			`</li>`
			`<li class="level1"><div class="li"> Searched attributes: cn ou</div>`
Update doc.pl script to use the current documentation version (#442) 14 years ago			`</li>`
			`</ul>`
Update documentation (#909) 10 years ago
			`</div>`

			`<h4 id="restrict_access_to_application">Restrict access to application</h4>`
			`<div class="level4">`
Update doc.pl script to use the current documentation version (#442) 14 years ago
			`<p>`
Update documentation (#909) 10 years ago			`We configure <abbr title="LemonLDAP::NG">LL::NG</abbr> to authorize people on an application only if they have a role on it. For this, we use the <code>$hGroups</code> variable.`
Update doc.pl script to use the current documentation version (#442) 14 years ago			`</p>`
			`<ul>`
Update documentation (new dokuwiki version) 11 years ago			`<li class="level1"><div class="li"> For application <abbr title="Authentication Authorization Accounting">AAA</abbr>:</div>`
Update doc.pl script to use the current documentation version (#442) 14 years ago			`</li>`
			`</ul>`
Update documentation (#909) 10 years ago			`<pre class="code">default => groupMatch($hGroups, 'ou', 'aaa')</pre>`
Update doc.pl script to use the current documentation version (#442) 14 years ago			`<ul>`
			`<li class="level1"><div class="li"> For application BBB:</div>`
			`</li>`
			`</ul>`
Update documentation (#909) 10 years ago			`<pre class="code">default => groupMatch($hGroups, 'ou', 'bbb')</pre>`
Update doc.pl script to use the current documentation version (#442) 14 years ago
Update documentation (#909) 10 years ago			`</div>`

			`<h4 id="send_role_to_application">Send role to application</h4>`
			`<div class="level4">`
Update doc.pl script to use the current documentation version (#442) 14 years ago
			`<p>`
Update documentation (#909) 10 years ago			`It is done by creating the correct HTTP header:`
Update doc.pl script to use the current documentation version (#442) 14 years ago			`</p>`
			`<ul>`
Update documentation (new dokuwiki version) 11 years ago			`<li class="level1"><div class="li"> For application <abbr title="Authentication Authorization Accounting">AAA</abbr>:</div>`
Update doc.pl script to use the current documentation version (#442) 14 years ago			`</li>`
			`</ul>`
Update documentation (#909) 10 years ago			`<pre class="code">Auth-Roles => ((grep{/aaa/} split(';',$groups))[0] =~ /([a-zA-Z]+?)/)[0]</pre>`
Update doc.pl script to use the current documentation version (#442) 14 years ago			`<ul>`
			`<li class="level1"><div class="li"> For application BBB:</div>`
			`</li>`
			`</ul>`
Update documentation (#909) 10 years ago			`<pre class="code">Auth-Roles => ((grep{/bbb/} split(';',$groups))[0] =~ /([a-zA-Z]+?)/)[0]</pre>`
Update doc.pl script to use the current documentation version (#442) 14 years ago
			`</div>`
Update documentation (new dokuwiki version) 11 years ago			`</div><!-- closes <div class="dokuwiki export">-->`