LDAP Schema for advanced access rules
Topic
LemonLDAP::NG is powerfull WebSSO engine who manage access trough user's attributes stored in an LDAP directory.
We can use standards attributes like uid, cn or mail to describe access rules to protected web applications.
But sometimes we need more information! For example:
- An application name (to allow access by applications and not by group of users)
- A start date and an end date (to open or close the service even the entry already exists)
- A time profile (allowed hours and day of the week)
- One or more roles (to send to the protected applications)
LDAP Schema
OID prefix
We plan to use this prefix: 1.3.6.1.4.1.10943.10.2.
The prefix 1.3.6.1.4.1.10943 is owned by LINAGORA (See
http://www.iana.org/assignments/enterprise-numbers).
OpenLDAP schema
Just add this file to OpenLDAP schemas:
#=======================================
# Schema for advanced SSO access rules
#
# Designed for OpenLDAP software
# http://www.openldap.org
#
# Part of LemonLDAP::NG project
# http://lemonldap.ow2.org
#
# Author: Clement OUDOT
#=======================================#=======================================
# OID Prefix
# Registered in IANA database
#=======================================
objectIdentifier SSOOID 1.3.6.1.4.1.10943.10.2#=======================================
# Attributes
#=======================================# Application Name
attributetype ( SSOOID:1:1
NAME 'ssoName'
DESC 'An application name'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )# Roles
attributetype ( SSOOID:1:2
NAME 'ssoRoles'
DESC 'One or more roles'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )# Time profile
attributetype ( SSOOID:1:3
NAME 'ssoTimeProfile'
DESC 'A time profile'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )# Start date
attributetype ( SSOOID:1:4
NAME 'ssoStartDate'
DESC 'Start date'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )# End date
attributetype ( SSOOID:1:5
NAME 'ssoEndDate'
DESC 'End date'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )#=======================================
# ObjectClasses
#=======================================# SSO user
objectClass ( SSOOID:2:1
NAME 'ssoUser'
DESC 'SSO extended informations for a user'
SUP top
AUXILIARY
MAY ( ssoName $ ssoRoles $ ssoTimeProfile $
ssoStartDate $ ssoEndDate ) )How to use it in LemonLDAP::NG
Specify new attributes in exported variables
In LemonLDAP::NG Manager, go to General Parameters > Exported Variables and add new variables:
- ssoName => $ssoName
- ssoRoles => $ssoRoles
- ssoTimeProfile => $ssoTimeProfile
- ssoStartDate => $ssoStartDate
- ssoEndDate => $ssoEndDate
Save and reload Apache and Handler to get the configuration updated.
Habilitation based on an application name
If a user has got the ssoName attribute, with each value being the name of a protected application, you can configure the rules of virtualhosts by checking the application name.
Go in LemonLDAP::NG Manager, choose your virtualhost (for example test.acme.com), and set the default rule to accept users if they have "acme" has one of the value of their attribute "ssoName":
default => $ssoName =~ /\bacme\b/
Save and reload.
Now you can decide who access this application just by adding or removing a value inside the entry of the users.
Habilitation based on a date
If the user has got ssoStartDate and/or ssoEndDate, you can configure rules to compare the current date to the start/end dates.
Habilitation based on a period
If the user has got ssoTimeProfile, you can configure rules to compare the current time and compare it to the time profile.
Send a role to a protected application
Roles as simple values of a user attribute
Imagine you've set your directory schema to store roles as values of ssoRoles, an attribute of the user. This is simple because you can send the role to the application by creating a HTTP header (for example Auth-Role) with the concatened values (';' is the concatenation string):
If the user has these values inside its entry:
ssoRoles: user
ssoRoles: admin
Then you got this value inside the Auth-Roles header:
Roles as entries in the directory
Now imagine the following DIT:
Roles are entries, below branchs representing applications. Each user has a ssoRoles attributes, which values are the DN of the corresponding roles. With this oragnization, you can set roles to user within specific application.
In the schema above, the user has the following values:
ssoRoles: ou=admin,ou=aaa,ou=roles,dc=acme,dc=com
ssoRoles: ou=user,ou=bbb,ou=roles,dc=acme,dc=com
So he is "user" on application "BBB" and "admin" on application "AAA".
Now we have to send to right role to the right application trough LemonLDAP::NG.
First step: create a rule to grant access only if the user has a role in the application:
default => $ssoRoles =~ /ou=aaa,ou=roles/
default => $ssoRoles =~ /ou=bbb,ou=roles/
Second step: get the role name for the application. We will use the macros to do that. Create two macros (inside General Parameters > Macros):
aaaRole => ((grep{/ou=aaa/} split(';',$ssoRoles))[0] =~ /ou=(.*),ou=aaa/)[0]bbbRole => ((grep{/ou=bbb/} split(';',$ssoRoles))[0] =~ /ou=(.*),ou=bbb/)[0]These regular expressions read the 'ou' value of the DN of the role of the concerned application. This work if the user has only one role per application.
Third step: provide the role to the application. It is done by creating the correct HTTP header:
Now the protected application can read in the header HTTP_AUTH_ROLES the role of the user.
PDF
History
