lemonldap-ng-1.0-0.3.rc1mdv2011.0.noarch.rpm

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" lang="fr" xml:lang="fr">
<head>
  <meta name="generator" content=
  "HTML Tidy for Linux/x86 (vers 7 December 2008), see www.w3.org" />

  <title>Lemonldap::NG documentation: 4.2-Configure-LDAP-schema.html</title>
  <meta http-equiv="Content-Type" content="text/html; charset=us-ascii" />
  <style type="text/css">
/*<![CDATA[*/
    body{
      background: #ddd;
      font-family: sans-serif;
      font-size: 11pt;
      padding: 0 50px;
    }
    div.main-content{
      padding: 10px;
      background: #fff;
      border: 2px #ccc solid;
    }
    a{
      text-decoration: none;
    }
    p.footer{
      text-align: center;
      margin: 5px 0 0 0;
    }
    .heading-1{
      text-align: center;
      color: orange;
      font-variant: small-caps;
      font-size: 20pt;
    }
    .heading-1-1{
      color: orange;
      font-size: 14pt;
      border-bottom: 2px #ccc solid;
    }
    pre{
      background: #eee;
      border: 2px #ccc solid;
      padding: 5px;
      border-left: 10px #ccc solid;
    }
    ul.star li{
      list-style-type: square;
    }
  /*]]>*/
  </style>
</head>

<body>
  <div class="main-content">
    <h2 class="heading-1"><span id="HLDAPSchemaforadvancedaccessrules">LDAP
    Schema for advanced access rules</span></h2>

    <p class="paragraph"></p>

    <ul>
      <li><a href="#HTopic">Topic</a></li>

      <li>
        <a href="#HLDAPSchema">LDAP Schema</a>

        <ul>
          <li><a href="#HOIDprefix">OID prefix</a></li>

          <li><a href="#HOpenLDAPschema">OpenLDAP schema</a></li>
        </ul>
      </li>

      <li><a href="#HHowtouseitinLemonLDAP3A3ANG">How to use it in
      LemonLDAP::NG</a></li>
    </ul>

    <h3 class="heading-1-1"><span id="HTopic">Topic</span></h3>

    <p class="paragraph">LemonLDAP::NG is a powerful WebSSO engine that
    manages access through user attributes stored in an LDAP directory.</p>

    <p class="paragraph">We can use standard attributes such as uid, cn or
    mail to describe access rules for protected web applications.</p>

    <p class="paragraph">But sometimes we need more information, for
    example:</p>

    <ul class="star">
      <li>An application name (to allow access by applications and not by
      group of users)</li>

      <li>A start date and an end date (to open or close the service even if
      the entry already exists)</li>

      <li>Logon hours (allowed hours and days of the week)</li>

      <li>One or more roles (to send to the protected applications)</li>
    </ul>

    <h3 class="heading-1-1"><span id="HLDAPSchema">LDAP Schema</span></h3>

    <h4 class="heading-1-1-1"><span id="HOIDprefix">OID prefix</span></h4>

    <p class="paragraph">We plan to use this prefix:
    1.3.6.1.4.1.10943.10.2.</p>

    <p class="paragraph">The prefix 1.3.6.1.4.1.10943 is owned by LINAGORA
    (see <span class="wikiexternallink"><a href=
    "http://www.iana.org/assignments/enterprise-numbers">http://www.iana.org/assignments/enterprise-numbers</a></span>).</p>

    <h4 class="heading-1-1-1"><span id="HOpenLDAPschema">OpenLDAP
    schema</span></h4>

    <p class="paragraph">Add this file to the OpenLDAP schema files:</p>

    <div class="code">
      <pre>
#=======================================
# Schema for advanced SSO access rules
#
# Designed for OpenLDAP software
#   http://www.openldap.org
#
# Part of LemonLDAP::NG project
#   http://lemonldap.ow2.org
#
# Author: Clement OUDOT
#=======================================

#=======================================
# OID Prefix
#   Registered in IANA database
#=======================================
objectIdentifier SSOOID 1.3.6.1.4.1.10943.10.2

#=======================================
# Attributes
#=======================================

# Application Name
attributetype ( SSOOID:1:1
        NAME 'ssoName'
        DESC 'An application name'
        EQUALITY caseIgnoreMatch
        SUBSTR caseIgnoreSubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

# Roles
attributetype ( SSOOID:1:2
        NAME 'ssoRoles'
        DESC 'One or more roles'
        EQUALITY caseIgnoreMatch
        SUBSTR caseIgnoreSubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

# Time profile (name must match the MAY list of ssoUser below)
attributetype ( SSOOID:1:3
        NAME 'ssoLogonHours'
        DESC 'Logon hours'
        EQUALITY caseIgnoreMatch
        SUBSTR caseIgnoreSubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

# Start date
attributetype ( SSOOID:1:4
        NAME 'ssoStartDate'
        DESC 'Start date'
        EQUALITY caseIgnoreMatch
        SUBSTR caseIgnoreSubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

# End date
attributetype ( SSOOID:1:5
        NAME 'ssoEndDate'
        DESC 'End date'
        EQUALITY caseIgnoreMatch
        SUBSTR caseIgnoreSubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

#=======================================
# ObjectClasses
#=======================================

# SSO user
objectClass ( SSOOID:2:1
        NAME 'ssoUser'
        DESC 'SSO extended information for a user'
        SUP top
        AUXILIARY
        MAY ( ssoName $ ssoRoles $ ssoLogonHours $
                ssoStartDate $ ssoEndDate ) )
</pre>
    </div>
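    <p class="paragraph">A consistency check for a schema file of this kind, added here as an example and not code from the LemonLDAP::NG project: it expands the SSOOID macros to full numeric OIDs and reports any attribute named in an objectClass MUST or MAY list that the file does not define, the mismatch slapd rejects at startup. The embedded schema is a constructed, cut-down variant of the one above with one deliberate difference between a MAY entry and an attribute NAME; the function names and the optional external parameter (names known from other loaded schemas) are choices made for this example.</p>

```python
import re
# Constructed sample cut down from the page's schema; MAY names 'ssoLogonHours' but the attribute is 'ssoLogonsHours'.
SAMPLE_SCHEMA = """
objectIdentifier SSOOID 1.3.6.1.4.1.10943.10.2
attributetype ( SSOOID:1:1 NAME 'ssoName' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
attributetype ( SSOOID:1:3 NAME 'ssoLogonsHours' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
objectClass ( SSOOID:2:1 NAME 'ssoUser' SUP top AUXILIARY
        MAY ( ssoName $ ssoLogonHours ) )
"""

def expand_oid(oid, macros):
    """Expand an objectIdentifier macro: 'SSOOID:1:1' becomes the prefix plus '.1.1'."""
    name, _, suffix = oid.partition(':')
    tail = '.' + suffix.replace(':', '.') if suffix else ''
    return macros[name] + tail if name in macros else oid

def _definitions(text):
    """Yield (kind, body) per attributetype/objectClass, matching parentheses."""
    text = re.sub(r'#.*', '', text)  # comments run to end of line
    for m in re.finditer(r'\b(attributetype|objectclass)\s*\(', text, re.I):
        depth, i = 1, m.end()
        while depth and i != len(text):
            depth += {'(': 1, ')': -1}.get(text[i], 0)
            i += 1
        if depth:
            raise ValueError('unbalanced parentheses in ' + m.group(0))
        yield m.group(1).lower(), text[m.end():i - 1]  # body without outer parens

def parse_schema(text):
    """Return (attrs, classes): name to OID, and name to (OID, MUST+MAY names)."""
    macros = dict(re.findall(r'^\s*objectIdentifier\s+(\S+)\s+(\S+)', text, re.M))
    attrs, classes = {}, {}
    for kind, body in _definitions(text):
        oid = expand_oid(body.split()[0], macros)
        name = re.search(r"NAME\s+\(?\s*'([^']+)'", body).group(1)  # first NAME
        if kind == 'attributetype':
            attrs[name] = oid
        else:  # MUST/MAY take one name or a $-separated list in parentheses
            lists = re.findall(r'\b(?:MUST|MAY)\s+(\([^)]*\)|\S+)', body)
            members = [a for lst in lists for a in re.split(r'[\s$()]+', lst) if a]
            classes[name] = (oid, members)
    return attrs, classes

def check_schema(text, external=()):
    """List MUST/MAY names defined neither here nor in `external` (e.g. core.schema)."""
    attrs, classes = parse_schema(text)
    known = {a.lower() for a in list(attrs) + list(external)}
    return [f'objectClass {cls} references undefined attribute {a}'
            for cls, (_, members) in classes.items() for a in members if a.lower() not in known]
```

    <p class="paragraph">Run it against the real schema file before restarting slapd; an empty list means every MAY entry of ssoUser resolves to a defined attribute.</p>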

    <h3 class="heading-1-1"><span id="HHowtouseitinLemonLDAP3A3ANG">How to use
    it in LemonLDAP::NG</span></h3>

    <p class="paragraph">In LemonLDAP::NG Manager, go to General
    Parameters &gt; Exported Variables and add new variables:</p>

    <ul class="star">
      <li>ssoName =&gt; $ssoName</li>

      <li>ssoRoles =&gt; $ssoRoles</li>

      <li>ssoLogonHours =&gt; $ssoLogonHours</li>

      <li>ssoStartDate =&gt; $ssoStartDate</li>

      <li>ssoEndDate =&gt; $ssoEndDate</li>
    </ul>

    <p class="paragraph">Save, then reload Apache and the Handler so that the
    updated configuration is applied.</p>
  </div>

  <p class="footer"><a href="index.html">Index</a></p>
</body>
</html>