<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<meta name="generator" content="HTML Tidy for Linux/x86 (vers 7 December 2008), see www.w3.org" />
<title>Lemonldap::NG documentation: 4.2-Configure-LDAP-schema.html</title>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii" />
<style type="text/css">
/*<![CDATA[*/
body { background: #ddd; font-family: sans-serif; font-size: 11pt; padding: 0 50px; }
div.main-content { padding: 10px; background: #fff; border: 2px #ccc solid; }
a { text-decoration: none; }
p.footer { text-align: center; margin: 5px 0 0 0; }
.heading-1 { text-align: center; color: orange; font-variant: small-caps; font-size: 20pt; }
.heading-1-1 { color: orange; font-size: 14pt; border-bottom: 2px #ccc solid; }
pre { background: #eee; border: 2px #ccc solid; padding: 5px; border-left: 10px #ccc solid; }
ul.star li { list-style-type: square; }
/*]]>*/
</style>
</head>
<body>
<div class="main-content">
<h2 class="heading-1"><span id="HLDAPSchemaforadvancedaccessrules">LDAP Schema for advanced access rules</span></h2>
<ul>
<li><a href="#HTopic">Topic</a></li>
<li><a href="#HLDAPSchema">LDAP Schema</a>
<ul>
<li><a href="#HOIDprefix">OID prefix</a></li>
<li><a href="#HOpenLDAPschema">OpenLDAP schema</a></li>
</ul>
</li>
<li><a href="#HHowtouseitinLemonLDAP3A3ANG">How to use it in LemonLDAP::NG</a></li>
</ul>
<h3 class="heading-1-1"><span id="HTopic">Topic</span></h3>
<p class="paragraph">LemonLDAP::NG is a powerful WebSSO engine that manages access through user attributes stored in an LDAP directory.</p>
<p class="paragraph">Standard attributes such as uid, cn or mail can be used to describe access rules for protected web applications.</p>
<p class="paragraph">But sometimes we need more information!</p>
<p class="paragraph">For example:</p>
<ul class="star">
<li>An application name (to grant access per application rather than per group of users)</li>
<li>A start date and an end date (to open or close the service even though the entry already exists)</li>
<li>Logon hours (allowed hours and days of the week)</li>
<li>One or more roles (to send to the protected applications)</li>
</ul>
<h3 class="heading-1-1"><span id="HLDAPSchema">LDAP Schema</span></h3>
<h4 class="heading-1-1-1"><span id="HOIDprefix">OID prefix</span></h4>
<p class="paragraph">We plan to use this prefix: 1.3.6.1.4.1.10943.10.2.</p>
<p class="paragraph">The prefix 1.3.6.1.4.1.10943 is owned by LINAGORA (see <span class="wikiexternallink"><a href="http://www.iana.org/assignments/enterprise-numbers">http://www.iana.org/assignments/enterprise-numbers</a></span>).</p>
<h4 class="heading-1-1-1"><span id="HOpenLDAPschema">OpenLDAP schema</span></h4>
<p class="paragraph">Add this file to the OpenLDAP schemas:</p>
<div class="code">
<pre>
#=======================================
# Schema for advanced SSO access rules
#
# Designed for OpenLDAP software
# http://www.openldap.org
#
# Part of LemonLDAP::NG project
# http://lemonldap.ow2.org
#
# Author: Clement OUDOT
#=======================================

#=======================================
# OID Prefix
# Registered in IANA database
#=======================================
objectIdentifier SSOOID 1.3.6.1.4.1.10943.10.2

#=======================================
# Attributes
#=======================================

# Application Name
attributetype ( SSOOID:1:1
    NAME 'ssoName'
    DESC 'An application name'
    EQUALITY caseIgnoreMatch
    SUBSTR caseIgnoreSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

# Roles
attributetype ( SSOOID:1:2
    NAME 'ssoRoles'
    DESC 'One or more roles'
    EQUALITY caseIgnoreMatch
    SUBSTR caseIgnoreSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

# Time profile
# The name must match the ssoUser MAY list below and the
# exported variable configured in the Manager (ssoLogonHours)
attributetype ( SSOOID:1:3
    NAME 'ssoLogonHours'
    DESC 'Logon hours'
    EQUALITY caseIgnoreMatch
    SUBSTR caseIgnoreSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

# Start date
attributetype ( SSOOID:1:4
    NAME 'ssoStartDate'
    DESC 'Start date'
    EQUALITY caseIgnoreMatch
    SUBSTR caseIgnoreSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

# End date
attributetype ( SSOOID:1:5
    NAME 'ssoEndDate'
    DESC 'End date'
    EQUALITY caseIgnoreMatch
    SUBSTR caseIgnoreSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

#=======================================
# ObjectClasses
#=======================================

# SSO user
objectClass ( SSOOID:2:1
    NAME 'ssoUser'
    DESC 'SSO extended information for a user'
    SUP top
    AUXILIARY
    MAY ( ssoName $ ssoRoles $ ssoLogonHours $ ssoStartDate $ ssoEndDate ) )
</pre>
</div>
<p class="paragraph">All five attributes use the Directory String syntax (1.3.6.1.4.1.1466.115.121.1.15), so the dates and logon hours are stored as free-form text: the values written into the directory and the access rules that evaluate them must agree on a common format.</p>
<h3 class="heading-1-1"><span id="HHowtouseitinLemonLDAP3A3ANG">How to use it in LemonLDAP::NG</span></h3>
<p class="paragraph">In LemonLDAP::NG Manager, go to General Parameters &gt; Exported Variables and add the following variables:</p>
<ul class="star">
<li>ssoName =&gt; $ssoName</li>
<li>ssoRoles =&gt; $ssoRoles</li>
<li>ssoLogonHours =&gt; $ssoLogonHours</li>
<li>ssoStartDate =&gt; $ssoStartDate</li>
<li>ssoEndDate =&gt; $ssoEndDate</li>
</ul>
<p class="paragraph">Save, then reload Apache and the Handler so that the updated configuration is taken into account.</p>
</div>
<p class="footer"><a href="index.html">Index</a></p>
</body>
</html>