ESOE & rbac / sessiondata.xml
From: Helmut <antant...@gmx.at>
Date: Thu, 19 Jun 2008 08:44:40 -0700 (PDT)
Local: Fri, Jun 20 2008 1:44 am
Subject: ESOE & rbac / sessiondata.xml
Hello,

I'm currently evaluating ESOE for a project I'm working on. After
installing it and securing a resource via SSO I'm trying to
understand how the policy configuration/role management with an LDAP
directory is working. In http://esoeproject.org/confluence/display/eu/ESOE+Features
you're writing that you are supporting even "distributed" LDAP
systems and roles - therefore a (simple) RBAC system should be
implementable by ESOE. But I didn't find any information on how this
could be achieved.
I'm new to LDAP too - currently I implemented roles as
groupOfUniqueNames, which have (multiple) uniqueMembers referencing
the users for this role. Are there any assumptions about the LDAP
layout?

And a second question: In your policy examples you're referencing
username, email etc. as user attributes. I figured out that a mapping
from the LDAP attributes to these names is done in a sessiondata.xml -
but I don't know where this configuration file has to be saved and/or
referenced.

Beside these questions, the project setup and documentation is really
great! :)

regards,

helmut


From: Andre Zitelli <a.zite...@qut.edu.au>
Date: Fri, 20 Jun 2008 14:08:48 +1000
Local: Fri, Jun 20 2008 2:08 pm
Subject: Re: [esoe-users] ESOE & rbac / sessiondata.xml
Hi Helmut,

In answer to your questions:

In a word, yes. The default plugin architecture for the ESOE allows user
attributes to be aggregated from multiple sources. The assumption here
is that the attribute processor knows how to retrieve information about
the logged-in user. This is determined by the user DN setup when
configuring the LDAP plugin for ESOE. If I understand what you're trying
to do correctly, what needs to happen to implement RBAC for your
purposes is to associate the required roles with the user entry rather
than a distinct LDAP group. The reason for this is that the ESOE will
know how to retrieve these role attributes because you have configured
it to do so, whereas there is no way to tell the ESOE how to search an
LDAP source for a particular group member (you could possibly write a
plugin to do this, but I would not recommend it as I can't think of a
way to do it off the top of my head which would not be processor
intensive).

So an example of what you might have in an LDAP entry would be (note
that the role attributes I'm using are just an example and there may be
a valid RBAC schema to use for population of attributes instead):

uid=someuser,ou=someorganisation
email: s...@email.org
userRole:  user
userRole:  administrator
...

Then you would simply create a policy to allow users with this role
access to some specified resource. The ESOE will know about the
populated attributes of the user and attempt to match them against the
policy when a user tries to access the resource.

> And a second question: In your policy examples you're referencing
> username, email etc. as user attributes. I figured out that a mapping
> from the LDAP attributes to these names is done in a sessiondata.xml -
> but I don't know where this configuration file has to be saved and/or
> referenced.

The mapping is done via the esoemanager web interface. Clicking on "Edit
Released Attributes" will allow you to change these mappings (although
the manager interface is currently being upgraded, so the current one is
a simple text editor of the xml). So for example, for the above you
could map:

<Attribute Identifier="myRbacRole" Type="String" Singleton="true">
    <Handler LocalIdentifier="userRole" Name="LDAPHandler" />
</Attribute>

You can change or add LocalIdentifiers (the attribute in the LDAP
source) if you wish to map LDAP attributes to ESOE-centric attributes
for attribute aggregation from multiple sources. For example, if you
have two LDAP data sources, one which had userRole as the role you wish
to use, and another which had userGroup, which you also wanted to use
for RBAC, you could aggregate them into one attribute like so:

<Attribute Identifier="myRbacRole" Type="String" Singleton="true">
    <Handler LocalIdentifier="userRole" Name="LDAPHandler" />
    <Handler LocalIdentifier="userGroup" Name="LDAPHandler" />
</Attribute>

Then you would have a policy that included a rule with the attribute for
enforcement, like:

<Rule Effect="Permit" RuleId="accessOne">
    <Description>
        Allows users with myRbacRole of "user" access to .. something ...
    </Description>
    <Target>
        <Resources>
            <Resource>
                <AttributeValue>/something.*</AttributeValue>
            </Resource>
        </Resources>
    </Target>
    <Condition>
        <Apply FunctionId="string-equal">
            <SubjectAttributeDesignator AttributeId="myRbacRole" />
            <AttributeValue>user</AttributeValue>
        </Apply>
    </Condition>
</Rule>

Thanks for trying ESOE and I hope this has answered your questions.
Please feel free to submit any more questions you may have. I'd also
suggest you read up on LDAP and investigate various schemas that may
assist you in what you are trying to achieve.

Regards,

Andre
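The reply above describes three pieces that fit together: a user entry carrying multi-valued role attributes, a sessiondata.xml mapping that aggregates one or more LDAP attributes into an ESOE-side attribute, and a policy Rule whose string-equal condition is matched against those aggregated values. The following is an added example, not ESOE's own code or the thread author's, that models that flow end to end so the behaviour of the mapping and rule can be checked offline. It assumes the element shapes shown in the thread, that the Resource AttributeValue is a regular expression matched against the whole request path, that a multi-valued subject attribute satisfies string-equal if any value equals the literal, that Singleton="true" keeps only the first aggregated value (which is why the role attribute here is declared Singleton="false", so no role is silently dropped), and that a request matching no rule is denied. The directory entries are constructed sample data.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sessiondata.xml fragment in the shape shown in the thread (assumed structure).
# myRbacRole aggregates userRole and userGroup from two directories; email maps to "mail".
SESSION_DATA_XML = """
<SessionData>
  <Attribute Identifier="myRbacRole" Type="String" Singleton="false">
    <Handler LocalIdentifier="userRole" Name="LDAPHandler" />
    <Handler LocalIdentifier="userGroup" Name="LDAPHandler" />
  </Attribute>
  <Attribute Identifier="email" Type="String" Singleton="true">
    <Handler LocalIdentifier="mail" Name="LDAPHandler" />
  </Attribute>
</SessionData>
"""

# Constructed policy: the Rule from the thread, wrapped in a hypothetical <Policy> root.
POLICY_XML = """
<Policy>
  <Rule Effect="Permit" RuleId="accessOne">
    <Target><Resources><Resource>
      <AttributeValue>/something.*</AttributeValue>
    </Resource></Resources></Target>
    <Condition>
      <Apply FunctionId="string-equal">
        <SubjectAttributeDesignator AttributeId="myRbacRole" />
        <AttributeValue>user</AttributeValue>
      </Apply>
    </Condition>
  </Rule>
</Policy>
"""

# Constructed: the logged-in user's entry as returned by each of two LDAP data sources.
SAMPLE_ENTRIES = [
    {"uid": ["someuser"], "mail": ["someuser@example.org"],
     "userRole": ["user", "administrator"]},
    {"uid": ["someuser"], "userGroup": ["auditors"]},
]


def load_mappings(xml_text):
    """Parse <Attribute> elements into {identifier: {"singleton": bool, "handlers": [(name, local_id)]}}."""
    mappings = {}
    for attr in ET.fromstring(xml_text.strip()).iter("Attribute"):
        mappings[attr.get("Identifier")] = {
            "singleton": attr.get("Singleton", "false").lower() == "true",
            "handlers": [(h.get("Name"), h.get("LocalIdentifier")) for h in attr.findall("Handler")],
        }
    return mappings


def aggregate_attributes(mappings, ldap_entries):
    """Build the subject's ESOE-side attributes by pulling each handler's LocalIdentifier
    from every data source and merging the values (duplicates removed, order kept)."""
    subject = {}
    for identifier, spec in mappings.items():
        values = []
        for handler_name, local_id in spec["handlers"]:
            if handler_name != "LDAPHandler":
                continue  # only the LDAP handler is modelled here (assumption)
            for entry in ldap_entries:
                for value in entry.get(local_id, []):
                    if value not in values:
                        values.append(value)
        if spec["singleton"]:
            values = values[:1]  # assumed Singleton semantics: keep the first value only
        if values:
            subject[identifier] = values
    return subject


def _condition_holds(condition, subject):
    """string-equal: true if any value of the designated subject attribute equals the literal.
    Unknown functions or malformed conditions fail closed."""
    apply_el = condition.find("Apply")
    if apply_el is None or apply_el.get("FunctionId") != "string-equal":
        return False
    designator = apply_el.find("SubjectAttributeDesignator")
    literal = apply_el.find("AttributeValue")
    if designator is None or literal is None or literal.text is None:
        return False
    return literal.text.strip() in subject.get(designator.get("AttributeId"), [])


def evaluate(policy_xml, resource, subject):
    """Return the Effect of the first Rule whose Target matches the resource and whose
    Condition holds; deny by default when no rule applies."""
    for rule in ET.fromstring(policy_xml.strip()).iter("Rule"):
        patterns = [av.text.strip() for av in rule.findall("./Target/Resources/Resource/AttributeValue")]
        if not any(re.fullmatch(p, resource) for p in patterns):
            continue
        condition = rule.find("Condition")
        if condition is None or _condition_holds(condition, subject):
            return rule.get("Effect")
    return "Deny"


if __name__ == "__main__":
    subject = aggregate_attributes(load_mappings(SESSION_DATA_XML), SAMPLE_ENTRIES)
    print("subject attributes:", subject)
    for path in ("/something/page", "/other"):
        print(path, "->", evaluate(POLICY_XML, path, subject))
```

Running the block shows the aggregated myRbacRole carrying all three role values from both directories, a Permit for a path under /something and a Deny elsewhere. Changing the role attribute's Singleton to "true" in SESSION_DATA_XML is a quick way to see why a multi-valued role should not be declared singleton: only the first value would survive aggregation and any rule keyed on a later role would stop matching.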

