Role computation techniques are used to list roles for both authenticated and unauthenticated users. The LDAP provider performs access control using roles, and supports three types of role constructs; each may be used independently, or all three may be used at the same time:
User-level role attributes – this is the most efficient role definition format, and is supported by SunONE and ActiveDirectory. With this technique, a user’s roles are enumerated by a read-only attribute in the user’s LDAP record that the directory server itself maintains. The advantages of this technique are the efficiency with which role memberships can be queried, and the ease with which they can be managed using the LDAP server’s native management tools. To use this option, configure the following LDAP properties, which are described in Table B-1:
RoleFilter
RoleNameAttribute
RoleSearchBase
RoleScope
UserRoleMembershipAttributes
LDAP group role definitions – supported by almost all LDAP servers and a common construct in older LDAP servers. This technique may be useful if you want to use the same LDAP schema across multiple LDAP server types. Unlike the user-level role attributes, LDAP group memberships are stored and checked on a group-by-group basis. Each defined group has an attribute that lists all the members in the group. Groups are typically in one of two object classes, either groupofnames or groupofuniquenames.
To use this option, configure the following properties in the csi.xml file:
RoleFilter
RoleMemberAttributes
RoleNameAttribute
RoleScope
RoleSearchBase
See Table B-1 for more information. The value of RoleMemberAttributes is a comma-delimited list of attributes, each of which defines the members of a group. An example value for this property is “uniquemember,member”, which names the membership attributes of the groupofuniquenames and groupofnames object classes respectively.
Free-form role definitions – unique in that the role itself does not have an entry in the LDAP data store. To create a free-form role definition, begin by defining one or more user-level attributes. When roles are calculated for a user, the collective values of the attributes—which can have multiple values—are added as roles of which the user is a member. This technique requires less administrative overhead than either of the two previously described techniques.
For example, define a free-form role that is equivalent to a user’s department number. A role check performed for a specific department number is then satisfied only by users whose department number attribute has that value. To use free-form role definitions, configure the UserFreeformRoleMembershipAttributes property—see Table B-1.
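The following is an added illustration, not code from the Sybase provider, of how the three constructs above combine into one role set. It evaluates the Table B-1 properties against a small constructed in-memory directory; the sample DNs, attribute values and the simplified filter matcher (equality terms and OR only, RoleScope "sub" only) are assumptions of the example.

```python
# Constructed in-memory directory (DN -> attributes); not data from Sybase or any real server.
PEOPLE = "ou=people,dc=example,dc=com"
DIRECTORY = {
    f"uid=alice,{PEOPLE}": {"objectClass": ["inetOrgPerson"], "departmentNumber": ["4201"],
                            "nsRole": ["cn=admins,ou=roles,dc=example,dc=com"]},  # user-level role attribute
    f"uid=bob,{PEOPLE}": {"objectClass": ["inetOrgPerson"], "departmentNumber": ["4202"]},
    "cn=admins,ou=roles,dc=example,dc=com": {"objectClass": ["nsRoleDefinition"], "cn": ["admins"]},
    "cn=developers,ou=groups,dc=example,dc=com": {"objectClass": ["groupofuniquenames"], "cn": ["developers"],
                                                  "uniquemember": [f"uid=alice,{PEOPLE}", f"uid=bob,{PEOPLE}"]},
    "cn=ops,ou=groups,dc=example,dc=com": {"objectClass": ["groupofnames"], "cn": ["ops"], "member": [f"uid=bob,{PEOPLE}"]},
}
# Property names follow Table B-1; the values are constructed for this sample (RoleScope "sub" only).
CONFIG = {
    "RoleSearchBase": "dc=example,dc=com", "RoleScope": "sub", "RoleNameAttribute": "cn",
    "RoleFilter": "(|(objectClass=groupofnames)(objectClass=groupofuniquenames)(objectClass=nsRoleDefinition))",
    "RoleMemberAttributes": "uniquemember,member", "UserRoleMembershipAttributes": "nsRole",
    "UserFreeformRoleMembershipAttributes": "departmentNumber",
}

def _split(csv):  # comma-delimited property value -> list of attribute names
    return [v.strip() for v in csv.split(",") if v.strip()]
def _values(entry, attr):  # LDAP attribute names are case-insensitive
    return [v for k, vs in entry.items() if k.lower() == attr.lower() for v in vs]

def matches_filter(entry, flt):
    """Tiny subset of LDAP search filters: (attr=value) and (|(...)(...)), compared case-insensitively."""
    if flt.startswith("(|"):  # OR of simple equality terms
        return any(matches_filter(entry, "(" + p.strip("()") + ")") for p in flt[2:-1].split(")("))
    attr, _, value = flt[1:-1].partition("=")
    return any(v.lower() == value.lower() for v in _values(entry, attr))

def compute_roles(user_dn, directory=DIRECTORY, cfg=CONFIG):
    user, roles, name = directory[user_dn], set(), cfg["RoleNameAttribute"]
    # Role entries the provider can see: under RoleSearchBase (scope "sub") and matching RoleFilter
    role_entries = {dn: e for dn, e in directory.items()
                    if dn.lower().endswith("," + cfg["RoleSearchBase"].lower())
                    and matches_filter(e, cfg["RoleFilter"])}
    # 1. User-level role attributes: the user's own attribute names the role entries
    for attr in _split(cfg["UserRoleMembershipAttributes"]):
        for role_dn in _values(user, attr):
            roles.update(_values(role_entries.get(role_dn, {}), name))
    # 2. LDAP groups: a group entry lists its members in RoleMemberAttributes
    for entry in role_entries.values():
        members = {m.lower() for a in _split(cfg["RoleMemberAttributes"]) for m in _values(entry, a)}
        if user_dn.lower() in members:
            roles.update(_values(entry, name))
    # 3. Free-form: every value of the listed user attributes is itself a role name
    for attr in _split(cfg["UserFreeformRoleMembershipAttributes"]):
        roles.update(_values(user, attr))
    return roles
```

Because all three sources feed a single role set, a free-form attribute value that happens to equal a group or role name satisfies checks for that role, so free-form attributes should be ones only directory administrators can write.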
Copyright © 2004. Sybase Inc. All rights reserved.