
#16 Allow dynamic mapping of roles via LDAP

Status: open-accepted
Owner: nobody
Group: Operating (2)
Priority: 5
Updated: 2011-07-22
Created: 2011-05-31
Creator: Hugh Kelley
Private: No

Use LDAP group membership to determine PHP-CMDB role.

See function ldap_api_get_role ( $dn ) in ldap_api.ini.php and login.inc.php (attached).

Add the following to config.inc.php:

$g_auth_ldap_role_filter = "memberof:1.2.840.113556.1.4.1941:="; // LDAP_MATCHING_RULE_IN_CHAIN: Active Directory resolves nested group membership server-side
$g_auth_ldap_role_map = array( // Corresponds to $s_enum_roles, first match wins
    6 => "CN=Apps.IT-CMDB.Admin,OU=Access Groups,OU=RBAC,DC=xyz,DC=net",
    4 => "CN=Apps.IT-CMDB.Designer,OU=Access Groups,OU=RBAC,DC=xyz,DC=net",
    2 => "CN=Apps.IT-CMDB.Operator,OU=Access Groups,OU=RBAC,DC=xyz,DC=net"
    // Viewer access is the default
);

Default config:

$g_auth_ldap_role_filter = "memberof=";
$g_auth_ldap_role_map = array();

Discussion

  • Hugh Kelley - 2011-05-31

  • Hugh Kelley - 2011-05-31

  • Hugh Kelley - 2011-06-01

    Thinking more about this, I'm wondering how this feature would fit in with the ldap_api_check_group function.

    Is there an "allow all authenticated users" config option (other than the group function)?

     
  • Michael Scheibe - 2011-06-02

    I will review this.

    And no, currently the empty config option "g_auth_ldap_group_base" means "allow all authenticated users" only.

     
  • Michael Scheibe - 2011-06-02
    • status: open --> pending
     
  • SourceForge Robot

    • status: pending --> closed
     
  • SourceForge Robot

    This Tracker item was closed automatically by the system. It was
    previously set to a Pending status, and the original submitter
    did not respond within 14 days (the time period specified by
    the administrator of this Tracker).

     
  • Michael Scheibe - 2011-06-17
    • status: closed --> open
     
  • Michael Scheibe - 2011-06-17

    I think we should implement both ways. But to do so, we need an appropriate configuration. Something like this:

    # role navigation direction
    #
    # available values: user, group (default: group)
    #
    $g_auth_ldap_role_member_mode = 'group';

    # role member attribute
    #
    #
    $g_auth_ldap_role_attr = '';

    # role member map
    #
    # Corresponds to $s_enum_roles, first match wins
    # Viewer access is the default
    #
    # Use ROLE_xxx constants, to make it human readable
    #
    $g_auth_ldap_role_map = array(
        ROLE_ADMIN          => "CN=Apps.IT-CMDB.Admin,OU=Access Groups,OU=RBAC,DC=xyz,DC=net",
        ROLE_USER_ADMIN     => '',
        ROLE_DESIGNER       => "CN=Apps.IT-CMDB.Designer,OU=Access Groups,OU=RBAC,DC=xyz,DC=net",
        ROLE_CHANGE_MANAGER => '',
        ROLE_OPERATOR       => "CN=Apps.IT-CMDB.Operator,OU=Access Groups,OU=RBAC,DC=xyz,DC=net"
    );

    Explanations:
    I suggest renaming your '$g_auth_ldap_role_filter' to '$g_auth_ldap_role_attr' to make it consistent with the group config parameters.

    I set 'group' as the default navigation mode, because the implemented check against an LDAP group works in this direction. Based on this I can enhance this function in the same way with

    $g_auth_ldap_group_member_mode = 'group'

     
  • Michael Scheibe - 2011-07-22
    • status: open --> open-accepted
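The role lookup sketched in the ticket description (Hugh Kelley's $g_auth_ldap_role_filter / $g_auth_ldap_role_map) and the two-direction variant Michael Scheibe proposes ($g_auth_ldap_role_member_mode, $g_auth_ldap_role_attr), worked through as one added example. This is not PHP-CMDB's own code and not the attached ldap_api / login.inc.php; it generalises both proposals into a single resolver that walks the map in order and stops at the first group the user belongs to. Assumed: the ROLE_VIEWER value (the page only gives 6/4/2 for Admin/Designer/Operator), every function name below, and the $ldap_read callback contract. Only the ext/ldap adapter needs a server; the in-memory directory is constructed so the script runs offline.

```php
<?php
// Added example, not PHP-CMDB code: resolve a CMDB role from LDAP group
// membership in either navigation direction discussed in this ticket.

define('ROLE_VIEWER',   1);   // assumed value; Viewer is the default role
define('ROLE_OPERATOR', 2);
define('ROLE_DESIGNER', 4);
define('ROLE_ADMIN',    6);

// Configuration in the shape proposed in the ticket.
// 'user'  : read the user's entry and test its memberOf values
// 'group' : read each group's entry and test its member values
$g_auth_ldap_role_member_mode = 'group';
// Attribute tested in the filter: 'member' for group mode, 'memberof' for user
// mode. Appending the AD matching rule, e.g. 'member:1.2.840.113556.1.4.1941:',
// makes the server resolve nested groups (LDAP_MATCHING_RULE_IN_CHAIN).
$g_auth_ldap_role_attr = 'member';
// Ordered most privileged first, because the first match wins.
$g_auth_ldap_role_map = array(
    ROLE_ADMIN    => "CN=Apps.IT-CMDB.Admin,OU=Access Groups,OU=RBAC,DC=xyz,DC=net",
    ROLE_DESIGNER => "CN=Apps.IT-CMDB.Designer,OU=Access Groups,OU=RBAC,DC=xyz,DC=net",
    ROLE_OPERATOR => "CN=Apps.IT-CMDB.Operator,OU=Access Groups,OU=RBAC,DC=xyz,DC=net",
);

// RFC 4515 escaping for filter assertion values, so a DN containing
// '*', '(' or ')' cannot change the meaning of the filter.
function ldap_filter_escape(string $value): string
{
    return str_replace(array("\\", '*', '(', ')', "\0"),
                       array('\5c', '\2a', '\28', '\29', '\00'), $value);
}

// $ldap_read(string $base_dn, string $filter): bool performs a base-scope read
// and reports whether the entry exists and matches the filter.
function ldap_role_resolve(callable $ldap_read, string $user_dn, array $role_map,
                           string $mode, string $attr, int $default_role): int
{
    foreach ($role_map as $role => $group_dn) {
        if ($group_dn === '') {
            continue;                          // role not mapped to a group
        }
        if ($mode === 'user') {
            $base = $user_dn;  $value = $group_dn;  // does user.memberOf contain the group?
        } else {
            $base = $group_dn; $value = $user_dn;   // does group.member contain the user?
        }
        $filter = '(' . $attr . '=' . ldap_filter_escape($value) . ')';
        if ($ldap_read($base, $filter)) {
            return (int) $role;                // first match wins
        }
    }
    return $default_role;                      // Viewer access is the default
}

// Adapter for a live ext/ldap connection. A missing entry, or a read the bind
// account is not permitted to perform, counts as "no match".
function ldap_entry_matches($conn, string $base_dn, string $filter): bool
{
    $res = @ldap_read($conn, $base_dn, $filter, array('dn'));
    return $res !== false && ldap_count_entries($conn, $res) > 0;
}

// Constructed in-memory directory so the example runs without a server. It
// emulates direct (attr=value) membership only; nested resolution through the
// matching rule is server-side behaviour.
$alice = "CN=Alice,OU=Users,DC=xyz,DC=net";
$bob   = "CN=Bob,OU=Users,DC=xyz,DC=net";
$fake_dir = array(
    $g_auth_ldap_role_map[ROLE_ADMIN]    => array('member' => array()),
    $g_auth_ldap_role_map[ROLE_DESIGNER] => array('member' => array($alice)),
    $g_auth_ldap_role_map[ROLE_OPERATOR] => array('member' => array($alice, $bob)),
);
$fake_read = function (string $base_dn, string $filter) use ($fake_dir): bool {
    if (!isset($fake_dir[$base_dn]) || !preg_match('/^\(([^=]+)=(.*)\)$/', $filter, $m)) {
        return false;
    }
    // Undo the filter escaping before comparing against stored values.
    $wanted = preg_replace_callback('/\\\\([0-9a-fA-F]{2})/',
        function ($h) { return chr(hexdec($h[1])); }, $m[2]);
    return in_array($wanted, $fake_dir[$base_dn][$m[1]] ?? array(), true);
};

foreach (array($alice, $bob, "CN=Carol,OU=Users,DC=xyz,DC=net") as $dn) {
    $role = ldap_role_resolve($fake_read, $dn, $g_auth_ldap_role_map,
        $g_auth_ldap_role_member_mode, $g_auth_ldap_role_attr, ROLE_VIEWER);
    echo $dn, ' -> role ', $role, "\n";
}
```

Two points the ticket text leaves implicit. Because the first match wins, the map must be ordered from most to least privileged (as the 6/4/2 ordering in the description already is): Alice is a member of both the Designer and the Operator group and must end up as Designer, not Operator. And whichever direction is used, the DN that ends up inside the filter is data from the directory or from the login form, so it is escaped before it is concatenated into the filter string; with ext/ldap loaded, ldap_escape($value, '', LDAP_ESCAPE_FILTER) does the same job as the small helper above.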
     
