8.2. Using Roles
8.2.1. About Roles
- Managed roles have an explicit enumerated list of members.
- Filtered roles assign entries to the role depending upon an attribute contained by each entry, as specified in an LDAP filter. Entries that match the filter possess the role.
- Nested roles are roles that contain other roles.
The nsRole attribute is a computed attribute, which identifies to which roles an entry belongs; the nsRole attribute is not stored with the entry itself. From the client application point of view, the method for checking membership is uniform and is performed on the server side.
8.2.2. Creating a Managed Role
Managed roles are assigned to an entry by adding the nsRoleDN attribute to the entry.
8.2.2.1. Creating Managed Roles through the Command Line
All role definitions use the ldapsubentry object class, which is defined in the ITU X.509 standard. In addition, each managed role requires two object classes that inherit from the nsRoleDefinition object class: nsSimpleRoleDefinition and nsManagedRoleDefinition. Members of a managed role have the nsRoleDN attribute in their entry.
- Use ldapmodify with the -a option to add the managed role entry. The new entry must contain the nsManagedRoleDefinition object class, which in turn inherits from the LdapSubEntry, nsRoleDefinition, and nsSimpleRoleDefinition object classes:
    dn: cn=Marketing,ou=people,dc=example,dc=com
    objectclass: top
    objectclass: LdapSubEntry
    objectclass: nsRoleDefinition
    objectclass: nsSimpleRoleDefinition
    objectclass: nsManagedRoleDefinition
    cn: Marketing
    description: managed role for marketing staff
- Assign the role to the marketing staff members, one by one, using ldapmodify:
    dn: cn=Bob,ou=people,dc=example,dc=com
    changetype: modify
    add: nsRoleDN
    nsRoleDN: cn=Marketing,ou=people,dc=example,dc=com
The nsRoleDN attribute in the entry indicates that the entry is a member of the managed role cn=Marketing,ou=people,dc=example,dc=com.
8.2.3. Creating a Filtered Role
8.2.3.1. Creating a Filtered Role through the Command Line
All role definitions use the ldapsubentry object class, which is defined in the ITU X.509 standard. In addition, each filtered role requires two object classes that inherit from the nsRoleDefinition object class: nsComplexRoleDefinition and nsFilteredRoleDefinition. A filtered role entry also requires the nsRoleFilter attribute to define the LDAP filter that determines role members. Optionally, the role can take a description attribute.
- Run ldapmodify with the -a option to add a new entry.
- Create the filtered role entry. The role entry has the nsFilteredRoleDefinition object class, which inherits from the LDAPsubentry, nsRoleDefinition, and nsComplexRoleDefinition object classes. The nsRoleFilter attribute sets a filter for o (organization) attributes that contain a value of sales managers:
    dn: cn=SalesManagerFilter,ou=people,dc=example,dc=com
    changetype: add
    objectclass: top
    objectclass: LDAPsubentry
    objectclass: nsRoleDefinition
    objectclass: nsComplexRoleDefinition
    objectclass: nsFilteredRoleDefinition
    cn: SalesManagerFilter
    nsRoleFilter: o=sales managers
    Description: filtered role for sales managers
Entries that match the filter are members of the role. For example, the following entry contains the o attribute with the value sales managers, and, therefore, it is a member of this filtered role automatically:
    dn: cn=Pat Smith,ou=people,dc=example,dc=com
    objectclass: top
    objectclass: person
    objectclass: organizationalPerson
    objectclass: inetOrgPerson
    cn: Pat
    sn: Smith
    userPassword: secret
    o: sales managers
8.2.4. Creating a Nested Role
8.2.4.1. Creating a Nested Role through the Command Line
All role definitions use the ldapsubentry object class, which is defined in the ITU X.509 standard. In addition, each nested role requires two object classes that inherit from the nsRoleDefinition object class: nsComplexRoleDefinition and nsNestedRoleDefinition. A nested role entry also requires the nsRoleDN attribute to identify the roles to nest within the container role. Optionally, the role can take a description attribute. Members of a nested role are the members of the roles specified in the nsRoleDN attributes of the nested role definition entry.
- Run ldapmodify with the -a option to add a new entry.
- Create the nested role entry. The nested role has four object classes: LDAPsubentry, nsRoleDefinition, nsComplexRoleDefinition, and nsNestedRoleDefinition. The nsRoleDN attributes contain the DNs for both the marketing managed role and the sales managers filtered role:
    dn: cn=MarketingSales,ou=people,dc=example,dc=com
    objectclass: top
    objectclass: LDAPsubentry
    objectclass: nsRoleDefinition
    objectclass: nsComplexRoleDefinition
    objectclass: nsNestedRoleDefinition
    cn: MarketingSales
    nsRoleDN: cn=SalesManagerFilter,ou=people,dc=example,dc=com
    nsRoleDN: cn=Marketing,ou=people,dc=example,dc=com
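The following is an added example, not part of the Directory Server documentation: an offline model of how the server derives the computed nsRole attribute from the managed, filtered and nested role definitions shown in this section. It assumes a constructed in-memory directory holding the Marketing, SalesManagerFilter and MarketingSales roles plus the Bob and Pat Smith entries, supports only simple equality filters such as (o=sales managers), and ignores role scoping (in the real server a role only applies to entries under the subtree where it is defined).

```python
from typing import Dict, List, Optional, Set
Entry = Dict[str, List[str]]

# Constructed sample directory mirroring the entries shown in this section.
DIRECTORY: Dict[str, Entry] = {
    "cn=Marketing,ou=people,dc=example,dc=com": {
        "objectclass": ["top", "ldapsubentry", "nsRoleDefinition",
                        "nsSimpleRoleDefinition", "nsManagedRoleDefinition"]},
    "cn=SalesManagerFilter,ou=people,dc=example,dc=com": {
        "objectclass": ["top", "ldapsubentry", "nsRoleDefinition",
                        "nsComplexRoleDefinition", "nsFilteredRoleDefinition"],
        "nsRoleFilter": ["o=sales managers"]},
    "cn=MarketingSales,ou=people,dc=example,dc=com": {
        "objectclass": ["top", "ldapsubentry", "nsRoleDefinition",
                        "nsComplexRoleDefinition", "nsNestedRoleDefinition"],
        "nsRoleDN": ["cn=SalesManagerFilter,ou=people,dc=example,dc=com",
                     "cn=Marketing,ou=people,dc=example,dc=com"]},
    "cn=Bob,ou=people,dc=example,dc=com": {
        "objectclass": ["person"],
        "nsRoleDN": ["cn=Marketing,ou=people,dc=example,dc=com"]},
    "cn=Pat Smith,ou=people,dc=example,dc=com": {
        "objectclass": ["person"], "o": ["sales managers"]},
}

def has_class(entry: Entry, oc: str) -> bool:
    return oc.lower() in (c.lower() for c in entry.get("objectclass", []))

def matches_filter(entry: Entry, flt: str) -> bool:
    # Only simple equality filters like (o=sales managers) are modelled here.
    attr, _, value = flt.strip("()").partition("=")
    return value.lower() in (v.lower() for v in entry.get(attr, []))

def is_member(entry_dn: str, role_dn: str, directory: Dict[str, Entry],
              seen: Optional[Set[str]] = None) -> bool:
    seen = set() if seen is None else seen
    if role_dn in seen:          # guard against role nesting loops
        return False
    seen.add(role_dn)
    role, entry = directory[role_dn], directory[entry_dn]
    if has_class(role, "nsManagedRoleDefinition"):   # explicit nsRoleDN on the member
        return role_dn.lower() in (d.lower() for d in entry.get("nsRoleDN", []))
    if has_class(role, "nsFilteredRoleDefinition"):  # member iff the filter matches
        return any(matches_filter(entry, f) for f in role.get("nsRoleFilter", []))
    if has_class(role, "nsNestedRoleDefinition"):    # member of any nested role
        return any(is_member(entry_dn, r, directory, seen) for r in role.get("nsRoleDN", []))
    return False

def compute_ns_role(entry_dn: str, directory: Dict[str, Entry]) -> List[str]:
    """Return the computed nsRole values for one entry, as the server would."""
    roles = [dn for dn, e in directory.items() if has_class(e, "nsRoleDefinition")]
    return sorted(r for r in roles if is_member(entry_dn, r, directory))
```

Bob gets the nested role through his managed membership and Pat Smith through the filter, which is why neither entry needs to store nsRole itself.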
8.2.5. Viewing Roles for an Entry through the Command Line
Because nsRole is an operational attribute, it is not returned by a default search. Pass + to ldapsearch to output all operational attributes for result objects. For example, this ldapsearch command returns the list of roles of which uid=user_name is a member, in addition to the regular attributes for the entry:
    # ldapsearch -D "cn=Directory Manager" -W -p 389 -h server.example.com -b "dc=example,dc=com" -s sub -x "(uid=user_name)" \* nsRole
    dn: uid=user_name,ou=people,dc=example,dc=com
    ...
    nsRole: cn=Role for Managers,dc=example,dc=com
    nsRole: cn=Role for Accounting,dc=example,dc=com
8.2.6. About Deleting Roles
Deleting a role deletes the role entry but does not delete the nsRoleDN attribute for each role member. To delete the nsRoleDN attribute for each role member, enable the Referential Integrity plug-in, and configure it to manage the nsRoleDN attribute. For more information on the Referential Integrity plug-in, see Chapter 5, Maintaining Referential Integrity.
8.2.7. Using Roles Securely
Some roles should be easy for users to join and leave on their own. For example, if there is an interest group role called Mountain Biking, interested users should be able to add themselves or remove themselves easily.
Suppose, however, that user A possesses the managed role MR, and the MR role has been locked using account inactivation. This means that user A cannot bind to the server because the nsAccountLock attribute is computed as true for that user. However, if user A was already bound to Directory Server and noticed that he is now locked through the MR role, the user can remove the nsRoleDN attribute from his entry and unlock himself if there are no ACIs preventing him.
To prevent users from removing the nsRoleDN attribute, use the following ACIs depending upon the type of role being used.
- Managed roles. For entries that are members of a managed role, use the following ACI to prevent users from unlocking themselves by removing the appropriate nsRoleDN value:
    aci: (targetattr="nsRoleDN")
     (targattrfilters="add=nsRoleDN:(!(nsRoleDN=cn=AdministratorRole,dc=example,dc=com)),
      del=nsRoleDN:(!(nsRoleDN=cn=nsManagedDisabledRole,dc=example,dc=com))")
     (version 3.0; acl "allow mod of nsRoleDN by self but not to critical values";
      allow (write) userdn="ldap:///self";)
- Filtered roles. The attributes that are part of the filter should be protected so that the user cannot relinquish the filtered role by modifying an attribute. The user should not be allowed to add, delete, or modify the attribute used by the filtered role. If the value of the filter attribute is computed, then all attributes that can modify the value of the filter attribute should be protected in the same way.
- Nested roles. A nested role consists of filtered and managed roles, so both of the ACIs above should be considered for the attributes (nsRoleDN or something else) that control membership in the roles that make up the nested role.
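The following is an added example, not part of the Directory Server documentation: an offline model of the targattrfilters clauses in the managed-role ACI above, showing which self-modifications of nsRoleDN the ACI lets through. The AdministratorRole and nsManagedDisabledRole DNs come from the ACI; the Mountain Biking role is a constructed open interest-group role, and the model assumes no other ACI grants the user anything (so whatever this ACI does not allow is denied).

```python
from typing import List, Tuple

# Values the ACI in this section protects.
ADMIN_ROLE = "cn=AdministratorRole,dc=example,dc=com"
DISABLED_ROLE = "cn=nsManagedDisabledRole,dc=example,dc=com"
# Constructed sample of an open interest-group role users may join or leave.
HOBBY_ROLE = "cn=Mountain Biking,dc=example,dc=com"

def norm_dn(dn: str) -> str:
    """Normalise a DN for comparison: case-insensitive, no space after commas."""
    return ",".join(p.strip() for p in dn.lower().split(","))

def value_allowed(op: str, value: str) -> bool:
    """Mirror the two targattrfilters clauses of the ACI:
    add=nsRoleDN:(!(nsRoleDN=ADMIN_ROLE)) and del=nsRoleDN:(!(nsRoleDN=DISABLED_ROLE))."""
    if op == "add":
        return norm_dn(value) != norm_dn(ADMIN_ROLE)
    if op == "del":
        return norm_dn(value) != norm_dn(DISABLED_ROLE)
    return False   # other operations are not granted by this ACI

def self_mod_allowed(mods: List[Tuple[str, str, str]]) -> bool:
    """mods are (op, attribute, value) triples a user applies to their own entry.
    The ACI targets only nsRoleDN; with no other ACI in this model, every
    value must pass its filter or the whole modify is denied."""
    return all(attr.lower() == "nsroledn" and value_allowed(op, val)
               for op, attr, val in mods)

def apply_self_mods(current: List[str], mods: List[Tuple[str, str, str]]) -> List[str]:
    """Return the entry's nsRoleDN values after the modify, or raise PermissionError."""
    if not self_mod_allowed(mods):
        raise PermissionError("modify of nsRoleDN denied by ACI")
    roles = [norm_dn(r) for r in current]
    for op, _attr, val in mods:
        if op == "add" and norm_dn(val) not in roles:
            roles.append(norm_dn(val))
        elif op == "del" and norm_dn(val) in roles:
            roles.remove(norm_dn(val))
    return roles
```

A locked user can still leave the Mountain Biking role, but cannot drop the nsManagedDisabledRole value or grant themselves AdministratorRole, which is exactly the gap the ACI closes.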