LDAP Role Computation

Role checks are the primary means of performing access control when using LDAP authentication. Both the authentication and attribution capabilities utilize role computation techniques to enumerate the list of roles that both authenticated and non-authenticated users have.

There are three distinct types of role constructs supported by LDAP providers; each may be used independently or all three may be configured to be used at the same time.

User-level role attributes, which are specified by the UserRoleMembershipAttributes configuration property, are arguably the most desirable and efficient role definition format. Using this technique, a user's roles are enumerated by a read-only directory server-managed attribute on the user's LDAP record. The advantage to this technique is efficiency in which role memberships can be queried and the ease of management using the native LDAP server's management tools. These constructs are supported directly by ActiveDirectory products. The configuration options necessary for this technique are:
- UserRoleMembershipAttributes – the multi-valued attribute on the user's LDAP record that lists the role DN's that the user is a member of. An example value for this property is "memberOf" on ActiveDirectory.
- RoleSearchBase – the search base under which all user roles are found. Examples of this are "ou=Roles,dc=sybase,dc=com", for example. This value may be the root search base of the directory server as well.
- RoleFilter – the search filter that, coupled with the search base, retrieves all roles on the server.
- RoleScope – This value may optionally be specified to enable retrieval of roles from subcontexts under the search base.
- RoleNameAttribute – This value may optionally be specified to choose an attribute other than "cn" to define the name of roles.
These properties will retrieve correct values automatically based on the type of server you configure, despite having subtly different schemas.
LDAP Group role definitions may be used as role definitions. This is a common construct among older LDAP servers, but is supported by nearly all LDAP servers. This may be a useful technique when wanting to use the same LDAP schema across multiple LDAP server types. Unlike the user-level role attributes, LDAP group memberships are stored and checked on a group-by-group basis. Each defined group, typically of objectclass "groupofnames" or "groupofuniquenames", has an attribute listing all of the members of the group. The configuration settings used are the same as for user-level role attributes, except for the RoleMemberAttributes property which replaces the UserRoleMembershipAttributes property. This property defines a comma-delimited list of attributes that contain the members of the group. An example value for this property is uniquemember,member, which represents the membership attributes in the above-mentioned LDAP objectclasses.
Freeform role definitions are unique in that the role itself does not have an actual entry in the LDAP database. A freeform role starts with the definition of one or more user-level attributes. When roles are calculated for a user, the collective values of the attributes (which can be multi-valued) are added as roles the user is a member of. This technique is particularly useful when the overhead of managing roles uses are administration-heavy. One interesting example would be assigning a freeform role definition that was equivalent to the department # of the user. A role check performed on a specific department number would only be satisfied by users who have the appropriate department # attribute value. The only property that is required or used for this role mapping technique is the comma-delimited UserFreeformRoleMembershipAttributes property.