LDAP Role Computation

Role checks are the primary means of performing access control when using LDAP authentication.

Both the authentication and attribution capabilities utilize role computation techniques to enumerate the list of roles that authenticated and non-authenticated users have. There are three distinct types of role constructs supported by the common security infrastructure LDAP providers. Each can be used independently or all three can be configured to be used at the same time.

User-level role attribute

Specified by the UserRoleMembershipAttributes configuration property, this is the most desirable and efficient role definition format. With this technique, a user's roles are enumerated from a read-only, directory-server-managed attribute on the user's LDAP record. The advantages of this technique are the efficiency with which role memberships can be queried and the ease of management using the native LDAP server management tools. These constructs are supported directly by the SunONE 5.x Directory Server and Microsoft ActiveDirectory products. The configuration options necessary for this technique are:
  • UserRoleMembershipAttributes -- the multivalued attribute on the LDAP record for a user that lists the DNs of the roles the user is a member of. An example value for this property is “memberOf” on ActiveDirectory.
  • RoleSearchBase -- the search base under which all user roles are found. An example is “ou=Roles,dc=sybase,dc=com”. This value may also simply be the root search base of the directory server.
  • RoleFilter -- the search filter that, coupled with the search base, retrieves all roles on the server. An example of this property for the SunONE directory server is “(&(objectclass=ldapsubentry)(objectclass=nsroledefinition))”.
  • RoleScope -- this value may optionally be specified to enable retrieval of roles from subcontexts under the search base.
  • RoleNameAttribute -- this value may optionally be specified to choose an attribute other than “cn” to define the name of roles.
Group-level role definition

This is the most common construct among older LDAP servers, and it continues to be supported by nearly all LDAP servers. It may be a useful technique when you want to use the same LDAP schema across multiple LDAP server types, although the common security infrastructure LDAP suite provides a clean abstraction layer on top of these details.

Unlike the user-level role attributes, LDAP group memberships are stored and checked on a group-by-group basis. Each defined group, typically of objectclass “groupofnames” or “groupofuniquenames,” has an attribute listing all of the members of the group.

The configuration settings used are the same as for user-level role attributes, except for the RoleMemberAttributes property, which replaces the UserRoleMembershipAttributes property. This property defines a comma-delimited list of attributes that contain the members of the group.

An example value for this property is “uniquemember,member”, which names the membership attributes of the two LDAP objectclasses mentioned above.

Freeform role definition

This construct is unique in that the role itself does not have an actual entry in the LDAP database. A freeform role starts with the definition of one or more user-level attributes. When roles are calculated for a user, the collective values of the attributes (which can be multivalued) are added as roles the user is a member of.

This technique is particularly useful when you want to avoid the administrative overhead of the user-level or group-level role techniques.

For example, if you assigned a freeform role definition that was equivalent to the department number of the user, the role check performed on a specific department number would only be satisfied by users who have the appropriate department number attribute value.

The only property that is required or used for this role mapping technique is the comma-delimited UserFreeformRoleMembershipAttributes property.
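The following is an added example, not Sybase's own code, showing how the three techniques described above combine into one role list for a user. The directory entries are constructed sample data held in memory (no live LDAP server is queried), the property names are the ones documented on this page, and the RoleFilter is simplified to "every entry under RoleSearchBase".

```python
# Constructed sample directory: DN -> attributes (every value is a list, as in LDAP).
USER_DN = "uid=jdoe,ou=People,dc=sybase,dc=com"
DIRECTORY = {
    USER_DN: {"memberOf": ["cn=Admins,ou=Roles,dc=sybase,dc=com"],
              "departmentNumber": ["4100"]},
    "cn=Admins,ou=Roles,dc=sybase,dc=com": {  # directory-managed role (SunONE style)
        "objectclass": ["top", "ldapsubentry", "nsroledefinition"], "cn": ["Admins"]},
    "cn=Operators,ou=Roles,dc=sybase,dc=com": {  # classic group entry
        "objectclass": ["top", "groupofuniquenames"], "cn": ["Operators"],
        "uniquemember": [USER_DN, "uid=asmith,ou=People,dc=sybase,dc=com"]},
    "cn=Auditors,ou=Roles,dc=sybase,dc=com": {  # group the user is NOT a member of
        "objectclass": ["top", "groupofnames"], "cn": ["Auditors"],
        "member": ["uid=asmith,ou=People,dc=sybase,dc=com"]},
}
# Property names follow the page; the values are constructed for this example.
CONFIG = {
    "RoleSearchBase": "ou=Roles,dc=sybase,dc=com",
    "RoleNameAttribute": "cn",
    "UserRoleMembershipAttributes": "memberOf",
    "RoleMemberAttributes": "uniquemember,member",
    "UserFreeformRoleMembershipAttributes": "departmentNumber",
}

def _split(prop):  # comma-delimited property -> list of attribute names
    return [a.strip() for a in CONFIG[prop].split(",") if a.strip()]
def _under_base(dn):  # simplified RoleFilter: any entry below RoleSearchBase
    return dn.lower().endswith("," + CONFIG["RoleSearchBase"].lower())
def _role_name(role_dn):
    # Role name comes from RoleNameAttribute on the role entry (default "cn").
    return DIRECTORY.get(role_dn, {}).get(CONFIG["RoleNameAttribute"], [role_dn])[0]

def compute_roles(user_dn):
    """Return the set of role names for user_dn using all three techniques."""
    user, roles = DIRECTORY[user_dn], set()
    # 1. User-level role attribute: role DNs listed on the user's own record.
    for attr in _split("UserRoleMembershipAttributes"):
        roles.update(_role_name(d) for d in user.get(attr, []) if _under_base(d))
    # 2. Group-level: walk entries under RoleSearchBase and look for the user's DN
    #    in any RoleMemberAttributes (one membership check per group entry).
    for dn, entry in DIRECTORY.items():
        if _under_base(dn):
            members = {m.lower() for a in _split("RoleMemberAttributes")
                       for m in entry.get(a, [])}
            if user_dn.lower() in members:
                roles.add(_role_name(dn))
    # 3. Freeform: the attribute values themselves are the role names; no role entry exists.
    for attr in _split("UserFreeformRoleMembershipAttributes"):
        roles.update(user.get(attr, []))
    return roles
```

Running `compute_roles(USER_DN)` yields the Admins role from the user-level attribute, Operators from the group membership scan, and the department number 4100 as a freeform role.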

Related reference
LDAP Configuration Properties
Example: LDAP Role Computation
