LDAP Role Computation

Role checks are the primary means of performing access control when using LDAP authentication. Authentication and attribution capabilities both utilize role computation techniques to enumerate roles that both authenticated users have.

There are three distinct types of role constructs supported by LDAP providers; each may be used independently, or all three may be configured to be used at the same time.

User-level role attributes, specified by the UserRoleMembershipAttributes configuration property, are the most efficient role definition format. A user's roles are enumerated by a read-only directory server-managed attribute on the user's LDAP record. The advantage to this technique is the efficiency with which role memberships can be queried, and the ease of management using the native LDAP server's management tools. These constructs are supported directly by ActiveDirectory products, and use these configuration options:
- UserRoleMembershipAttributes – the multivalued attribute on the user's LDAP record that lists the role DNs that the user is a member of. An example value for this property is "memberOf" on ActiveDirectory.
- RoleSearchBase – the search base under which all user roles are found, for example, "ou=Roles,dc=sybase,dc=com". This value may also be the root search base of the directory server.
- RoleFilter – the search filter that, coupled with the search base, retrieves all roles on the server.
- (Optional) RoleScope – enables role retrieval from subcontexts under the search base.
- (Optional) RoleNameAttribute –choose an attribute other than "cn" to define the name of roles.
These properties retrieve correct values automatically based on the type of server you configure.
LDAP group role definitions may be used as role definitions. This is a common construct among older LDAP servers, but is supported by nearly all LDAP servers. You may select this approach to use the same LDAP schema across multiple LDAP server types. Unlike the user-level role attributes, LDAP group memberships are stored and checked on a group-by-group basis. Each defined group, typically of objectclass "groupofnames" or "groupofuniquenames," has an attribute listing all of the members of the group. The configuration settings used are the same as for user-level role attributes, except for the RoleMemberAttributes property, which replaces the UserRoleMembershipAttributes property. This property defines a comma-delimited list of attributes that contain the members of the group. An example value for this property is "uniquemember,member," which represents the membership attributes in the above-mentioned LDAP objectclasses.
Freeform role definitions are unique in that the role itself does not have an actual entry in the LDAP database. A freeform role starts with the definition of one or more user-level attributes. When roles are calculated for a user, the collective values of the attributes (each of which may can be multivalued) are added as roles to which the user belongs. This technique is particularly useful when the overhead of managing roles uses are administration-heavy. For example, assign a freeform role definition that is equivalent to the department number of the user. A role check performed on a specific department number is satisfied only by users who have the appropriate department number attribute value. The only property that is required or used for this role mapping technique is the comma-delimited UserFreeformRoleMembershipAttributes property.