summaryrefslogtreecommitdiffstats
path: root/contrib/slapd-modules/rbac/slapo-rbac.5
blob: 453bcbc217d0157d232fdced30ca004cede0fce4 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
.TH SLAPO_RBAC 5 "RELEASEDATE" "OpenLDAP LDVERSION"
.\" Copyright 1999-2021 SYMAS Corporation All Rights Reserved.
.\" Copying restrictions apply.  See COPYRIGHT/LICENSE.
.\" $OpenLDAP$
.SH NAME
slapo\-rbac \- RBAC0 overlay to slapd
.SH SYNOPSIS
ETCDIR/slapd.conf
.SH DESCRIPTION
.LP
The 
.B slapo-rbac
overlay
is an implementation of the ANSI INCITS 359 Role-Based Access Control (RBAC) Core.
When instantiated, it intercepts, decodes and enforces specific RBAC policies per the Apache Fortress RBAC data formats.
.P
The overlay provides a set of extended operations.
They include session create/delete, checkAccess, addActiveRole, dropActiveRole and sessionRoles.
.P

.SH CONFIGURATION
These 
.B slapd.conf
configuration options apply to the slapo-rbac overlay. 

.TP
.B overlay	rbac
This tag gets applied to the RBAC configuration db (see example below).
.TP
.B rbac-default-users-base-dn "ou=People,dc=example,dc=com"
Points to the container that contains the Apache Fortress users.
.TP
.B rbac-default-roles-base-dn "ou=Roles,ou=RBAC,dc=example,dc=com"
Points to the container that contains the Apache Fortress roles.
.TP
.B rbac-default-permissions-base-dn "ou=Permissions,ou=RBAC,dc=example,dc=com"
Points to the container that contains the Apache Fortress perms.
.TP
.B rbac-default-sessions-base-dn "cn=rbac"
Points to the suffix of the RBAC sessions.
.TP
.B rbac-default-audit-base-dn "cn=audit"
Points to the suffix where the audit records are stored.
.TP
.B rbac-admin "cn=manager,dc=example,dc=com"
A service account that has read access to the entire Apache Fortress DIT.
.TP
.B rbac-pwd "{SSHA}pSOV2TpCxj2NMACijkcMko4fGrFopctU"
The password according to the service account.
.TP
.B rbac-session-admin "cn=manager,cn=rbac"
The root dn of the RBAC sessions database.
.TP
.B rbac-session-admin-pwd {SSHA}pSOV2TpCxj2NMACijkcMko4fGrFopctU
The password corresponding with the session database.
.TP
.RE

.SH EXAMPLES
.LP
.RS
.nf

This overlay requires the
.B rbac.schema
loaded and three additional database config sections, one to store rbac
sessions, second to store the audit records and third to hold the overlay's
config parameters. They should appear after the existing Apache Fortress db
config.

.TP 
1. Session Database: Used to store the RBAC sessions corresponding to a logged in user.
.B database	mdb
.B suffix	"cn=rbac"
.B rootdn	"cn=manager,cn=rbac"
.B rootpw	{SSHA}pSOV2TpCxj2NMACijkcMko4fGrFopctU
.B index	rbacSessid  eq
.B directory	"/var/openldap/rbacsess"
.B overlay	dds
.B dds-default-ttl	3600
.B dds-max-dynamicObjects	100000
.B dbnosync
.B checkpoint	64 5
.PP

.TP
2. Audit Database: Stores records that track user's activities.
.B database	mdb
.B suffix	"cn=audit"
.B rootdn	"cn=manager,cn=audit"
.B rootpw	{SSHA}pSOV2TpCxj2NMACijkcMko4fGrFopctU
.B directory	"/var/openldap/rbacaudit"
.B dbnosync
.B checkpoint    64 5

.PP

.TP
3. Config Database: Stores the parameters needed for this overlay to work.
.B database	mdb
.B suffix		"dc=rbac"
.B rootdn		"cn=manager,dc=rbac"
.B rootpw		{SSHA}pSOV2TpCxj2NMACijkcMko4fGrFopctU
.B directory	"/var/openldap/rbacoverlay"
.B overlay	rbac
.B rbac-default-tenant-id "example"
.B rbac-default-users-base-dn "ou=People,dc=example,dc=com"
.B rbac-default-roles-base-dn "ou=Roles,ou=RBAC,dc=example,dc=com"
.B rbac-default-permissions-base-dn "ou=Permissions,ou=RBAC,dc=example,dc=com"
.B rbac-default-sessions-base-dn "cn=rbac"
.B rbac-default-audit-base-dn "cn=audit"
.B rbac-admin "cn=manager,dc=example,dc=com"
.B rbac-pwd "{SSHA}pSOV2TpCxj2NMACijkcMko4fGrFopctU"
.B rbac-session-admin "cn=manager,cn=rbac"
.B rbac-session-admin-pwd {SSHA}pSOV2TpCxj2NMACijkcMko4fGrFopctU

.fi
.RE

.SH SEE ALSO
.BR ldap (3),
.BR slapd.conf (5),
.BR slapd\-config (5),
.BR slapo\-chain (5).
.LP
"OpenLDAP Administrator's Guide" (http://www.OpenLDAP.org/doc/admin/)
.LP

.BR ldap (3),
.BR slapd.conf (5),
.BR slapd\-config (5),
.BR slapo\-chain (5).
.LP
"OpenLDAP Administrator's Guide" (http://www.OpenLDAP.org/doc/admin/)
.LP

.UR https://profsandhu.com/journals/tissec/ANSI+INCITS+359-2004.pdf
.UE ANSI INCITS 359 Role-Based Access Control specification

.UR https://github.com/apache/directory-fortress-core/blob/master/README.md
.UE Apache Fortress README

.UR https://github.com/apache/directory-fortress-core/blob/master/README-QUICKSTART-SLAPD.md
.UE Apache Fortress OpenLDAP Quickstart 

.UR https://github.com/apache/directory-fortress-core/blob/master/ldap/schema/fortress.schema
.UE Apache Fortress RBAC schema

.SH BUGS
This overlay is experimental.

.SH ACKNOWLEDGEMENTS
.P
This module was written in 2013 by Ted Cheng of Symas Corporation
with a little help from Matt Hardin, Howard Chu, Shawn McKinney.
.P
.so ../Project