{scrollbar}

----
{quote}
(!) Note
This [HowTo|HowTo O3 Security over LDAP and Active Directory] shows more details on settings over LDAP
{quote}
In this case, users and roles are defined with the commonly used LDAP tools. The characteristics that users and roles created in the LDAP server must have in order to be usable by O3 Server are detailed below.

h3. User Requirements

In order to ensure the proper operation of O3 Server over an LDAP repository, all users created in it must meet the following conditions:
* Users must be created in the context or directory identified by the *Search Base Path* parameter.
* All users will be assigned the *objectclass* attribute, with the *humanParticipant* value besides any other values this attribute might have.
* All users will be assigned the *uid* attribute, whose value will be the login used to connect to O3 Server.
* All users will be assigned the *cn* attribute, whose value will be the real user name. It does not need to match the value assigned to *uid*.
* Each user will have an assigned set of roles. This is done through the *assignedRoles* attribute, whose value must be the list of roles. The list contains the names of the roles involved, separated by ":" (colon), and must also end in ":" (colon).
* For a user to have administrator rights in O3 Server, they must have been assigned the role specified by the *Administrator Role* parameter.

h3. Role Requirements

In order to ensure the proper operation of O3 Server over an LDAP repository, all roles created in it must meet the following conditions:
* Roles must be created in the context or directory identified by the *Search Base Path* parameter (refer to the "LDAP Parameters" section for details on the parameters).
* All roles will be assigned the *objectclass* attribute, with the *ftorganizationalrole* value besides any other values this attribute might have.
* All roles will be assigned the *cn* attribute, whose value will be the role name.
* All roles will be assigned the *description* attribute, whose value will be the role name.

h3. Example of an LDAP database to be used by O3

What follows is an example of the directory entry structure in an LDAP used by O3.

{noformat}
c=uy
   o=IdeaSoft
      cn=Directory Administrators
      ou=Groups
      ou=People
        uid=admin
        uid=user
        uid=o3admin
        uid=o3user
{noformat}

In addition, the entries within the *ou=People* context or directory have the following attributes:

{noformat}
uid=user
   cn=Usuario estándar de O3
   objectClass=humanparticipant
   assignedRoles=o3user:

uid=admin
   cn=Usuario Administrador de O3
   objectClass=humanparticipant
   assignedRoles=o3admin:

uid=o3admin
   cn=o3admin
   description=Rol de Administradores de O3
   objectClass=ftorganizationalrole

uid=o3user
   cn=o3user
   description=Rol de Usuarios de O3
   objectClass=ftorganizationalrole
{noformat}

With the *Search Base Path* set to the "*ou=People, o=IdeaSoft, c=uy*" context or directory, O3 Server will interpret the *"uid=user"* entry as a user with login "user", name *"O3 Standard User"* and associated role "*o3user*".

In the same way, it will interpret the *"uid=admin"* entry as a user with login *"admin"*, name "O3 Administrator User" and associated role *"o3admin"*. Since "o3admin" was declared in the *Administrator Role* parameter, this user will have administrator rights.

The "*uid=o3admin*" and "*uid=o3user*" entries are interpreted as roles in the same way.
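The following is an added example, not part of the original page or of O3 itself: it applies the user and role requirements above to a set of constructed directory entries, flags the ones O3 Server could not use (a user outside the Search Base Path, an assignedRoles list without the trailing colon), and lists which users actually end up with administrator rights. SEARCH_BASE and ADMIN_ROLE are assumed values standing in for the *Search Base Path* and *Administrator Role* parameters.

```python
# Added example (not O3's own code): check directory entries against the O3 Server
# requirements above and list who gets administrator rights. The entries are constructed
# samples; SEARCH_BASE and ADMIN_ROLE are assumed values for the two O3 parameters.
SEARCH_BASE = "ou=People,o=IdeaSoft,c=uy"
ADMIN_ROLE = "o3admin"
ENTRIES = [
    {"dn": "uid=user,ou=People,o=IdeaSoft,c=uy", "uid": "user", "cn": "Usuario estandar de O3",
     "objectClass": ["top", "humanParticipant"], "assignedRoles": "o3user"},  # missing final ':'
    {"dn": "uid=admin,ou=People,o=IdeaSoft,c=uy", "uid": "admin", "cn": "Usuario Administrador de O3",
     "objectClass": ["top", "humanParticipant"], "assignedRoles": "o3admin:o3user:"},
    {"dn": "uid=o3admin,ou=People,o=IdeaSoft,c=uy", "uid": "o3admin", "cn": "o3admin",
     "objectClass": ["ftorganizationalrole"], "description": "Rol de Administradores de O3"},
    {"dn": "uid=guest,ou=Groups,o=IdeaSoft,c=uy", "uid": "guest", "cn": "Guest account",
     "objectClass": ["humanParticipant"], "assignedRoles": "o3admin:"},  # outside the base path
]

def assigned_roles(entry):
    """Split the ':'-separated assignedRoles list; the page requires a trailing ':' too."""
    raw = entry.get("assignedRoles", "")
    if not raw.endswith(":"):
        raise ValueError(f"{entry['uid']}: assignedRoles must end with ':'")
    return {r for r in raw.split(":") if r}

def check_entry(entry):
    """Return the requirement violations for one entry; an empty list means O3 can use it."""
    problems, classes = [], {c.lower() for c in entry.get("objectClass", [])}  # LDAP values are case-insensitive
    if not entry["dn"].lower().endswith("," + SEARCH_BASE.lower()):
        problems.append("outside Search Base Path")
    if "humanparticipant" in classes:
        if not (entry.get("uid") and entry.get("cn")):
            problems.append("user needs uid and cn")
        try:
            assigned_roles(entry)
        except ValueError as exc:
            problems.append(str(exc))
    elif "ftorganizationalrole" in classes:
        if not (entry.get("cn") and entry.get("description")):
            problems.append("role needs cn and description")
    else:
        problems.append("objectClass has neither humanParticipant nor ftorganizationalrole")
    return problems

def o3_admins(entries):
    """uids O3 Server will grant administrator rights: valid users in the base carrying ADMIN_ROLE."""
    admins = []
    for e in entries:
        is_user = "humanparticipant" in {c.lower() for c in e.get("objectClass", [])}
        if is_user and not check_entry(e) and ADMIN_ROLE in assigned_roles(e):
            admins.append(e["uid"])
    return admins
```

Running `check_entry` over every entry before enabling the LDAP repository is a cheap way to catch a role list that O3 would silently fail to parse, and `o3_admins` shows exactly which accounts the *Administrator Role* setting elevates.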

----
{children}
{scrollbar}