Hi Martin,
> But I've got a problem understanding the semantics of the user's role.
> In the "internal database" configuration each individual user is listed in the configuration. Every user entry must have a single "role" entry that is used in Access Control initialization. If it is not set, the AC module complains with error 6293013 (see getRole()).
This is not fully correct. You get this error message if map_role is "yes" and there is no role configured. If you set map_role to "no" then you must not set $self->{ident}->{role}. The username itself is used for the access control in this case ($self->{ident}->{name}). Please see function getRole in OpenCA::AC.
> However, if I use an external program for authentication, I do not know which user(s) will login, so I don't have an explicit Role for the user that *will* login now.
You have to set map_role to "no" in this case but you must configure the ACL per user in this case (or you have to deactivate the ACL).
> I thought it would be possible to have the external authentication program print out the user role on STDOUT after successful authentication and use this as the user role, but this is too late.
Why is this too late? This is exactly the right moment. First the function login is called. The external program is invoked which returns the role if the login is ok. This role is set for $self->{ident}->{role}. After the authentication the ACL will be evaluated and there a function getRole will be called. This function reads its information from $self->{ident}->{role}.
> Any ideas about this? What semantics are expected on this role mapping stuff?
The role mapping was implemented for normal login too and not only for X.509 login to give the administrators a chance to build groups for the configuration of the ACL.
> Is the required role for each user on one single node (CA, RA, LDAP, etc) always the same or can it differ between users?
The role only depends on the authentication mechanism. If you use OpenCA certs then the role is defined by OpenCA. If you use login or an external program then you can define the semantic by yourself. It depends on the things you want to do with the ACL.
I hope this is understandable. I rewrote the complete access control stuff for OpenCA 0.9.2 to make it more modular for easier reviews and maintenance. If you have comments on the architecture of OpenCA::AC then please write them.
Michael

--
-------------------------------------------------------------------
Michael Bell                           Email: [EMAIL PROTECTED]
ZE Computer- und Medienservice         Tel.: +49 (0)30-2093 2482
(Computing Centre)                     Fax:  +49 (0)30-2093 2704
Humboldt-University of Berlin
Unter den Linden 6                     Email (private): [EMAIL PROTECTED]
10099 Berlin, Germany                  http://www.openca.org
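The login-then-getRole flow described in this reply, as an added Perl illustration that is not OpenCA's own code: the `auth_cmd` key, the stand-in external program and the sample user are constructed here; only the `map_role`, `$self->{ident}->{role}` and `$self->{ident}->{name}` semantics come from the message above.

```perl
use strict;
use warnings;
use IPC::Open2;

# Constructed stand-in for the external authentication program: reads user and
# password from STDIN, prints the role on STDOUT and exits 0 only on success.
my @AUTH_CMD = ('perl', '-e',
    'my $u=<STDIN>; my $p=<STDIN>; chomp($u,$p);'
  . 'if ($u eq "martin" && $p eq "secret") { print "RA Operator\n"; exit 0 } exit 1');

# Run the external program; its STDOUT is the role, its exit code the verdict.
sub external_login {
    my ($cmd, $user, $pass) = @_;
    my $pid = open2(my $out, my $in, @$cmd);
    print {$in} "$user\n$pass\n";    # credentials on stdin, not on the command line
    close $in;
    my $role = <$out>;
    close $out;
    waitpid($pid, 0);
    return undef if $? != 0;         # non-zero exit: login refused, no role
    chomp $role if defined $role;
    return $role;
}

# login stores name and role in $self->{ident}; getRole reads them later.
sub login {
    my ($self, $user, $pass) = @_;
    my $role = external_login($self->{auth_cmd}, $user, $pass);
    return 0 unless defined $role && length $role;
    $self->{ident}->{name} = $user;
    $self->{ident}->{role} = $role;
    return 1;
}

# map_role "yes": the role is the ACL subject and must be present (OpenCA reports
# error 6293013 when it is missing); map_role "no": the username is used instead.
sub getRole {
    my ($self) = @_;
    if ($self->{map_role} eq 'yes') {
        die "role missing although map_role is yes (cf. error 6293013)\n"
            unless defined $self->{ident}->{role};
        return $self->{ident}->{role};
    }
    return $self->{ident}->{name};
}

for my $map ('yes', 'no') {
    my $self = { auth_cmd => \@AUTH_CMD, map_role => $map, ident => {} };
    next unless login($self, 'martin', 'secret');
    printf "map_role=%s -> ACL evaluated for '%s'\n", $map, getRole($self);
}
```

With map_role "yes" the ACL subject is the role the external program printed ("RA Operator"); with "no" it is the login name ("martin"), so the per-user ACL configuration is needed in that case.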