Hi Michael,

> This is not fully correct. You get this error message if map_role is
> "yes" and there is no role configured. If you set map_role to "no" then
> you must not set $self->{ident}->{role}. The username itself is used for
> the access control in this case ($self->{ident}->{name}). Please see
> function getRole in OpenCA::AC.

Yes, I found it. If I set map_role to no, then my login works. I just
thought I needed the role mapping anyway. For now this is OK for me.

>> However, if I use an external program for authentication, I do not
>> know which user(s) will login, so I don't have an explicit Role
>> for the user that *will* login now.
>
> You have to set map_role to "no" in this case but you must configure the
> ACL per user in this case (or you have to deactivate the ACL).

OK, understood. So when I use my external authentication I have to enforce
authorization myself, e.g. configure my external authentication program to
check if the successfully logged in user is allowed to perform the required
action. Then I could deactivate the OpenCA ACL mechanism, right?

Originally I was thinking the external program could return one (or more)
roles the logged in user belongs to. This information could then be used to
determine the rights the user is granted during his session. But this is
obviously not how it was intended.

>> I thought it would be possible to have the external authentication
>> program print out the user role on STDOUT after successful
>> authentication and use this as the user role, but this is too late.
>
> Why is this too late? This is exactly the right moment. First the
> function login is called. The external program is invoked which returns
> the role if the login is ok. This role is set for
> $self->{ident}->{role}. After the authentication the ACL will be
> evaluated and there a function getRole will be called. This function
> reads its information from $self->{ident}->{role}.

Because I noticed that getRole was performed in the constructor, when this
data was not yet known to the module. In my use case the role would only be
known after the actual authentication.

> The role mapping was implemented for normal login too and not only for
> X.509 login to give the administrators a chance to build groups for the
> configuration of the ACL.
>> Is the required role for each user on one single node (CA, RA, LDAP,
>> etc.) always the same or can it differ between users?
>
> The role only depends on the authentication mechanism. If you use OpenCA
> certs then the role is defined by OpenCA. If you use login or an
> external program then you can define the semantics by yourself. It
> depends on the things you want to do with the ACL.
>
> I hope this is understandable. I rewrote the complete access control
> stuff for OpenCA 0.9.2 to make it more modular for easier reviews and
> maintenance. If you have comments on the architecture of OpenCA::AC then
> please write it.

Yes, it really is understandable and helped me a lot.

Martin

_______________________________________________
OpenCA-Devel mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/openca-devel
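The login-then-ACL flow that Michael describes above (external program is invoked, its output becomes $self->{ident}->{role}, then getRole is consulted by the ACL), written out as an added example. This is not OpenCA's own OpenCA::AC code: the function names login, getRole and check_acl, the layout of the ident hash, the helper's STDIN/STDOUT contract, the user table and the ACL entries are all assumptions made for the illustration. The "external program" is embedded as Perl code run in a child process so the script runs stand-alone with `perl`.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use IPC::Open2;

# Stand-in for the external authentication program. In a real deployment
# this is a separate binary configured in OpenCA; here it is Perl code run
# in a child process so the example is self-contained. Its contract is an
# assumption of this example: read "user\npassword\n" from STDIN, print
# the role on STDOUT and exit 0 on success, exit 1 otherwise. The user
# table is constructed for the example.
my $HELPER = <<'EOF';
my %users = (alice => ['alice-pw', 'RA Operator'], bob => ['bob-pw', 'User']);
my $u = <STDIN>; my $p = <STDIN>;
chomp($u) if defined $u; chomp($p) if defined $p;
exit 1 unless defined $u and defined $p and exists $users{$u} and $users{$u}[0] eq $p;
print $users{$u}[1], "\n";
exit 0;
EOF
my @AUTH_CMD = ($^X, '-e', $HELPER);

# Roles the (hypothetical) ACL configuration knows about. Whatever the
# helper prints is checked against this list instead of being trusted.
my %KNOWN_ROLES = map { $_ => 1 } ('CA Operator', 'RA Operator', 'User');

# login(): run the helper, hand it the credentials on STDIN (not on argv,
# where `ps` could show the password), check its exit status, and fill
# $self->{ident} as the thread describes: name always, role only when
# map_role is "yes".
sub login {
    my ($self, $user, $pass) = @_;
    my ($rd, $wr);
    my $pid = eval { open2($rd, $wr, @AUTH_CMD) };
    return 0 unless $pid;
    print $wr "$user\n$pass\n";
    close $wr;
    my $role = <$rd>;
    close $rd;
    waitpid($pid, 0);
    return 0 if ($? >> 8) != 0;          # helper rejected the credentials
    $role = '' unless defined $role;
    chomp $role;
    if ($self->{map_role} eq 'yes') {
        return 0 unless $KNOWN_ROLES{$role};   # unknown role: refuse login
        $self->{ident}->{role} = $role;
    }
    $self->{ident}->{name} = $user;
    return 1;
}

# getRole(): the principal the ACL evaluates. With map_role "yes" it is the
# mapped role (and a missing role is the error from the thread); with
# map_role "no" it is the username itself.
sub getRole {
    my ($self) = @_;
    if ($self->{map_role} eq 'yes') {
        die "map_role is \"yes\" but no role is configured for this login\n"
            unless defined $self->{ident}->{role};
        return $self->{ident}->{role};
    }
    return $self->{ident}->{name};
}

# Constructed ACL: principals (roles or, with map_role "no", usernames)
# allowed to perform each operation.
my %ACL = (
    issue_certificate => { 'CA Operator' => 1 },
    approve_request   => { 'RA Operator' => 1, alice => 1 },
    view_own_cert     => { 'User' => 1, 'RA Operator' => 1, bob => 1 },
);

sub check_acl {
    my ($self, $op) = @_;
    my $who = getRole($self);
    return ($ACL{$op} && $ACL{$op}{$who}) ? 1 : 0;
}

for my $map_role ('yes', 'no') {
    my $self = { map_role => $map_role, ident => {} };
    printf "map_role=%-3s login(alice): %s\n", $map_role,
        login($self, 'alice', 'alice-pw') ? 'ok' : 'failed';
    for my $op (sort keys %ACL) {
        printf "  %-18s as %-12s => %s\n", $op, getRole($self),
            check_acl($self, $op) ? 'allowed' : 'denied';
    }
    my $bad = { map_role => $map_role, ident => {} };
    printf "  login(alice, wrong password): %s\n",
        login($bad, 'alice', 'wrong') ? 'ok' : 'failed';
}
```

Running it once with map_role "yes" and once with "no" shows the two modes from the thread side by side: with "yes" alice is evaluated as "RA Operator" and inherits whatever that role may do, with "no" the ACL is keyed on the username "alice" alone and nothing else applies. Three points are deliberate and worth keeping in any real helper: the password goes over STDIN rather than argv, the helper's exit status is checked before its output is believed, and the returned role is validated against the roles the ACL actually knows instead of being copied into the session verbatim.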