An authorization rule is used to perform access checks for authenticated user IDs against lists of services defined within the rule. This feature is available on UNIX and Windows using EntireX Security on these platforms. Authorization rules can be stored in the Broker attribute file or in an LDAP repository.
The value of SECURITY-SYSTEM in the DEFAULTS=SECURITY section of the Broker attribute file determines the location of the authorization rules:
Broker Attribute File: Set SECURITY-SYSTEM=OS. Rules are defined in the new section DEFAULTS=AUTHORIZATION-RULES of the broker attribute file.
LDAP Repository: Set SECURITY-SYSTEM=LDAP. Rules are stored in an LDAP repository. The security-specific attributes LDAP-AUTHENTICATION-URL and LDAP-AUTHORIZATION-URL define the parameters for access from the LDAP client side, and LDAP-AUTHORIZATION-RULE defines the applicable rule names.
Whenever an authorization call occurs, the Broker security exit performs checks based on the value of the security-specific attribute AUTHORIZATION-DEFAULT.
Examples of these two approaches are provided below.
Set SECURITY-SYSTEM=OS in the DEFAULTS=SECURITY section of the broker attribute file and define the individual rules under DEFAULTS=AUTHORIZATION-RULES.
A rule is a container for a list of services and a list of client and server user IDs.
All users defined in a rule are authorized to use all services defined in this rule.
```
DEFAULTS=SECURITY
  SECURITY-SYSTEM = OS
  SECURITY-LEVEL = AUTHORIZATION
  AUTHORIZATION-DEFAULT = NO

DEFAULTS=AUTHORIZATION-RULES
  RULE-NAME = rule1
    CLASS = class1, SERVER = server1, SERVICE = service1
    CLIENT-USER-ID = user1
    CLIENT-USER-ID = user2
    SERVER-USER-ID = user3
    SERVER-USER-ID = user4
  RULE-NAME = rule2
    CLASS = class2, SERVER = server2, SERVICE = service2
    CLASS = class3, SERVER = server3, SERVICE = service3
    CLIENT-USER-ID = user1
    CLIENT-USER-ID = user5
    CLIENT-USER-ID = user6
    SERVER-USER-ID = user7
```
This example results in the following permissions:

- user1 may send requests to all three services.
- user2 may send requests to service1 only.
- user5 and user6 may send requests to service2 and service3, but not to service1.
- user3 and user4 may run as servers of service1.
- user7 may run as server of service2 and service3.
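The permissions listed above can be derived mechanically from the rule definitions. The following Python script is an added example, not part of the EntireX documentation or product: it parses the DEFAULTS=AUTHORIZATION-RULES section of the attribute file shown above (embedded as constructed sample text) and answers the two questions the Broker security exit has to answer, whether a client user may send requests to a service and whether a server user may run as a server for it. Treating AUTHORIZATION-DEFAULT as the fallback whenever no rule lists the user for the service, and matching keywords case-insensitively, are assumptions about the Broker's behaviour; the function names are ours.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the DEFAULTS=SECURITY / DEFAULTS=AUTHORIZATION-RULES
# example from the page, written out as attribute-file text.
ATTRIBUTE_FILE = """\
DEFAULTS=SECURITY
  SECURITY-SYSTEM = OS
  SECURITY-LEVEL = AUTHORIZATION
  AUTHORIZATION-DEFAULT = NO

DEFAULTS=AUTHORIZATION-RULES
  RULE-NAME = rule1
    CLASS = class1, SERVER = server1, SERVICE = service1
    CLIENT-USER-ID = user1
    CLIENT-USER-ID = user2
    SERVER-USER-ID = user3
    SERVER-USER-ID = user4
  RULE-NAME = rule2
    CLASS = class2, SERVER = server2, SERVICE = service2
    CLASS = class3, SERVER = server3, SERVICE = service3
    CLIENT-USER-ID = user1
    CLIENT-USER-ID = user5
    CLIENT-USER-ID = user6
    SERVER-USER-ID = user7
"""


@dataclass
class Rule:
    """One RULE-NAME block: the services it covers and the users it permits."""
    name: str
    services: set = field(default_factory=set)      # (class, server, service) triples
    client_users: set = field(default_factory=set)  # CLIENT-USER-ID values
    server_users: set = field(default_factory=set)  # SERVER-USER-ID values


_SECTION_RE = re.compile(r"DEFAULTS\s*=\s*(\S+)", re.I)
_SERVICE_RE = re.compile(
    r"CLASS\s*=\s*([^,]+),\s*SERVER\s*=\s*([^,]+),\s*SERVICE\s*=\s*(\S+)", re.I)


def parse_rules(text):
    """Return {rule name: Rule} from the DEFAULTS=AUTHORIZATION-RULES section."""
    rules, section, current = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _SECTION_RE.match(line)
        if m:
            section, current = m.group(1).upper(), None
            continue
        if section != "AUTHORIZATION-RULES":
            continue                      # attributes of other sections are ignored here
        m = _SERVICE_RE.match(line)
        if m:
            if current is None:
                raise ValueError("service triple before any RULE-NAME: " + line)
            current.services.add(tuple(p.strip() for p in m.groups()))
            continue
        key, _, value = (p.strip() for p in line.partition("="))
        key = key.upper()
        if key == "RULE-NAME":
            current = rules.setdefault(value, Rule(value))
        elif key in ("CLIENT-USER-ID", "SERVER-USER-ID"):
            if current is None:
                raise ValueError("user ID before any RULE-NAME: " + line)
            (current.client_users if key == "CLIENT-USER-ID" else current.server_users).add(value)
        else:
            raise ValueError("unexpected attribute in AUTHORIZATION-RULES: " + line)
    return rules


def authorization_default(text):
    """True if AUTHORIZATION-DEFAULT=YES, i.e. allow when no rule matches (assumed meaning)."""
    m = re.search(r"AUTHORIZATION-DEFAULT\s*=\s*(YES|NO)", text, re.I)
    return m is not None and m.group(1).upper() == "YES"


def is_authorized(rules, user, role, service, default_allow=False):
    """role is 'client' (may send requests) or 'server' (may run as server)."""
    for rule in rules.values():
        users = rule.client_users if role == "client" else rule.server_users
        if service in rule.services and user in users:
            return True
    return default_allow      # no rule lists this user for this service


def authorized_services(rules, user, role):
    """All (class, server, service) triples the user is listed for in the given role."""
    found = set()
    for rule in rules.values():
        users = rule.client_users if role == "client" else rule.server_users
        if user in users:
            found |= rule.services
    return sorted(found)


if __name__ == "__main__":
    rules = parse_rules(ATTRIBUTE_FILE)
    default = authorization_default(ATTRIBUTE_FILE)
    for user in ("user1", "user2", "user5", "user3", "user7"):
        for role in ("client", "server"):
            print(user, role, authorized_services(rules, user, role))
    print("user2 -> service2:",
          is_authorized(rules, "user2", "client", ("class2", "server2", "service2"), default))
```

Running the script prints, for each user, exactly the service sets listed above; the final line shows that with AUTHORIZATION-DEFAULT=NO a user who is not listed for a service is refused.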
Attributes are described in more detail under Security-specific Attributes and Authorization Rule-specific Attributes.
Specify the URL of your LDAP server under LDAP-AUTHENTICATION-URL and LDAP-AUTHORIZATION-URL in the DEFAULTS=SECURITY section of the broker attribute file, and specify up to 16 rules with LDAP-AUTHORIZATION-RULE, as shown in the example below:
```
DEFAULTS=SECURITY
  SECURITY-SYSTEM = LDAP
  SECURITY-LEVEL = AUTHORIZATION
  LDAP-AUTHENTICATION-URL = "ldap://myhost.mydomain.com"
  LDAP-AUTHORIZATION-URL = "ldap://myhost.mydomain.com"
  LDAP-AUTHORIZATION-RULE = rule1
  LDAP-AUTHORIZATION-RULE = rule2
  ...
  LDAP-AUTHORIZATION-RULE = rule16
  LDAP-PERSON-BASE-BINDDN = "cn=users,dc=software-ag,dc=de"
  LDAP-SASL-AUTHENTICATION = YES
```
Note: We assume you can change authorization rules (add/modify/delete) in LDAP directly. Add or delete the corresponding authorization rule names in the Broker attribute file accordingly.
Attributes are described in more detail under Security-specific Attributes.
An LDAP server is a prerequisite (based on LDAPv3); it is not installed with EntireX.
For the installation of the LDAP server, see the respective product documentation. All servers have to support the attribute types sag-key and sag-value and the objectClass sag-xds. They are defined in the following schema:
```
attributetypes: ( 1.2.276.0.12.2.1.1 NAME 'sag-key' DESC 'User Defined Attribute' SYNTAX '1.3.6.1.4.1.1466.115.121.1.26' )
attributetypes: ( 1.2.276.0.12.2.1.2 NAME 'sag-value' DESC 'User Defined Attribute' SYNTAX '1.3.6.1.4.1.1466.115.121.1.5' )
objectclasses: ( 1.2.276.0.12.2.3.1 NAME 'sag-xds' DESC 'User Defined ObjectClass' SUP 'top' MUST ( objectclass $ sag-key ) MAY ( aci $ sag-value ) )
```
We recommend setting up a separate branch in the directory for authorization rules. The distinguished name of this branch is the value of the configuration setting specified with attribute LDAP-BASE-DN in section Security-specific Attributes in the platform-independent administration documentation.
The following example describes the data required in LDAP to define the authorization rule RULE1, restricting service SC1:SN1:SV1 (CLASS=SC1, SERVER=SN1, SERVICE=SV1) to the authorized client CLIENT1 and the authorized server SERVER1. It assumes attribute LDAP-BASE-DN was set to "dc=software-ag,dc=de".
Define the authorization rule:

```
sag-key=RULE1,sag-key=100,sag-key=AuthRules,sag-key=EntireX,sag-key=Software AG,dc=software-ag,dc=de
```

Define the service for the authorization rule:

```
sag-key=SC1:SN1:SV1,sag-key=RULE1,sag-key=100,sag-key=AuthRules,sag-key=EntireX,sag-key=Software AG,dc=software-ag,dc=de
```

Define a client user ID for the service:

```
sag-key=CLIENT1 [C,sag-key=SC1:SN1:SV1,sag-key=RULE1,sag-key=100,sag-key=AuthRules,sag-key=EntireX,sag-key=Software AG,dc=software-ag,dc=de
```

Define a server user ID for the service:

```
sag-key=SERVER1 [S,sag-key=SC1:SN1:SV1,sag-key=RULE1,sag-key=100,sag-key=AuthRules,sag-key=EntireX,sag-key=Software AG,dc=software-ag,dc=de
```
The part "sag-key=100,sag-key=AuthRules,sag-key=EntireX,sag-key=Software AG" identifies authorization rules in general. All of these values are fixed and must not be changed. The preceding "sag-key=RULE1" defines the name of an authorization rule. This rule name must have been defined with attribute LDAP-AUTHORIZATION-RULE in the Broker attribute file. The definition of a service requires "sag-key=SC1:SN1:SV1" in front of the complete rule data. User ID values contain the user ID plus a blank, an open square bracket and an uppercase C for clients or S for servers.
The following table lists the attribute type and value of each entry. All entries belong to objectClass sag-xds.
| Attribute Type | Value |
|---|---|
| sag-key | Software AG |
| sag-key | EntireX |
| sag-key | AuthRules |
| sag-key | 100 |
| sag-key | RULE1 |
| sag-key | SC1:SN1:SV1 |
| sag-key | CLIENT [C |
| sag-key | SERVER [S |
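To make the DN layout concrete, here is an added Python example (not EntireX code and not from this documentation) that builds the rule, service and user DNs from the fixed path, the rule name, the CLASS:SERVER:SERVICE key and the "user [C" / "user [S" value forms described above, and parses such a DN back into its parts. The RFC 4514 escaping of RDN values, the parse-back and the check that a rule name also appears among the LDAP-AUTHORIZATION-RULE attributes are our additions, and the function names are ours; the base DN and the example values are those of the page.

```python
BASE_DN = "dc=software-ag,dc=de"      # the page's example value of LDAP-BASE-DN
# Fixed path below the base DN that identifies authorization rules; must not be changed.
FIXED_RULE_PATH = ["100", "AuthRules", "EntireX", "Software AG"]
ROLE_TAG = {"client": "[C", "server": "[S"}   # suffix after the user ID and a blank


def escape_rdn_value(value):
    """Escape an RDN value as RFC 4514 requires (our addition; the page's
    example values need no escaping, but a user ID or class name with a
    comma or a leading '#' would)."""
    out = []
    for ch in value:
        out.append("\\" + ch if ch in ',+"\\<>;' else ch)
    s = "".join(out)
    if s.startswith(("#", " ")):
        s = "\\" + s
    if s.endswith(" "):
        s = s[:-1] + "\\ "
    return s


def rule_dn(rule_name, base_dn=BASE_DN):
    """DN of the rule entry: rule name, then the fixed path, then LDAP-BASE-DN."""
    parts = [rule_name] + FIXED_RULE_PATH
    return ",".join("sag-key=" + escape_rdn_value(p) for p in parts) + "," + base_dn


def service_dn(rule_name, cls, server, service, base_dn=BASE_DN):
    """DN of a service entry: the CLASS:SERVER:SERVICE key in front of the rule DN."""
    key = f"{cls}:{server}:{service}"
    return "sag-key=" + escape_rdn_value(key) + "," + rule_dn(rule_name, base_dn)


def user_dn(rule_name, cls, server, service, user_id, role, base_dn=BASE_DN):
    """DN of a user entry: 'user [C' (client) or 'user [S' (server) below the service."""
    value = f"{user_id} {ROLE_TAG[role]}"
    return "sag-key=" + escape_rdn_value(value) + "," + service_dn(
        rule_name, cls, server, service, base_dn)


def parse_user_dn(dn, base_dn=BASE_DN):
    """Inverse of user_dn: returns (user_id, role, (cls, server, service), rule_name).
    Raises ValueError if the DN does not follow the layout.  Assumes the values
    contain no escaped commas, which holds for the page's examples."""
    if not dn.endswith("," + base_dn):
        raise ValueError("DN is not below LDAP-BASE-DN")
    values = []
    for rdn in dn[: -len(base_dn) - 1].split(","):
        attr, _, val = rdn.partition("=")
        if attr != "sag-key":
            raise ValueError("unexpected attribute type: " + attr)
        values.append(val)
    # expected order: user value, service key, rule name, then the fixed path
    if len(values) != 3 + len(FIXED_RULE_PATH) or values[3:] != FIXED_RULE_PATH:
        raise ValueError("fixed AuthRules path missing or altered")
    user_part, service_key, rule_name = values[:3]
    user_id, sep, tag = user_part.rpartition(" ")
    roles = {tag: role for role, tag in ROLE_TAG.items()}
    if not sep or tag not in roles:
        raise ValueError("user value must end in ' [C' or ' [S'")
    triple = tuple(service_key.split(":"))
    if len(triple) != 3:
        raise ValueError("service key must be CLASS:SERVER:SERVICE")
    return user_id, roles[tag], triple, rule_name


def rule_is_registered(rule_name, attribute_file_rules):
    """The page requires every rule name in LDAP to be defined with
    LDAP-AUTHORIZATION-RULE in the attribute file; comparing names
    case-insensitively is our assumption."""
    return rule_name.upper() in {r.upper() for r in attribute_file_rules}


if __name__ == "__main__":
    print(rule_dn("RULE1"))
    print(service_dn("RULE1", "SC1", "SN1", "SV1"))
    print(user_dn("RULE1", "SC1", "SN1", "SV1", "CLIENT1", "client"))
    print(parse_user_dn(user_dn("RULE1", "SC1", "SN1", "SV1", "SERVER1", "server")))
    print(rule_is_registered("RULE1", ["rule1", "rule2"]))
```

The four printed DNs are exactly the four entries listed above; the parse-back rejects any DN whose fixed path has been edited, which is the check an administrator would want when rule entries are maintained by hand.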
Note: To deploy the sagxds schema on Microsoft Active Directory, do not use the Microsoft Active Directory tools for editing the schema. Use the following step-by-step instructions.

To deploy the sagxds schema:

1. Make a backup of the system state. Changes to the schema of Microsoft Active Directory are irreversible without a backup of the system state.
2. You must enable UPDATE schema. To make the Schema Master available, enter the following at a command prompt:

```
regsvr32.exe schmmgmt.dll
```

3. Enter MMC.
4. From the Console menu item, select: . Choose . Choose .
5. From the menu item of Active Directory Schema, select . Choose "The schema may be modified on this domain controller".
6. Copy the following text to the file sagxds.ldif:
```
# Add sag-value attribute
dn: CN=sag-value,CN=Schema,CN=Configuration,DC=<your domains name>
changetype: add
adminDisplayName: sag-value
attributeID: 1.2.276.0.12.2.1.2
attributeSyntax: 2.5.5.10
cn: sag-value
isSingleValued: FALSE
lDAPDisplayName: sag-value
distinguishedName: CN=sag-value,CN=Schema,CN=Configuration,DC=<your domains name>
objectCategory: CN=Attribute-Schema,CN=Schema,CN=Configuration,DC=<your domains name>
objectClass: attributeSchema
oMSyntax: 4
name: sag-value

# Add sag-key attribute
# Active Directory requires the naming attribute (RDN) to be of syntax DirectoryString
dn: CN=sag-key,CN=Schema,CN=Configuration,DC=<your domains name>
changetype: add
adminDisplayName: sag-key
attributeID: 1.2.276.0.12.2.1.1
attributeSyntax: 2.5.5.12
cn: sag-key
isMemberOfPartialAttributeSet: TRUE
isSingleValued: TRUE
lDAPDisplayName: sag-key
distinguishedName: CN=sag-key,CN=Schema,CN=Configuration,DC=<your domains name>
objectCategory: CN=Attribute-Schema,CN=Schema,CN=Configuration,DC=<your domains name>
objectClass: attributeSchema
oMSyntax: 64
name: sag-key
searchFlags: 1

# Update the schema
DN:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-

# Add sag-xds class
dn: CN=sag-xds,CN=Schema,CN=Configuration,DC=<your domains name>
changetype: add
adminDescription: sag-xds
adminDisplayName: sag-xds
cn: sag-xds
defaultObjectCategory: CN=sag-xds,CN=Schema,CN=Configuration,DC=<your domains name>
governsID: 1.2.276.0.12.2.3.1
lDAPDisplayName: sag-xds
mayContain: sag-value
mustContain: sag-key
distinguishedName: CN=sag-xds,CN=Schema,CN=Configuration,DC=<your domains name>
objectCategory: CN=Class-Schema,CN=Schema,CN=Configuration,DC=<your domains name>
objectClass: classSchema
objectClassCategory: 1
possSuperiors: container
name: sag-xds
rDNAttID: sag-key
subClassOf: top

# Update the schema
DN:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-

# Modify sag-xds class
# Make sag-xds a possSuperior. This means a sag-xds class can contain other sag-xds classes.
dn: CN=sag-xds,CN=Schema,CN=Configuration,DC=<your domains name>
changetype: modify
add: possSuperiors
possSuperiors: sag-xds
-

# Update the schema
DN:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-
```
7. Replace all instances of dc=<your domain name> with your domain name, for example dc=myunit,dc=mycompany,dc=com.
8. Run it with the command:

```
ldifde -s <your server> -b <account> <domain> <password> -i -f sagxds.ldif
```
9. Add containers that represent the base DN of the authorization rules. These containers determine the value of attribute LDAP-BASE-DN under Broker Attributes. Example (for two containers, the second nested inside the first):

```
dn: CN=<your container 1>,DC=<your domain name>
changetype: add
cn: <your container 1>
objectclass: container

dn: CN=<your container 2>,CN=<your container 1>,DC=<your domain name>
changetype: add
cn: <your container 2>
objectclass: container
```

10. With the utilities for Microsoft Active Directory, set the permissions to read and to modify the containers.