LDAP Role Computation

Role checks are the primary means of performing access control when using LDAP authentication. After authentication, the provider uses the role computation techniques described here to enumerate the roles that the authenticated user holds.

There are three distinct types of role constructs supported by LDAP providers; each may be used independently, or all three may be configured to be used at the same time.
  • User-level role attributes, specified by the UserRoleMembershipAttributes configuration property, are the most efficient role definition format. A user's roles are enumerated by a read-only, directory-server-managed attribute on the user's LDAP record. The advantages of this technique are the efficiency with which role memberships can be queried and the ease of management using the native LDAP server's management tools. These constructs are supported directly by ActiveDirectory, and use these configuration options:
    • UserRoleMembershipAttributes – the multivalued attribute on the user's LDAP record that lists the role DNs that the user is a member of. An example value for this property is "memberOf" on ActiveDirectory.
    • RoleSearchBase – the search base under which all user roles are found, for example, "ou=Roles,dc=sap,dc=com". This value may also be the root search base of the directory server.
    • RoleFilter – the search filter that, coupled with the search base, retrieves all roles on the server.
    • (Optional) RoleScope – enables role retrieval from subcontexts under the search base.
    • (Optional) RoleNameAttribute – choose an attribute other than "cn" to define the name of roles.

    These properties are set to default values based on the configured server type. However, they can be set explicitly if no server type is configured, or to override the defaults defined for a server type.

  • LDAP servers allow groups to be members of other groups (nested groups). The LDAP provider does not compute group membership recursively. Instead, nested group membership is taken into account for role computation only if the LDAP server provides a user attribute that contains the complete list of group memberships, including static, dynamic, and nested group memberships.
  • Freeform role definitions are unique in that the role itself does not have an actual entry in the LDAP database. A freeform role starts with the definition of one or more user-level attributes. When roles are calculated for a user, the collective values of those attributes (each of which can be multivalued) are added as roles to which the user belongs. This technique may be useful when managing role entries becomes administratively complex. For example, define a freeform role from the user's department number attribute: a role check performed on a specific department number is satisfied only by users whose department number attribute has that value. The only property that is required or used for this role mapping technique is the comma-delimited UserFreeformRoleMembershipAttributes property.
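The following is an added example, not code from the original documentation or from the LDAP provider it describes. It models the role computation rules above offline: the directory is a constructed in-memory map of DN to attributes, the configuration uses the property names from the page (UserRoleMembershipAttributes, RoleSearchBase, RoleFilter, RoleScope, RoleNameAttribute, UserFreeformRoleMembershipAttributes), and RoleFilter matching is a hypothetical simplification that only understands a single `(attribute=value)` term. It covers both the user-level role attributes and the freeform roles, and the sample data is arranged so that a group reachable only through nested membership is not granted, as the nested-group note states.

```python
import re

# Constructed sample directory: DN -> attributes (every value is a list, as in LDAP).
# cn=ops is itself a member of cn=admins, so bob reaches admins only through nesting,
# which the provider does not walk; alice's memberOf also lists a group outside the
# role search base and one in a subcontext, to exercise RoleSearchBase and RoleScope.
DIRECTORY = {
    "cn=admins,ou=Roles,dc=sap,dc=com": {
        "objectClass": ["groupOfNames"], "cn": ["admins"], "description": ["Administrators"],
        "member": ["cn=alice,ou=People,dc=sap,dc=com", "cn=ops,ou=Roles,dc=sap,dc=com"],
    },
    "cn=ops,ou=Roles,dc=sap,dc=com": {
        "objectClass": ["groupOfNames"], "cn": ["ops"], "description": ["Operators"],
        "member": ["cn=bob,ou=People,dc=sap,dc=com"],
    },
    "cn=auditors,ou=Sub,ou=Roles,dc=sap,dc=com": {   # subcontext: needs RoleScope
        "objectClass": ["groupOfNames"], "cn": ["auditors"], "description": ["Auditors"],
        "member": ["cn=alice,ou=People,dc=sap,dc=com"],
    },
    "cn=staff,ou=Lists,dc=sap,dc=com": {              # outside RoleSearchBase
        "objectClass": ["groupOfNames"], "cn": ["staff"],
        "member": ["cn=alice,ou=People,dc=sap,dc=com", "cn=bob,ou=People,dc=sap,dc=com"],
    },
    "cn=alice,ou=People,dc=sap,dc=com": {
        "memberOf": ["cn=admins,ou=Roles,dc=sap,dc=com",
                     "cn=auditors,ou=Sub,ou=Roles,dc=sap,dc=com",
                     "cn=staff,ou=Lists,dc=sap,dc=com"],
        "departmentNumber": ["4711"],
    },
    "cn=bob,ou=People,dc=sap,dc=com": {
        "memberOf": ["cn=ops,ou=Roles,dc=sap,dc=com", "cn=staff,ou=Lists,dc=sap,dc=com"],
        "departmentNumber": ["4711"],
    },
}

# Provider configuration using the property names from the page (values constructed).
CONFIG = {
    "UserRoleMembershipAttributes": "memberOf",
    "RoleSearchBase": "ou=Roles,dc=sap,dc=com",
    "RoleFilter": "(objectClass=groupOfNames)",
    "RoleScope": False,                      # True also searches subcontexts
    "RoleNameAttribute": "cn",
    "UserFreeformRoleMembershipAttributes": "departmentNumber",
}

_FILTER = re.compile(r"^\((\w+)=([^)]+)\)$")   # simplification: one equality term only


def _norm(dn):
    """Normalise a DN for comparison: lower-case, no spaces around commas."""
    return ",".join(part.strip() for part in dn.lower().split(","))


def _get(entry, attr):
    """Case-insensitive attribute lookup (LDAP attribute names are case-insensitive)."""
    return next((list(v) for k, v in entry.items() if k.lower() == attr.lower()), [])


def _find(directory, dn):
    target = _norm(dn)
    return next((e for k, e in directory.items() if _norm(k) == target), None)


def _in_search_base(dn, base, scope):
    dn, base = _norm(dn), _norm(base)
    if not dn.endswith("," + base):
        return False
    relative = dn[: -len(base) - 1]
    # onelevel: exactly one RDN above the base; subtree: any depth (RoleScope enabled)
    return scope == "subtree" or "," not in relative


def _matches_filter(entry, role_filter):
    m = _FILTER.match(role_filter)
    if not m:
        raise ValueError("this example only supports a single (attr=value) filter")
    attr, value = m.groups()
    return value.lower() in [v.lower() for v in _get(entry, attr)]


def compute_roles(user_dn, config, directory):
    """Return the sorted role names the provider would grant to user_dn."""
    user = _find(directory, user_dn)
    if user is None:
        raise KeyError(user_dn)
    roles = set()
    scope = "subtree" if config.get("RoleScope") else "onelevel"
    name_attr = config.get("RoleNameAttribute", "cn")
    # 1. User-level role attributes: every DN listed on the user entry is a candidate
    #    role, accepted only if it lies under RoleSearchBase (per RoleScope) and its
    #    entry satisfies RoleFilter. Nothing is followed recursively from the role.
    for attr in filter(None, map(str.strip, config.get("UserRoleMembershipAttributes", "").split(","))):
        for role_dn in _get(user, attr):
            if not _in_search_base(role_dn, config["RoleSearchBase"], scope):
                continue
            role = _find(directory, role_dn)
            if role is not None and _matches_filter(role, config["RoleFilter"]):
                roles.update(_get(role, name_attr))
    # 2. Freeform roles: attribute values on the user entry are role names as-is.
    for attr in filter(None, map(str.strip, config.get("UserFreeformRoleMembershipAttributes", "").split(","))):
        roles.update(_get(user, attr))
    return sorted(roles)


if __name__ == "__main__":
    for dn in ("cn=alice,ou=People,dc=sap,dc=com", "cn=bob,ou=People,dc=sap,dc=com"):
        print(dn, "->", compute_roles(dn, CONFIG, DIRECTORY))
```

With the default configuration alice receives `admins` (from memberOf) and `4711` (freeform department role) but not `staff`, which lies outside RoleSearchBase, nor `auditors` until RoleScope is enabled; bob receives `ops` and `4711` only, even though `ops` is itself a member of `admins`. Switching RoleNameAttribute to `description` names the roles by that attribute instead of `cn`.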