13.1 Setting Up Object-Level Access Control

To retrieve additional user information when a protected resource is accessed, iChain provides a special Object-Level Access Control (OLAC) plug-in (an LDAP plug-in) that queries the directory. By default this plug-in lets you define attributes in the LDAP datastore that are embedded in the HTTP request header or passed as a query string. You assign a name that serves as the tag for each piece of data.

When OLAC is configured to use a multivalued LDAP attribute, the values of that attribute are returned from the LDAP query as a comma-delimited list and forwarded by OLAC to the Web server in the same format. Some back-end Web applications might not be able to process this comma-delimited value. The LDAP cn attribute is actually a multivalued attribute. (In ConsoleOne®, the values under the user object's Other Name: field on the General > Identification page are actually stored as part of the multivalued cn.) To configure OLAC to send only the user's common name (for example, user1), even when the cn attribute has multiple values, specify the LDAP attribute uid instead of cn in the OLAC configuration.

iChain also supports additional plug-ins called CONSTANT, SECRETSTORE, and INTERNAL. The CONSTANT plug-in allows you to pass the same constant literal with every OLAC request. This is particularly valuable when an application requires a constant to be passed and the administrator does not want to include the constant in each user object (for easier setup and maintenance).

The following table lists the LDAP and CONSTANT plug-ins' corresponding entries for the Data Source and Value fields in ConsoleOne.

| Plug-In | Description | Data Source | Value |
|---|---|---|---|
| LDAP | Adds user attributes from a directory with LDAP support. | ldap (case insensitive) | Any LDAP user attribute (for example, surname, givenName). |
| CONSTANT | Adds the constant literal for every OLAC request, where defined. | constant (case insensitive) | Constant literal (for example, string123). |

The INTERNAL OLAC data source obtains user information that is already available in the proxy. This allows the login information to be passed to the Web server as a query string, so that the Web server can display content based on how the user logged in. The following table lists the OLAC values and corresponding entries for the INTERNAL data source.

| OLAC Value | Sample OLAC Name | Description |
|---|---|---|
| AuthProfiles | allAuthProfiles | Build a tag-value pair for all of the authentication profiles used to authenticate the user. For example, if LDAP1 and RADIUS3 were both used, the OLAC string that is generated is allAuthProfiles=LDAP1,RADIUS3. |
| LDAPProfile | myLDAP | Build a tag-value pair where the value is the name of the LDAP authentication profile, if an LDAP profile was used to authenticate the user. For example, myLDAP=LDAP1. If the user authenticated with just RADIUS, the tag-value pair is myLDAP=. |
| RADIUSProfile | | Lists the RADIUS authentication profile used to authenticate, or no value. |
| MutualProfile | | Lists the Mutual authentication profile used to authenticate, or no value. |

The OLAC Parameters dialog box is shown below:

Figure 13-1 OLAC Parameters

Because the LDAP plug-in is based on iChain APIs, you can customize iChain and create OLAC plug-ins to integrate your applications as needed. For more information about the APIs for customizing your iChain infrastructure, see the Novell appnote, Developing a Custom OLAC Driver.

NOTE: Only administrators familiar with programming principles and Java programming syntax should attempt to customize OLAC plug-ins.

The settings for the OLAC framework and its plug-ins are stored in the iChain Access Control profile and in the oac.properties file, which is typically found in the sys:/ichain/oac directory on the iChain Proxy Server. The configuration file contains one section for the framework and one for the plug-in. The following table lists the valid OLAC options for each section:

| Name | Description | Required? | Default Value |
|---|---|---|---|
| Object-Level Access Control Options [OAC] section | | | |
| Security Authentication | The method to use when authenticating to the LDAP server. Currently, only “simple” is supported. | No | simple |
| Server Port | The port on which the OLAC framework listens for lookup requests from the proxy server. | No | 4444 |
| Worker Count | The number of worker threads to create. | No | 10 |
| Refresh Time | The number of minutes after which the OLAC configuration is re-read from the ISO. | No | 180 |
| Value Delimiter | The delimiter used to separate multiple values assigned to the same name in the URL query string. For example, if Value Delimiter is specified as semicolon (;), the resulting query string might look like COLORS=blue;green;yellow;orange&SHAPES=circle;square;triangle. | No | , (comma character) |
| LDAP Plug-In Options [LDAP Processor] section | | | |
| Security Authentication | The method to use when authenticating to the LDAP server. Currently, only “simple” is supported. | No | simple |
| Class Name | The name of the class implementing the LDAP plug-in. Must be com.novell.ichain.oac.ldap.ParamListBuilder. | Yes | None |
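As an added example that is not part of the iChain documentation, the following Python shows how a back-end Web application can parse the OLAC tag-value pairs described in this section: the comma-delimited multivalued cn that some applications cannot process, the empty myLDAP= value for a RADIUS-only login, and a non-default Value Delimiter. It also checks which authentication profile iChain reported before profile-specific content is shown. The sample query strings are constructed and the helper names are my own.

```python
from urllib.parse import unquote_plus

# Constructed sample query strings in the format the OLAC tables describe
# (not captured from a real iChain proxy).
SAMPLE_DEFAULT = "allAuthProfiles=LDAP1,RADIUS3&myLDAP=LDAP1&cn=user1,Joe%20User&uid=user1"
SAMPLE_RADIUS_ONLY = "allAuthProfiles=RADIUS3&myLDAP="
SAMPLE_SEMICOLON = "COLORS=blue;green;yellow;orange&SHAPES=circle;square;triangle"


def parse_olac_query(query, value_delimiter=","):
    """Map each OLAC name to the list of values iChain attached to it.

    value_delimiter must match the framework's Value Delimiter option
    (comma by default). A tag with an empty value, such as myLDAP= when
    no LDAP profile authenticated the user, maps to an empty list.
    """
    olac = {}
    for pair in query.split("&"):
        if not pair:
            continue
        name, _, raw = pair.partition("=")
        # Split on the delimiter before percent-decoding, so an encoded
        # delimiter inside a single value is kept as part of that value.
        values = [unquote_plus(v) for v in raw.split(value_delimiter) if v]
        olac.setdefault(unquote_plus(name), []).extend(values)
    return olac


def single_value(olac, name):
    """Return the single value for name, or None if it is absent or empty.

    Raises ValueError when the attribute is multivalued, which is the case
    the text warns about for cn; configuring uid instead of cn avoids it.
    """
    values = olac.get(name, [])
    if len(values) > 1:
        raise ValueError(f"{name} has {len(values)} values; expected one")
    return values[0] if values else None


def authenticated_with(olac, profile, name="allAuthProfiles"):
    """True if profile is among the authentication profiles iChain reported."""
    return profile in olac.get(name, [])


if __name__ == "__main__":
    olac = parse_olac_query(SAMPLE_DEFAULT)
    print(olac["cn"], single_value(olac, "uid"))        # ['user1', 'Joe User'] user1
    print(authenticated_with(olac, "RADIUS3"))           # True
    print(parse_olac_query(SAMPLE_RADIUS_ONLY)["myLDAP"])    # []
    print(parse_olac_query(SAMPLE_SEMICOLON, ";")["COLORS"])  # ['blue', 'green', 'yellow', 'orange']
```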