From 00110383d79fcafaded64ed5230b82e819cc99eb Mon Sep 17 00:00:00 2001 From: vmarkop Date: Thu, 16 Dec 2021 15:35:16 +0200 Subject: [PATCH] Overhauled LDAP Autoprovisioning Help Section --- docs/Autoprovision_LDAP.md | 39 +++++++++++++++++++ .../admin_setting_authentication.html | 33 ++++++++++++---- 2 files changed, 65 insertions(+), 7 deletions(-) create mode 100644 docs/Autoprovision_LDAP.md diff --git a/docs/Autoprovision_LDAP.md b/docs/Autoprovision_LDAP.md new file mode 100644 index 0000000..f8cd058 --- /dev/null +++ b/docs/Autoprovision_LDAP.md 
@@ -0,0 +1,39 @@ +# Configure PDA user privileges based on LDAP Attributes + +Provisioning the roles and the associations of a user based on an attribute in his object, is a very useful practice for a variety of reasons, and can be implemented across multiple authentication providers for PDA. Below we demonstrate how to enable and configure Roles&Associations Provisioning during LDAP authentication. + +The allowed syntax for records inside the attribute of the user's object is: + +```text. +if PDA-Role∈[Administrator, Operator]: + syntax:=prefix:"powerdns-admin":PDA-Role +else: + syntax:=prefix:"powerdns-admin":PDA-Role:: + +where prefix is given by an admin of PDA in the configurable field "ADVANCE:Urn prefix". + +i.e. some valid urn values could be: +urn:yourNID:yourOrganization:powerdns-admin:Administrator +urn:yourNID:yourOrganization:powerdns-admin:User:example.com (supposing there is a domain in the local db called "example.com") +urn:yourNID:yourOrganization:powerdns-admin:User:example.com:examplenet (supposing there is an account in the local db called "examplenet") +urn:yourNID:yourOrganization:powerdns-admin:User::examplenet +``` +Note: To use Roles&Associations Provisioning in its fullest potential, the domains and the accounts provided in the entries must already exist, or else entries with no match in the local db will be skipped. + +In order to keep users' privileges in-sync between the PDA's database and the LDAP, when no valid "powerdns-admin" values are found for the logged-in user, PDA will purge all privileges from the local database for this user. To avoid unintentional wipe outs of existing PDA privileges especially when admins enable this feature for the first time, the option "Purge Roles if empty" is also available. 
If toggled on, LDAP/OIDC entries that have no valid "powerdns-admin" records to their object's attribute, will lose all their associations with any domain or account, also reverting to a PDA-User in the process, despite their current role in the local db. If toggled off, in the same scenario they get to keep their existing associations and their current PDA-Role. + +How to configure LDAP Roles Autoprovisioning: +1) Login as an admin to PowerDNS Admin. +2) Go to Settings --> Authentication. +3) Under Authentication, select LDAP. +4) Disable Group Security, if enabled. +5) Click the Radio Button for Roles Autoprovisioning. +6) Fill in the required info: + +* Role Provisioning field - your_LDAP_Field. +* Urn prefix - your_URN_Prefix. + +7) Enable Purge Roles If Empty, if you so wish, and click confirm when the prompt appears. +8) Click Save. + +Screenshot-Authentication-Settings-Power-DNS-Admin \ No newline at end of file diff --git a/powerdnsadmin/templates/admin_setting_authentication.html b/powerdnsadmin/templates/admin_setting_authentication.html index ba82c2e..86b260c 100644 --- a/powerdnsadmin/templates/admin_setting_authentication.html +++ b/powerdnsadmin/templates/admin_setting_authentication.html @@ -210,7 +210,7 @@
- +
@@ -310,22 +310,41 @@
ADVANCE
-
Provision PDA user privileges based on LDAP Object Attributes. Alternative to Group Security Role Management. +
Provision PDA user privileges based on a single attribute with URN values. Alternative to Group Security Role Management.
  • - Roles Autoprovisioning - If toggled on, the PDA Role and the associations of users found in the local db, will be instantly updated from the LDAP server every time they log in. + Roles Autoprovisioning - If toggled on, roles & associations of the PDA user will be determined based on the URN value(s) of an attribute in the user's LDAP object.
  • - Roles provisioning field - The attribute in the ldap server populated by the urn values where PDA will look for a new Role and/or new associations to domains/accounts. + Roles provisioning attribute - The LDAP attribute where PDA will look for roles and/or associations to domains/accounts, each time the user logs in.
    + eg. eduPersonEntitlement
    + Some examples of the URN value inside the provisioning attribute are: +
      +
    • + urn:mace:organization.com:powerdns-admin:Administrator, to set user as Administrator. +
    • +
    • + urn:mace:organization.com:powerdns-admin:User:example.com, to give user access to domain example.com. +
    • +
    • + urn:mace:organization.com:powerdns-admin:User:example.com:example.net, to give user access to domain example.com and add them to account example.net. +
    • +
    • + urn:mace:organization.com:powerdns-admin:User::example.net, to add user to account example.net. +
    • + (supposing example.com, example.net exist.) +
  • - Urn prefix - The prefix used before the static keyword "powerdns-admin" for your entitlements in the ldap server. Must comply with RFC no.8141. + Urn prefix - The urn:mace:organization.com prefix referenced above that is used for your entitlements in the LDAP server.
  • - Purge Roles If Empty - If toggled on, ldap entries that have no valid "powerdns-admin" records to their autoprovisioning field, will lose all their associations with any domain or account, also reverting to a User in the process, despite their current role in the local db.
    If toggled off, in the same scenario they get to keep their existing associations and their current Role. - + Purge Roles If Empty - If toggled on, LDAP entries that have no valid "powerdns-admin" records to their autoprovisioning field, + will lose all their associations with any domain or account, also reverting to a User in the process.
    + If toggled off, in the same scenario they get to keep their existing associations and their current Role.
+ For further information visit the LDAP Autoprovisioning wiki
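Review bot: In docs/Autoprovision_LDAP.md the syntax block does not name the two optional fields that follow the role, so a reader cannot tell from `prefix:"powerdns-admin":PDA-Role::` that the first slot is a domain and the second an account; the four example URNs below it only show this implicitly. Suggest writing the non-admin form as `prefix:"powerdns-admin":PDA-Role:<domain>:<account>` with a sentence stating that either slot may be left empty. Two smaller doc points in the same file: the fence opener is `` ```text. `` with a stray trailing period, which renderers will read as the language tag, and the paragraph on purging first states unconditionally that "PDA will purge all privileges from the local database for this user" and only afterwards introduces "Purge Roles if empty" as the switch that controls it; phrase the first sentence conditionally so it does not contradict the "If toggled off ... keep their existing associations" behaviour described next. Since a single value such as `urn:yourNID:yourOrganization:powerdns-admin:Administrator` grants the Administrator role on every login, the page should also state that write access to the provisioning attribute in the directory must be limited to directory administrators; that caveat is missing. The file also ends without a trailing newline.

Review bot: In the admin_setting_authentication.html hunk, the rewritten "Urn prefix" help text drops the requirement from the removed line ("Must comply with RFC no.8141") and replaces it with a hard-coded example (`urn:mace:organization.com`), so the operator no longer learns that the prefix has to be a valid URN namespace; keep the RFC 8141 reference alongside the example. The examples here are also inconsistent with the new docs file: the template uses `User:example.com:example.net` for an account named "example.net", while the docs use "examplenet", and the template's account/domain wording ("supposing example.com, example.net exist") should match the docs' statement that unmatched entries are skipped. Minor: "eg. eduPersonEntitlement" should read "e.g. eduPersonEntitlement", and the closing link says "visit the LDAP Autoprovisioning wiki" while the documentation this PR actually adds lives at docs/Autoprovision_LDAP.md in the repository, so either point the link at that file or confirm a wiki page with the same content exists.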