To access protected resources, a special iChain Object-Level Access Control (OLAC) plug-in (an LDAP plug-in) is available to access the database and retrieve the additional information. By default this plug-in allows you to define attributes in the LDAP datastore that are embedded and passed within the HTTP request header or as a query string. You can assign a name as the tag to the data.
When OLAC is configured to use a multivalued LDAP attribute, the values of that attribute are returned from the LDAP query as a comma-delimited list and forwarded by OLAC to the Web server in the same format. Some back-end Web applications might not be able to process this comma-delimited value. The LDAP cn attribute is actually a multivalued attribute. (In ConsoleOne®, the values under the user object's Other Name: field on the General > Identification page are actually stored as part of the multivalued cn.) To configure OLAC to send only the user's common name (for example, user1), even when the cn attribute has multiple values, specify the LDAP attribute uid instead of cn in the OLAC configuration.
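A back-end application that receives the comma-delimited list described above should split it deliberately and refuse a list where it expects a single login name. The following is an added example, not code from iChain or Novell: the header name `X-cn` and the query parameter `cn` are hypothetical tags standing in for whatever name the administrator assigned. It assumes individual values contain no commas, because the page does not describe any escaping.

```python
from urllib.parse import parse_qs

# Hypothetical names: the tag is whatever the administrator assigned in OLAC.
OLAC_HEADER = "X-cn"
OLAC_PARAM = "cn"


class AmbiguousIdentity(ValueError):
    """A field expected to hold one value arrived with several."""


def olac_values(raw):
    """Split a comma-delimited OLAC value into trimmed, non-empty items."""
    return [item.strip() for item in (raw or "").split(",") if item.strip()]


def olac_raw(headers, query_string=""):
    """Return the forwarded value from the header, else the query string."""
    for name, value in headers.items():
        if name.lower() == OLAC_HEADER.lower():  # header names are case-insensitive
            return value
    found = parse_qs(query_string).get(OLAC_PARAM, [])
    if len(found) > 1:
        raise AmbiguousIdentity("parameter %r appears more than once" % OLAC_PARAM)
    return found[0] if found else None


def single_user(headers, query_string=""):
    """Return the one forwarded name, None if absent; refuse a multivalued list."""
    values = olac_values(olac_raw(headers, query_string))
    if len(values) > 1:
        # Do not guess which entry is the login name: a multivalued cn
        # also carries the user's Other Name values.
        raise AmbiguousIdentity("expected one value, got %d" % len(values))
    return values[0] if values else None


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    print(single_user({"X-cn": "user1"}))
    print(olac_values("user1,User One,U. One"))
    try:
        single_user({"x-cn": "user1,User One"})
    except AmbiguousIdentity as err:
        print("rejected:", err)
```
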
iChain also supports additional plug-ins called CONSTANT, SECRETSTORE, and INTERNAL. The CONSTANT plug-in allows you to pass the same constant literal with every OLAC request. This is particularly valuable when an application requires a constant to be passed and the administrator does not want to include the constant in each user object (for easier setup and maintenance).
The following table lists the LDAP and CONSTANT plug-ins' corresponding entries for the Data Source and Value fields in ConsoleOne.
The INTERNAL OLAC data source obtains user information that is available in the proxy. This allows the login query string to be passed to the Web server, which can then display content based on login information. The following table lists the OLAC values and corresponding entries for the INTERNAL data source.
The OLAC Parameters dialog box is shown below:
Figure 13-1 OLAC Parameters
Because the LDAP plug-in is based on iChain APIs, you can customize iChain and create OLAC plug-ins to integrate your applications as needed. For more information about the APIs for customizing your iChain infrastructure, see the Novell appnote, Developing a Custom OLAC Driver.
NOTE: Only administrators familiar with programming principles and Java programming syntax should attempt to customize OLAC plug-ins.
The settings for the OLAC framework and its plug-ins are stored in the iChain Access Control profile and in the oac.properties file, which is typically found in the sys:/ichain/oac directory on the iChain Proxy Server. The configuration file contains one section for the framework and one for the plug-in. The following table lists the valid OLAC options for each section: