During the implementation of some new PKIs several users had serious problems, because OpenCA had no powerful access control of its own and the access control that was implemented used a proprietary, modified Base64 encoding for file names. The result of this awkward usage was that the developer himself (me ;-) ) did not use this RBAC implementation. So we took the ideas from the first attempt and started a second, XML-based attempt :-)
The access control has one central configuration file for every web interface in etc/access_control/. This configuration file contains references to the token configuration and to the access control list, if such a list is used. The file itself has the usual OpenCA structure:
<openca>
  <access_control>
    The complete configuration should be here.
  </access_control>
</openca>
The problem with the old system was its high complexity, so one main goal was a modular design that can be maintained by different developers. The system therefore consists of four parts:
channel verification
login
session management
ACLs
Every step is a completely isolated pass, except for the second and third steps, which are unified in the second pass. It is necessary to develop the technology described in Section 1, “Slotechnology”, which handles the sessions and the data stored in them, because the current access control is only usable with web interfaces, but in the far future there should be at minimum a Tk interface.
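The following is an added illustration of that four-pass structure in Python; it is not OpenCA's code and does not reproduce its configuration format. Each pass is one function that sees only the data it needs: the channel check sees transport properties, the unified login/session pass sees credentials and the session store, and the ACL pass sees only the authenticated user and the requested command. The configuration dictionary, the user names, role names, command names and the PBKDF2 password scheme are all constructed for the example.

```python
"""Constructed four-pass access control pipeline (added example, not OpenCA code)."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional


class AccessDenied(Exception):
    """Raised by any pass; the message names the pass that refused."""


@dataclass
class Request:
    scheme: str                     # "https" or "http"
    client_cert_ok: bool            # did the channel present a valid client cert?
    command: str                    # command the caller wants to run
    user: Optional[str] = None
    passwd: Optional[str] = None
    session_id: Optional[str] = None


def pwhash(passwd: str, salt: str) -> str:
    """Salted PBKDF2 password hash (assumed scheme for this example)."""
    return hashlib.pbkdf2_hmac("sha256", passwd.encode(), salt.encode(), 100_000).hex()


# Constructed configuration: users, roles and commands are invented.
CONFIG = {
    "channel": {"protocol": "ssl", "client_cert": False},
    "passwd": {
        "alice": {"salt": "s1", "hash": pwhash("alice-secret", "s1")},
        "bob": {"salt": "s2", "hash": pwhash("bob-secret", "s2")},
    },
    "roles": {"alice": ["RA Operator"], "bob": ["User"]},
    "acl": {"approveCSR": ["RA Operator"], "getCert": ["RA Operator", "User"]},
}


# Pass 1: channel verification. Sees only transport properties, no users.
def verify_channel(req: Request, cfg: dict) -> bool:
    ch = cfg["channel"]
    if ch["protocol"] == "ssl" and req.scheme != "https":
        raise AccessDenied("channel: TLS required")
    if ch["client_cert"] and not req.client_cert_ok:
        raise AccessDenied("channel: client certificate required")
    return True


# Pass 2: login and session management, unified in one pass.
class SessionStore:
    """In-memory sessions with expiry; the only session data kept here is the user."""

    def __init__(self, lifetime: float = 600.0):
        self.lifetime = lifetime
        self._sessions: dict = {}

    def create(self, user: str) -> str:
        sid = secrets.token_hex(16)           # unguessable session id
        self._sessions[sid] = (user, time.time() + self.lifetime)
        return sid

    def lookup(self, sid: str, now: Optional[float] = None) -> Optional[str]:
        now = time.time() if now is None else now
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        user, expires = entry
        if now >= expires:                    # expired sessions are dropped
            del self._sessions[sid]
            return None
        return user


def login_and_session(req: Request, cfg: dict, store: SessionStore):
    """Return (user, session_id): resume a valid session, else log in and create one."""
    if req.session_id:
        user = store.lookup(req.session_id)
        if user is not None:
            return user, req.session_id
    if req.user is None or req.passwd is None:
        raise AccessDenied("login: no valid session and no credentials")
    rec = cfg["passwd"].get(req.user)
    if rec is None or not hmac.compare_digest(pwhash(req.passwd, rec["salt"]), rec["hash"]):
        raise AccessDenied("login: bad credentials")
    return req.user, store.create(req.user)


# Pass 3: ACL. Sees only the authenticated user and the requested command.
def check_acl(user: str, command: str, cfg: dict) -> bool:
    roles = cfg["roles"].get(user, [])
    allowed = cfg["acl"].get(command, [])    # unknown command: nobody is allowed
    if not any(r in allowed for r in roles):
        raise AccessDenied(f"acl: {user} may not run {command}")
    return True


def authorize(req: Request, cfg: dict, store: SessionStore):
    """Run the passes in order; the first pass that refuses stops the request."""
    verify_channel(req, cfg)
    user, sid = login_and_session(req, cfg, store)
    check_acl(user, req.command, cfg)
    return user, sid
```

The point of the isolation is that the session store can later be backed by something other than a web cookie without touching the channel or ACL passes, which is what a non-web (e.g. Tk) front end would need. Each pass refuses with a message naming the pass, so an operator can tell from the log which stage rejected a request.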
The different passes work as follows.
The exact configuration of the different passes is explained in the administration guide.