
[higgins-dev] Bandit Realm Definition Samples

Attached are a couple of sample Bandit realm definition files.  Though
I've also attached the governing XML Schema, detailed realm
configuration documentation is available at
http://www.bandit-project.org/index.php/Realm_Configuration if you
want more detail on anything in particular.

Each Bandit realm may be represented by parts of both Higgins Context
Providers and Contexts.  At any rate, that's the mapping we're currently
trying to make so that we can implement all of what we've done within the
Higgins framework.

Thanks,
Tom

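<?xml version="1.0" encoding="UTF-8"?>
<!-- Sample Bandit realm definition: two LDAP realms (Active Directory and eDirectory) that share attribute-mapping
     schema definitions, plus a join realm over both. xsi:schemaLocation pairs the XACML 2.0 namespace with a local
     schema file name; it is a hint only, so validators should use a trusted local copy of the schema rather than
     fetching whatever location a document names. -->
<bci:realms xmlns:bci="http://www.bandit-project.org/commonidentity"
            xmlns:xacml="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
            xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:policy:schema:os access_control-xacml-2.0-policy-schema-os.xsd">
	<!-- Realm-wide JNDI environment entry; presumably makes the LDAP provider return objectGUID as raw bytes rather
	     than a string (confirm against the connector) -->
	<bci:env prop="java.naming.ldap.attributes.binary" value="objectGUID"/>
	<!-- Shared mappings, pulled into a realm with a bci:schemaReference of the same id -->
	<bci:schemaDefinition desc="Shared mappings for eDirectory schema" id="genericCurEdirMappings">
		<!-- Output attribute GUID is read from the directory attribute objectGUID; the objectGUID key below declares
		     the inverse (input) mapping -->
		<bci:key>
			<bci:name>GUID</bci:name>
			<bci:outputAttrTransform evalType="bandit-xacml">
				<xacml:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-normalize-space">
					<xacml:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">objectGUID</xacml:AttributeValue>
				</xacml:Apply>
			</bci:outputAttrTransform>
		</bci:key>
		<bci:key>
			<bci:name>objectGUID</bci:name>
			<bci:inputAttrTransform evalType="bandit-xacml">
				<xacml:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-normalize-space">
					<xacml:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">GUID</xacml:AttributeValue>
				</xacml:Apply>
			</bci:inputAttrTransform>
		</bci:key>
		<!-- Role resolution: joins a base-object read of the subject's securityEquals/groupMembership/objectClass with a
		     subtree search under the realm's searchRoots variable for groups, organizations and roles that list the
		     subject. {0} placeholders are filled in by the search function; this file does not show whether substituted
		     values are escaped per RFC 4515, so confirm that before routing user-supplied names into these filters. -->
		<bci:key>
			<bci:name>role</bci:name>
			<bci:searchSelection evalType="bandit-xacml">
				<xacml:Apply FunctionId="urn:bandit:names:ia:xacml:1.0:function:search-join">
					<xacml:Apply FunctionId="urn:bandit:names:ia:xacml:1.0:function:string-to-searchresult">
						<xacml:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
							<xacml:EnvironmentAttributeDesignator AttributeId="urn:bandit:names:ia:xacml:1.0:function-parm:base-name" DataType="http://www.w3.org/2001/XMLSchema#string"/>
						</xacml:Apply>
						<xacml:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
							<xacml:EnvironmentAttributeDesignator AttributeId="urn:bandit:names:ia:xacml:1.0:function-parm:attribute-name" DataType="http://www.w3.org/2001/XMLSchema#string"/>
						</xacml:Apply>
						<xacml:Apply FunctionId="urn:bandit:names:ia:xacml:1.0:function:name-to-string-bag">
							<xacml:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
								<xacml:EnvironmentAttributeDesignator AttributeId="urn:bandit:names:ia:xacml:1.0:function-parm:base-name" DataType="http://www.w3.org/2001/XMLSchema#string"/>
							</xacml:Apply>
						</xacml:Apply>
					</xacml:Apply>
					<!-- Forward membership: attributes on the subject's own entry (base-object scope) -->
					<xacml:Apply FunctionId="urn:bandit:names:ia:xacml:1.0:function:searchresults-to-searchresult">
						<xacml:Apply FunctionId="urn:bandit:names:ia:xacml:1.0:function:search">
							<xacml:EnvironmentAttributeDesignator AttributeId="urn:bandit:names:ia:xacml:1.0:function-parm:base-name" DataType="http://www.w3.org/2001/XMLSchema#string"/>
							<xacml:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">baseObject</xacml:AttributeValue>
							<xacml:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
								<xacml:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">securityEquals</xacml:AttributeValue>
								<xacml:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">groupMembership</xacml:AttributeValue>
								<xacml:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">objectClass</xacml:AttributeValue>
							</xacml:Apply>
						</xacml:Apply>
						<xacml:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
							<xacml:EnvironmentAttributeDesignator AttributeId="urn:bandit:names:ia:xacml:1.0:function-parm:base-name" DataType="http://www.w3.org/2001/XMLSchema#string"/>
						</xacml:Apply>
						<xacml:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
							<xacml:EnvironmentAttributeDesignator AttributeId="urn:bandit:names:ia:xacml:1.0:function-parm:attribute-name" DataType="http://www.w3.org/2001/XMLSchema#string"/>
						</xacml:Apply>
						<xacml:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#boolean">false</xacml:AttributeValue>
					</xacml:Apply>
					<!-- Reverse membership: entries under searchRoots whose member/equivalentToMe/roleOccupant names the subject -->
					<xacml:Apply FunctionId="urn:bandit:names:ia:xacml:1.0:function:searchresults-to-searchresult">
						<xacml:Apply FunctionId="urn:bandit:names:ia:xacml:1.0:function:search">
							<xacml:VariableReference VariableId="searchRoots"/>
							<xacml:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">subTree</xacml:AttributeValue>
							<xacml:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag"/>
							<!-- no selection list -->
							<!-- AttributeId on an AttributeValue is not standard XACML; it looks like a Bandit named-parameter convention, confirm with the engine -->
							<xacml:AttributeValue AttributeId="urn:bandit:names:ia:xacml:1.0:function-parm:search-filter" DataType="http://www.w3.org/2001/XMLSchema#string">(|(&amp;(objectClass=groupOfNames)(|(member={0})(equivalentToMe={0})))(&amp;(objectClass=organization)(equivalentToMe={0}))(&amp;(objectClass=organizationalRole)(roleOccupant={0})))</xacml:AttributeValue>
							<xacml:EnvironmentAttributeDesignator AttributeId="urn:bandit:names:ia:xacml:1.0:function-parm:base-name" DataType="http://www.w3.org/2001/XMLSchema#string"/>
						</xacml:Apply>
						<xacml:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
							<xacml:EnvironmentAttributeDesignator AttributeId="urn:bandit:names:ia:xacml:1.0:function-parm:base-name" DataType="http://www.w3.org/2001/XMLSchema#string"/>
						</xacml:Apply>
						<xacml:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
							<xacml:EnvironmentAttributeDesignator AttributeId="urn:bandit:names:ia:xacml:1.0:function-parm:attribute-name" DataType="http://www.w3.org/2001/XMLSchema#string"/>
						</xacml:Apply>
						<xacml:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#boolean">true</xacml:AttributeValue>
					</xacml:Apply>
				</xacml:Apply>
			</bci:searchSelection>
			<!-- Permit rule: the role lookup proceeds when the requested name is the subject itself (string-is-in), or when
			     either membership search returns at least one entry. Conclusions/TrueConclusion are not part of OASIS
			     XACML 2.0 and appear to be Bandit extensions evaluated by the bandit-xacml engine. -->
			<bci:searchFilter evalType="bandit-xacml">
				<xacml:Policy PolicyId="genericPolicy27" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">
					<xacml:Target/>
					<xacml:Rule Effect="Permit" RuleId="genericRule27">
						<xacml:Condition>
							<xacml:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:or">
								<xacml:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
									<xacml:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
										<xacml:EnvironmentAttributeDesignator AttributeId="urn:bandit:names:ia:xacml:1.0:function-parm:search-filter-args" DataType="http://www.w3.org/2001/XMLSchema#string"/>
									</xacml:Apply>
									<xacml:Apply FunctionId="urn:bandit:names:ia:xacml:1.0:function:name-to-string-bag">
										<xacml:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
											<xacml:EnvironmentAttributeDesignator AttributeId="urn:bandit:names:ia:xacml:1.0:function-parm:base-name" DataType="http://www.w3.org/2001/XMLSchema#string"/>
										</xacml:Apply>
									</xacml:Apply>
								</xacml:Apply>
								<xacml:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-greater-than-or-equal">
									<xacml:Apply FunctionId="urn:bandit:names:ia:xacml:1.0:function:searchresults-size">
										<xacml:Apply FunctionId="urn:bandit:names:ia:xacml:1.0:function:search">
											<xacml:EnvironmentAttributeDesignator AttributeId="urn:bandit:names:ia:xacml:1.0:function-parm:search-filter-args" DataType="http://www.w3.org/2001/XMLSchema#string"/>
											<xacml:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">base</xacml:AttributeValue>
											<xacml:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag"/>
											<!-- no selection list -->
											<xacml:AttributeValue AttributeId="urn:bandit:names:ia:xacml:1.0:function-parm:search-filter" DataType="http://www.w3.org/2001/XMLSchema#string">(|(&amp;(objectClass=groupOfNames)(|(member={0})(equivalentToMe={0})))(&amp;(objectClass=organization)(equivalentToMe={0}))(&amp;(objectClass=organizationalRole)(roleOccupant={0})))</xacml:AttributeValue>
											<xacml:EnvironmentAttributeDesignator AttributeId="urn:bandit:names:ia:xacml:1.0:function-parm:base-name" DataType="http://www.w3.org/2001/XMLSchema#string"/>
										</xacml:Apply>
									</xacml:Apply>
									<xacml:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">1</xacml:AttributeValue>
								</xacml:Apply>
								<xacml:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-greater-than-or-equal">
									<xacml:Apply FunctionId="urn:bandit:names:ia:xacml:1.0:function:searchresults-size">
										<xacml:Apply FunctionId="urn:bandit:names:ia:xacml:1.0:function:search">
											<xacml:EnvironmentAttributeDesignator AttributeId="urn:bandit:names:ia:xacml:1.0:function-parm:base-name" DataType="http://www.w3.org/2001/XMLSchema#string"/>
											<xacml:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">base</xacml:AttributeValue>
											<xacml:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag"/>
											<!-- no selection list -->
											<xacml:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">(|(securityEquals={0})(groupMembership={0})(objectClass={0}))</xacml:AttributeValue>
											<xacml:EnvironmentAttributeDesignator AttributeId="urn:bandit:names:ia:xacml:1.0:function-parm:search-filter-args" DataType="http://www.w3.org/2001/XMLSchema#string"/>
										</xacml:Apply>
									</xacml:Apply>
									<xacml:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">1</xacml:AttributeValue>
								</xacml:Apply>
							</xacml:Apply>
							<!-- end or -->
						</xacml:Condition>
						<xacml:Conclusions>
							<xacml:TrueConclusion>
								<!-- On Permit, publish the base-object read (with the caller's selection) as the evaluation result -->
								<xacml:Apply FunctionId="urn:bandit:names:ia:xacml:1.0:function:env-attr-set">
									<xacml:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">urn:bandit:names:ia:xacml:1.0:evaluation-results</xacml:AttributeValue>
									<xacml:Apply FunctionId="urn:bandit:names:ia:xacml:1.0:function:search">
										<xacml:EnvironmentAttributeDesignator AttributeId="urn:bandit:names:ia:xacml:1.0:function-parm:base-name" DataType="http://www.w3.org/2001/XMLSchema#string"/>
										<xacml:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">base</xacml:AttributeValue>
										<xacml:EnvironmentAttributeDesignator AttributeId="urn:bandit:names:ia:xacml:1.0:function-parm:search-selection" DataType="http://www.w3.org/2001/XMLSchema#string"/>
									</xacml:Apply>
								</xacml:Apply>
							</xacml:TrueConclusion>
						</xacml:Conclusions>
					</xacml:Rule>
				</xacml:Policy>
			</bci:searchFilter>
		</bci:key>
	</bci:schemaDefinition>
	<!-- Placeholder AD mapping: output attribute sample_kumquat is read from directory attribute sample_AD_kumquat -->
	<bci:schemaDefinition desc="Shared mappings for Active Directory schema" id="genericCurADMappings">
		<bci:key>
			<bci:name>sample_kumquat</bci:name>
			<bci:outputAttrTransform evalType="bandit-xacml">
				<xacml:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-normalize-space">
					<xacml:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">sample_AD_kumquat</xacml:AttributeValue>
				</xacml:Apply>
			</bci:outputAttrTransform>
		</bci:key>
	</bci:schemaDefinition>
	<!-- AD realm. Simple bind over plain ldap:// with the bind password stored in clear text in this file; these are sample
	     values (the principal is redacted). A production realm needs ldaps:// or StartTLS and a credential supplied from
	     outside the definition file. With referral=follow the provider may re-bind with the same credentials against
	     whichever server a referral names, so keep referral following off unless the referred-to servers are trusted. -->
	<bci:realm connectorType="org.bandit.ia.connectors.LDAPConnectorInitialCtxFactory" desc="Directory Service: My AD Test" id="6289E76C-0883-49f1-9DCE-85293A83ED3E">
		<bci:env prop="java.naming.security.authentication" value="simple"/>
		<bci:env prop="java.naming.security.principal" value="Administrator@xxxxxxxxxxxxxxxxxxxxxx"/>
		<bci:env prop="java.naming.security.credentials" value="novell"/>
		<bci:env prop="java.naming.referral" value="follow"/>
		<bci:connection xsi:type="bci:LDAPConnector">
			<bci:address>ldap://gumbo.provo.novell.com:389/dc=gumbo,dc=provo,dc=novell,dc=com</bci:address>
		</bci:connection>
		<bci:schemaReference id="genericCurADMappings"/>
	</bci:realm>
	<!-- eDirectory realm; same clear-text simple-bind caveat as the AD realm above -->
	<bci:realm connectorType="org.bandit.ia.connectors.LDAPConnectorInitialCtxFactory" desc="Directory Service: My eDirectory Test" id="96769C79-7C08-4187-8215-220B1FA7A12B">
		<bci:env prop="java.naming.security.authentication" value="simple"/>
		<bci:env prop="java.naming.security.principal" value="cn=admin,o=system"/>
		<bci:env prop="java.naming.security.credentials" value="novell"/>
		<bci:connection xsi:type="bci:LDAPConnector">
			<bci:address>ldap://gumbo.provo.novell.com:10389</bci:address>
		</bci:connection>
		<!-- Named action: a search whose base is the string bag produced by looking up cn={0} under o=system; scope,
		     selection, filter and filter args come from the caller's environment parameters. The semantics of
		     search-join-until are not shown in this file. -->
		<bci:action id="contextless-search">
			<xacml:Apply FunctionId="urn:bandit:names:ia:xacml:1.0:function:search">
				<xacml:Apply FunctionId="urn:bandit:names:ia:xacml:1.0:function:searchresults-to-string-bag">
					<xacml:Apply FunctionId="urn:bandit:names:ia:xacml:1.0:function:search-join-until">
						<xacml:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">one</xacml:AttributeValue>
						<xacml:Apply FunctionId="urn:bandit:names:ia:xacml:1.0:function:search">
							<xacml:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">o=system</xacml:AttributeValue>
							<xacml:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">subTree</xacml:AttributeValue>
							<xacml:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag"/>
							<xacml:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">cn={0}</xacml:AttributeValue>
							<xacml:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
								<xacml:EnvironmentAttributeDesignator AttributeId="urn:bandit:names:ia:xacml:1.0:function-parm:base-name" DataType="http://www.w3.org/2001/XMLSchema#string"/>
							</xacml:Apply>
						</xacml:Apply>
						<!-- end of search -->
					</xacml:Apply>
					<!-- end of search-join-until -->
					<xacml:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#boolean">true</xacml:AttributeValue>
				</xacml:Apply>
				<!-- end of searchresults-to-string-bag -->
				<xacml:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
					<xacml:EnvironmentAttributeDesignator AttributeId="urn:bandit:names:ia:xacml:1.0:function-parm:search-scope" DataType="http://www.w3.org/2001/XMLSchema#string"/>
				</xacml:Apply>
				<xacml:EnvironmentAttributeDesignator AttributeId="urn:bandit:names:ia:xacml:1.0:function-parm:search-selection" DataType="http://www.w3.org/2001/XMLSchema#string"/>
				<xacml:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
					<xacml:EnvironmentAttributeDesignator AttributeId="urn:bandit:names:ia:xacml:1.0:function-parm:search-filter" DataType="http://www.w3.org/2001/XMLSchema#string"/>
				</xacml:Apply>
				<!-- AttributeId corrected from the misspelt urn:bacndit:... so the filter-args parameter actually resolves -->
				<xacml:EnvironmentAttributeDesignator AttributeId="urn:bandit:names:ia:xacml:1.0:function-parm:search-filter-args" DataType="http://www.w3.org/2001/XMLSchema#string"/>
			</xacml:Apply>
			<!-- end of search -->
		</bci:action>
		<!-- Search bases for contextless-search2; o=invalid and o=whocares look like deliberate negative test entries -->
		<xacml:VariableDefinition VariableId="contextless-search-locations">
			<xacml:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
				<xacml:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">o=invalid</xacml:AttributeValue>
				<xacml:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">o=system</xacml:AttributeValue>
				<xacml:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">o=whocares</xacml:AttributeValue>
			</xacml:Apply>
		</xacml:VariableDefinition>
		<!-- Variant of contextless-search that searches every base in contextless-search-locations for cn={0} -->
		<bci:action id="contextless-search2">
			<xacml:Apply FunctionId="urn:bandit:names:ia:xacml:1.0:function:search">
				<xacml:Apply FunctionId="urn:bandit:names:ia:xacml:1.0:function:searchresults-to-string-bag">
					<xacml:Apply FunctionId="urn:bandit:names:ia:xacml:1.0:function:search">
						<xacml:VariableReference VariableId="contextless-search-locations"/>
						<xacml:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">subTree</xacml:AttributeValue>
						<xacml:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag"/>
						<xacml:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">one</xacml:AttributeValue>
						<xacml:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">cn={0}</xacml:AttributeValue>
						<xacml:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
							<xacml:EnvironmentAttributeDesignator AttributeId="urn:bandit:names:ia:xacml:1.0:function-parm:base-name" DataType="http://www.w3.org/2001/XMLSchema#string"/>
						</xacml:Apply>
					</xacml:Apply>
					<!-- end of search -->
					<xacml:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#boolean">true</xacml:AttributeValue>
				</xacml:Apply>
				<!-- end of searchresults-to-string-bag -->
				<xacml:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
					<xacml:EnvironmentAttributeDesignator AttributeId="urn:bandit:names:ia:xacml:1.0:function-parm:search-scope" DataType="http://www.w3.org/2001/XMLSchema#string"/>
				</xacml:Apply>
				<xacml:EnvironmentAttributeDesignator AttributeId="urn:bandit:names:ia:xacml:1.0:function-parm:search-selection" DataType="http://www.w3.org/2001/XMLSchema#string"/>
				<xacml:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
					<xacml:EnvironmentAttributeDesignator AttributeId="urn:bandit:names:ia:xacml:1.0:function-parm:search-filter" DataType="http://www.w3.org/2001/XMLSchema#string"/>
				</xacml:Apply>
				<!-- AttributeId corrected from the misspelt urn:bacndit:... so the filter-args parameter actually resolves -->
				<xacml:EnvironmentAttributeDesignator AttributeId="urn:bandit:names:ia:xacml:1.0:function-parm:search-filter-args" DataType="http://www.w3.org/2001/XMLSchema#string"/>
			</xacml:Apply>
			<!-- end of search -->
		</bci:action>
		<!-- Subtree roots used by the shared role mapping's reverse-membership search -->
		<xacml:VariableDefinition VariableId="searchRoots">
			<xacml:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
				<xacml:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">dc=novell,dc=com</xacml:AttributeValue>
			</xacml:Apply>
		</xacml:VariableDefinition>
		<bci:schemaReference id="genericCurEdirMappings"/>
		<!-- Realm-local mapping for the name attribute: a search over t/cn/o/ou -->
		<bci:schemaDefinition>
			<bci:key>
				<bci:name>name</bci:name>
				<!-- When RHS is empty the filter becomes a presence test on t/cn/o/ou; otherwise ${OP} and ${RHS} are
				     substituted into each clause. As far as this file shows, StringVarSubstitution inserts ${RHS} verbatim,
				     so confirm that the engine applies RFC 4515 filter escaping to it. -->
				<bci:inputAttrExpansion evalType="bandit-xacml">
					<xacml:Policy PolicyId="policy-name-inputAttrExpansion" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">
						<xacml:Target/>
						<xacml:Rule Effect="Permit" RuleId="-name-inputAttrExpansion">
							<xacml:Condition>
								<xacml:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-equal">
									<xacml:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag-size">
										<xacml:EnvironmentAttributeDesignator AttributeId="RHS" DataType="http://www.w3.org/2001/XMLSchema#string"/>
									</xacml:Apply>
									<xacml:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">0</xacml:AttributeValue>
								</xacml:Apply>
							</xacml:Condition>
							<xacml:Conclusions>
								<xacml:TrueConclusion>
									<xacml:Apply FunctionId="urn:bandit:names:ia:xacml:1.0:function:env-attr-set">
										<xacml:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">urn:bandit:names:ia:xacml:1.0:evaluation-results</xacml:AttributeValue>
										<xacml:Apply FunctionId="urn:bandit:names:ia:xacml:1.0:function:StringVarSubstitution">
											<xacml:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">(|(t=*)(cn=*)(o=*)(ou=*))</xacml:AttributeValue>
										</xacml:Apply>
									</xacml:Apply>
								</xacml:TrueConclusion>
								<xacml:NotApplicableConclusion>
									<xacml:Apply FunctionId="urn:bandit:names:ia:xacml:1.0:function:env-attr-set">
										<xacml:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">urn:bandit:names:ia:xacml:1.0:evaluation-results</xacml:AttributeValue>
										<xacml:Apply FunctionId="urn:bandit:names:ia:xacml:1.0:function:StringVarSubstitution">
											<xacml:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">(|(t${OP}${RHS})(cn${OP}${RHS})(o${OP}${RHS})(ou${OP}${RHS}))</xacml:AttributeValue>
										</xacml:Apply>
									</xacml:Apply>
								</xacml:NotApplicableConclusion>
							</xacml:Conclusions>
						</xacml:Rule>
					</xacml:Policy>
				</bci:inputAttrExpansion>
				<bci:searchSelection evalType="bandit-xacml">
					<xacml:Apply FunctionId="urn:bandit:names:ia:xacml:1.0:function:searchresults-to-searchresults">
						<xacml:Apply FunctionId="urn:bandit:names:ia:xacml:1.0:function:search">
							<xacml:EnvironmentAttributeDesignator AttributeId="urn:bandit:names:ia:xacml:1.0:function-parm:base-name" DataType="http://www.w3.org/2001/XMLSchema#string"/>
							<xacml:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
								<xacml:EnvironmentAttributeDesignator AttributeId="urn:bandit:names:ia:xacml:1.0:function-parm:search-scope" DataType="http://www.w3.org/2001/XMLSchema#string"/>
							</xacml:Apply>
							<xacml:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
								<xacml:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">t</xacml:AttributeValue>
								<xacml:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">cn</xacml:AttributeValue>
								<xacml:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">o</xacml:AttributeValue>
								<xacml:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">ou</xacml:AttributeValue>
							</xacml:Apply>
							<xacml:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
								<xacml:EnvironmentAttributeDesignator AttributeId="urn:bandit:names:ia:xacml:1.0:function-parm:search-filter" DataType="http://www.w3.org/2001/XMLSchema#string"/>
							</xacml:Apply>
						</xacml:Apply>
						<xacml:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
							<xacml:EnvironmentAttributeDesignator AttributeId="urn:bandit:names:ia:xacml:1.0:function-parm:attribute-name" DataType="http://www.w3.org/2001/XMLSchema#string"/>
						</xacml:Apply>
						<xacml:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#boolean">false</xacml:AttributeValue>
					</xacml:Apply>
				</bci:searchSelection>
			</bci:key>
		</bci:schemaDefinition>
	</bci:realm>
	<!-- Join realm over the eDirectory and AD realms above, referenced by their ids -->
	<bci:realm desc="Realm Join: My Test eDirectory + My Test AD" id="E263CCC1-8F9D-4551-B786-068AA84E8564">
		<bci:connection xsi:type="bci:JoinConnector">
			<bci:realmID>96769C79-7C08-4187-8215-220B1FA7A12B</bci:realmID>
			<bci:realmID>6289E76C-0883-49f1-9DCE-85293A83ED3E</bci:realmID>
		</bci:connection>
	</bci:realm>
</bci:realms>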
<bci:realms xmlns:bci="http://www.bandit-project.org/commonidentity"; xmlns:bxi="http://www.bandit-project.org/commonidentity/xmlidentity"; xmlns:xacml="urn:oasis:names:tc:xacml:2.0:policy:schema:os" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";>
	<!-- Same shared eDirectory mapping as in the first sample, with the transform bodies factored out into XACML
	     variables. guid:outputAttrTransform is defined at the root, but objectGUID:inputAttrTransform is defined
	     inside the realm.ldap_bandit realm; whether a root-level schemaDefinition can resolve a realm-scoped
	     variable depends on scoping rules this file does not show, so confirm against the engine. -->
	<bci:schemaDefinition desc="Shared mappings for eDirectory schema" id="genericCurEdirMappings">
		<bci:key>
			<bci:name>GUID</bci:name>
			<bci:outputAttrTransform evalType="bandit-xacml">
				<xacml:VariableReference VariableId="guid:outputAttrTransform"/>
			</bci:outputAttrTransform>
		</bci:key>
		<bci:key>
			<bci:name>objectGUID</bci:name>
			<bci:inputAttrTransform evalType="bandit-xacml">
				<xacml:VariableReference VariableId="objectGUID:inputAttrTransform"/>
			</bci:inputAttrTransform>
		</bci:key>
	</bci:schemaDefinition>
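	<!-- Root-scoped variable holding the body of the GUID output transform referenced by genericCurEdirMappings -->
	<xacml:VariableDefinition VariableId="guid:outputAttrTransform">
		<xacml:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">objectGUID</xacml:AttributeValue>
	</xacml:VariableDefinition>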
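	<!-- Test-only mapping (per its id): output attribute cn is read from a directory attribute named cnKumquat, and
	     objectGUID reuses the realm-scoped objectGUID:inputAttrTransform variable -->
	<bci:schemaDefinition id="onlyUsedForTesting">
		<bci:key>
			<bci:name>cn</bci:name>
			<bci:outputAttrTransform evalType="bandit-xacml">
				<xacml:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">cnKumquat</xacml:AttributeValue>
			</bci:outputAttrTransform>
		</bci:key>
		<bci:key>
			<bci:name>objectGUID</bci:name>
			<bci:inputAttrTransform evalType="bandit-xacml">
				<xacml:VariableReference VariableId="objectGUID:inputAttrTransform"/>
			</bci:inputAttrTransform>
		</bci:key>
	</bci:schemaDefinition>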
	<bci:realm connectorType="org.bandit.ia.connectors.LDAPConnectorInitialCtxFactory" desc="LDAP Directory: Bandit" id="realm.ldap_bandit">
		<xacml:VariableDefinition VariableId="objectGUID:inputAttrTransform">
			<xacml:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string";>GUID</xacml:AttributeValue>
		</xacml:VariableDefinition>
		<xacml:VariableDefinition VariableId="searchRoots">
			<xacml:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
				<xacml:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string";>o=bandit</xacml:AttributeValue>
			</xacml:Apply>
		</xacml:VariableDefinition>
		<xacml:VariableDefinition VariableId="addRoot">
			<xacml:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string";>o=bandit</xacml:AttributeValue>
		</xacml:VariableDefinition>
		<bci:connection xsi:type="bci:LDAPConnector">
			<bci:address>ldap://localhost:50389</bci:address>
		</bci:connection>
		<bci:schemaReference id="genericCurEdirMappings"/>
		<bci:schemaDefinition>
			<bci:key>
				<bci:name>name</bci:name>
				<bci:searchSelection evalType="bandit-xacml">
					<xacml:Apply FunctionId="urn:bandit:names:ia:xacml:1.0:function:string-to-searchresult">
						<xacml:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
							<xacml:EnvironmentAttributeDesignator AttributeId="urn:bandit:names:ia:xacml:1.0:function-parm:base-name" DataType="http://www.w3.org/2001/XMLSchema#string"/>
						</xacml:Apply>
						<xacml:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
							<xacml:EnvironmentAttributeDesignator AttributeId="urn:bandit:names:ia:xacml:1.0:function-parm:attribute-name" DataType="http://www.w3.org/2001/XMLSchema#string"/>
						</xacml:Apply>
						<xacml:EnvironmentAttributeDesignator AttributeId="urn:bandit:names:ia:xacml:1.0:function-parm:base-name" DataType="http://www.w3.org/2001/XMLSchema#string"/>
					</xacml:Apply>
				</bci:searchSelection>
				<bci:searchFilter evalType="bandit-xacml">
					<xacml:Apply FunctionId="urn:bandit:names:ia:xacml:1.0:function:search">
						<xacml:EnvironmentAttributeDesignator AttributeId="urn:bandit:names:ia:xacml:1.0:function-parm:base-name" DataType="http://www.w3.org/2001/XMLSchema#string"/>
						<xacml:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
							<xacml:EnvironmentAttributeDesignator AttributeId="urn:bandit:names:ia:xacml:1.0:function-parm:search-scope" DataType="http://www.w3.org/2001/XMLSchema#string"/>
						</xacml:Apply>
						<xacml:EnvironmentAttributeDesignator AttributeId="urn:bandit:names:ia:xacml:1.0:function-parm:search-selection" DataType="http://www.w3.org/2001/XMLSchema#string"/>
						<xacml:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string";>(|(t={0})(cn={0})(o={0})(ou={0}))</xacml:AttributeValue>
						<xacml:EnvironmentAttributeDesignator AttributeId="urn:bandit:names:ia:xacml:1.0:function-parm:search-filter-args" DataType="http://www.w3.org/2001/XMLSchema#string"/>
					</xacml:Apply>
				</bci:searchFilter>
			</bci:key>
			<bci:key>
				<bci:name>role</bci:name>
				<bci:searchSelection evalType="bandit-xacml">
					<xacml:Apply FunctionId="urn:bandit:names:ia:xacml:1.0:function:search-join">
						<xacml:Apply FunctionId="urn:bandit:names:ia:xacml:1.0:function:string-to-searchresult">
							<xacml:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
								<xacml:EnvironmentAttributeDesignator AttributeId="urn:bandit:names:ia:xacml:1.0:function-parm:base-name" DataType="http://www.w3.org/2001/XMLSchema#string"/>
							</xacml:Apply>
							<xacml:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
								<xacml:EnvironmentAttributeDesignator AttributeId="urn:bandit:names:ia:xacml:1.0:function-parm:attribute-name" DataType="http://www.w3.org/2001/XMLSchema#string"/>
							</xacml:Apply>
							<xacml:Apply FunctionId="urn:bandit:names:ia:xacml:1.0:function:name-to-string-bag">
								<xacml:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
									<xacml:EnvironmentAttributeDesignator AttributeId="urn:bandit:names:ia:xacml:1.0:function-parm:base-name" DataType="http://www.w3.org/2001/XMLSchema#string"/>
								</xacml:Apply>
							</xacml:Apply>
						</xacml:Apply>
						<xacml:Apply FunctionId="urn:bandit:names:ia:xacml:1.0:function:searchresults-to-searchresult">
							<xacml:Apply FunctionId="urn:bandit:names:ia:xacml:1.0:function:search">
								<xacml:EnvironmentAttributeDesignator AttributeId="urn:bandit:names:ia:xacml:1.0:function-parm:base-name" DataType="http://www.w3.org/2001/XMLSchema#string"/>
								<xacml:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string";>baseObject</xacml:AttributeValue>
								<xacml:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
									<xacml:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string";>securityEquals</xacml:AttributeValue>
									<xacml:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string";>groupMembership</xacml:AttributeValue>
									<xacml:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string";>objectClass</xacml:AttributeValue>
								</xacml:Apply>
							</xacml:Apply>
							<xacml:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
								<xacml:EnvironmentAttributeDesignator AttributeId="urn:bandit:names:ia:xacml:1.0:function-parm:base-name" DataType="http://www.w3.org/2001/XMLSchema#string"/>
							</xacml:Apply>
							<xacml:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
								<xacml:EnvironmentAttributeDesignator AttributeId="urn:bandit:names:ia:xacml:1.0:function-parm:attribute-name" DataType="http://www.w3.org/2001/XMLSchema#string"/>
							</xacml:Apply>
							<xacml:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#boolean";>false</xacml:AttributeValue>
						</xacml:Apply>
						<xacml:Apply FunctionId="urn:bandit:names:ia:xacml:1.0:function:searchresults-to-searchresult">
							<xacml:Apply FunctionId="urn:bandit:names:ia:xacml:1.0:function:search">
								<xacml:VariableReference VariableId="searchRoots"/>
								<xacml:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string";>subTree</xacml:AttributeValue>
								<xacml:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag"/>
								<!-- no selection list -->
								<xacml:AttributeValue AttributeId="urn:bandit:names:ia:xacml:1.0:function-parm:search-filter" DataType="http://www.w3.org/2001/XMLSchema#string";>(|(&amp;(objectClass=groupOfNames)(|(member={0})(equivalentToMe={0})))(&amp;(objectClass=organization)(equivalentToMe={0}))(&amp;(objectClass=organizationalRole)(roleOccupant={0})))</xacml:AttributeValue>
								<xacml:EnvironmentAttributeDesignator AttributeId="urn:bandit:names:ia:xacml:1.0:function-parm:base-name" DataType="http://www.w3.org/2001/XMLSchema#string"/>
							</xacml:Apply>
							<xacml:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
								<xacml:EnvironmentAttributeDesignator AttributeId="urn:bandit:names:ia:xacml:1.0:function-parm:base-name" DataType="http://www.w3.org/2001/XMLSchema#string"/>
							</xacml:Apply>
							<xacml:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
								<xacml:EnvironmentAttributeDesignator AttributeId="urn:bandit:names:ia:xacml:1.0:function-parm:attribute-name" DataType="http://www.w3.org/2001/XMLSchema#string"/>
							</xacml:Apply>
							<xacml:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#boolean">true</xacml:AttributeValue>
						</xacml:Apply>
					</xacml:Apply>
				</bci:searchSelection>
				<bci:searchFilter evalType="bandit-xacml">
					<xacml:Policy PolicyId="genericPolicy27" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">
						<xacml:Target/>
						<xacml:Rule Effect="Permit" RuleId="genericRule27">
							<xacml:Condition>
								<xacml:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:or">
									<xacml:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
										<xacml:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
											<xacml:EnvironmentAttributeDesignator AttributeId="urn:bandit:names:ia:xacml:1.0:function-parm:search-filter-args" DataType="http://www.w3.org/2001/XMLSchema#string"/>
										</xacml:Apply>
										<xacml:Apply FunctionId="urn:bandit:names:ia:xacml:1.0:function:name-to-string-bag">
											<xacml:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
												<xacml:EnvironmentAttributeDesignator AttributeId="urn:bandit:names:ia:xacml:1.0:function-parm:base-name" DataType="http://www.w3.org/2001/XMLSchema#string"/>
											</xacml:Apply>
										</xacml:Apply>
									</xacml:Apply>
									<xacml:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-greater-than-or-equal">
										<xacml:Apply FunctionId="urn:bandit:names:ia:xacml:1.0:function:searchresults-size">
											<xacml:Apply FunctionId="urn:bandit:names:ia:xacml:1.0:function:search">
												<xacml:EnvironmentAttributeDesignator AttributeId="urn:bandit:names:ia:xacml:1.0:function-parm:search-filter-args" DataType="http://www.w3.org/2001/XMLSchema#string"/>
												<xacml:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">base</xacml:AttributeValue>
												<xacml:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag"/>
												<!-- no selection list -->
												<xacml:AttributeValue AttributeId="urn:bandit:names:ia:xacml:1.0:function-parm:search-filter" DataType="http://www.w3.org/2001/XMLSchema#string">(|(&amp;(objectClass=groupOfNames)(|(member={0})(equivalentToMe={0})))(&amp;(objectClass=organization)(equivalentToMe={0}))(&amp;(objectClass=organizationalRole)(roleOccupant={0})))</xacml:AttributeValue>
												<xacml:EnvironmentAttributeDesignator AttributeId="urn:bandit:names:ia:xacml:1.0:function-parm:base-name" DataType="http://www.w3.org/2001/XMLSchema#string"/>
											</xacml:Apply>
										</xacml:Apply>
										<xacml:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">1</xacml:AttributeValue>
									</xacml:Apply>
									<xacml:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-greater-than-or-equal">
										<xacml:Apply FunctionId="urn:bandit:names:ia:xacml:1.0:function:searchresults-size">
											<xacml:Apply FunctionId="urn:bandit:names:ia:xacml:1.0:function:search">
												<xacml:EnvironmentAttributeDesignator AttributeId="urn:bandit:names:ia:xacml:1.0:function-parm:base-name" DataType="http://www.w3.org/2001/XMLSchema#string"/>
												<xacml:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">base</xacml:AttributeValue>
												<xacml:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag"/>
												<!-- no selection list -->
												<xacml:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">(|(securityEquals={0})(groupMembership={0})(objectClass={0}))</xacml:AttributeValue>
												<xacml:EnvironmentAttributeDesignator AttributeId="urn:bandit:names:ia:xacml:1.0:function-parm:search-filter-args" DataType="http://www.w3.org/2001/XMLSchema#string"/>
											</xacml:Apply>
										</xacml:Apply>
										<xacml:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">1</xacml:AttributeValue>
									</xacml:Apply>
								</xacml:Apply>
								<!-- end or -->
							</xacml:Condition>
							<xacml:Conclusions>
								<xacml:TrueConclusion>
									<xacml:Apply FunctionId="urn:bandit:names:ia:xacml:1.0:function:env-attr-set">
										<xacml:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">urn:bandit:names:ia:xacml:1.0:evaluation-results</xacml:AttributeValue>
										<xacml:Apply FunctionId="urn:bandit:names:ia:xacml:1.0:function:search">
											<xacml:EnvironmentAttributeDesignator AttributeId="urn:bandit:names:ia:xacml:1.0:function-parm:base-name" DataType="http://www.w3.org/2001/XMLSchema#string"/>
											<xacml:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">base</xacml:AttributeValue>
											<xacml:EnvironmentAttributeDesignator AttributeId="urn:bandit:names:ia:xacml:1.0:function-parm:search-selection" DataType="http://www.w3.org/2001/XMLSchema#string"/>
										</xacml:Apply>
									</xacml:Apply>
								</xacml:TrueConclusion>
							</xacml:Conclusions>
						</xacml:Rule>
					</xacml:Policy>
				</bci:searchFilter>
			</bci:key>
		</bci:schemaDefinition>
	</bci:realm>
	<!--
	  Realm backed by the XML file connector (connectorType XMLFileConnectorInitialCtxFactory,
	  connection xsi:type bci:XMLFileConnector). Unlike a directory-backed realm, the
	  identities listed under identityList ARE the realm's data: they are read straight
	  out of this document, in clear text.

	  NOTE(review): the identity elements use the "bxi" prefix, but no xmlns:bxi declaration
	  appears on this realm, on its connection, or on the realms root element. A
	  namespace-aware parser rejects an unbound prefix, so either the declaration was lost
	  when the sample was posted or it has to be added (normally on the root element).

	  The SSN values below (555-55-5555, 000-00-0000) are obvious placeholders. Because this
	  connector keeps identity attributes in a plain-text file, a real deployment should
	  either keep such attributes out of the realm file or restrict read access to it.
	-->
	<bci:realm connectorType="org.bandit.ia.connectors.XMLFileConnectorInitialCtxFactory" desc="XML File: Local Host" id="realm.local_xml">
		<bci:connection xsi:type="bci:XMLFileConnector">
			<!--
			  Each identity has exactly one name and a free-form set of attributes; an attribute
			  that repeats (role, sport) is simply written as a repeated child element.
			  A name without nameType is a bare user name; nameType="LDAP" carries a
			  distinguished name and nameType="RFC822" an e-mail address.
			-->
			<bci:identityList>
				<!-- e-mail domains below appear to have been masked by the mail archive -->
				<bxi:identity>
					<bxi:name>jim</bxi:name>
					<bxi:role>Employee</bxi:role>
					<bxi:role>Brewmeister</bxi:role>
					<bxi:role>Bartender</bxi:role>
					<bxi:e-mail>jim@xxxxxxxxxxxxx</bxi:e-mail>
				</bxi:identity>
				<bxi:identity>
					<bxi:name>tom</bxi:name>
					<bxi:role>Employee</bxi:role>
					<bxi:role>Janitor</bxi:role>
					<bxi:shoeSize>9</bxi:shoeSize>
				</bxi:identity>
				<bxi:identity>
					<bxi:name nameType="LDAP">cn=dbuss,ou=People,o=bandit</bxi:name>
					<bxi:role>Patron</bxi:role>
					<bxi:role>Gold Star</bxi:role>
					<bxi:role>Sopoli Paimen</bxi:role>
					<bxi:phone>801-555-5555</bxi:phone>
				</bxi:identity>
				<bxi:identity>
					<bxi:name nameType="LDAP">cn=jimse,ou=People,o=bandit</bxi:name>
					<bxi:role>Novell Employee</bxi:role>
					<bxi:role>Gold Star</bxi:role>
					<bxi:role>Developer</bxi:role>
					<!-- placeholder value; see the realm-level note on sensitive attributes -->
					<bxi:SSN>555-55-5555</bxi:SSN>
				</bxi:identity>
				<bxi:identity>
					<bxi:name nameType="LDAP">cn=tdoman,ou=People,o=bandit</bxi:name>
					<bxi:role>Novell Employee</bxi:role>
					<bxi:role>Superstar</bxi:role>
					<bxi:role>Perdedor</bxi:role>
					<!-- placeholder value; see the realm-level note on sensitive attributes -->
					<bxi:SSN>000-00-0000</bxi:SSN>
					<bxi:sport>Football</bxi:sport>
					<bxi:sport>Hockey</bxi:sport>
					<bxi:sport>Soccer</bxi:sport>
				</bxi:identity>
				<bxi:identity>
					<bxi:name nameType="RFC822">seth@xxxxxxxxxxxxxxxxx</bxi:name>
					<bxi:role>Developer</bxi:role>
				</bxi:identity>
			</bci:identityList>
		</bci:connection>
	</bci:realm>
	<!--
	  Join realm: a connection of xsi:type bci:JoinConnector that refers to other realms
	  by id instead of holding data of its own. realm.local_xml is the XML-file realm
	  defined directly above; realm.ldap_bandit is presumably the LDAP realm whose
	  definition ends just before it (its id attribute is not shown in this excerpt).
	  No connectorType attribute is given here, unlike the XML-file realm. The realmID
	  children are written in element order; whether the join treats that order as
	  significant is not shown in this file.
	-->
	<bci:realm desc="Realm Join: LDAP + XML" id="realm.ldap_bandit+local_xml">
		<bci:connection xsi:type="bci:JoinConnector">
			<bci:realmID>realm.ldap_bandit</bci:realmID>
			<bci:realmID>realm.local_xml</bci:realmID>
		</bci:connection>
	</bci:realm>
</bci:realms>
