Infinispan / ISPN-7712

LDAP Authorization Common RoleName Mapper Case Insensitive CN extraction

Steps to Reproduce:

      1. Import the LDIF `example.com.ldif` into your LDAP server; be sure to update the users' passwords, as the exported passwords will not work.
      2. Define an LDAP security realm in cluster.xml.
      3. Define authorisation using the group-to-principal method.
      4. Add authorisation to the cache-container and the cache, with the mapper set to "common-role-name-mapper".

      For steps 2-4 you can use `ldap_cluster_notworking.xml` from the attachments.

      Run JDGSecurityTest.java: you get a security exception saying the user does not have the permissions, even though the user is authorised to perform the required operations.

Workaround:

      Now update cluster.xml so that the cache-container mapper is `identity-role-mapper` (you can use `ldap_cluster_workaround.xml` for this).

      Re-run JDGSecurityTest.java and the tests pass.

Description:

      When security is enabled in Infinispan with an LDAP backend and `common-role-name-mapper` is used for authorisation, role-name extraction fails when the role-name attribute in the distinguished name is written as "cn" instead of "CN".

      It was identified that `org.infinispan.security.impl.CommonRoleMapper` uses a case-sensitive search and extracts roles only when the DN has the form "CN=Developers,ou=Groups,dc=example,dc=com".
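As an added illustration (this is not Infinispan's code and not the actual `CommonRoleMapper` implementation), the Python below reconstructs the failure mode described above: a mapper that only recognises a literal `CN=` prefix, beside a mapper that splits the DN into RDNs and matches the attribute type case-insensitively, which is what RFC 4514 requires since attribute types in a DN are not case-sensitive. The `ROLE_PERMISSIONS` table is copied from the cache-container configuration in this report; `permitted` is a simplified check (ALL grants everything, composite permissions such as ALL_READ are not expanded) and the sample group DNs are constructed for the demonstration.

```python
"""Case-sensitive vs. case-insensitive CN extraction from LDAP group DNs.

Added illustration for ISPN-7712, not Infinispan's own role mapper.
"""
import re
from typing import Callable, Iterable, List, Optional, Set, Tuple


def unescape(value: str) -> str:
    """Undo single-character backslash escapes (\\, \\= ...); hex escapes are not decoded."""
    return re.sub(r"\\(.)", r"\1", value)


def split_rdns(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (attribute-type, value) pairs.

    Keeps escaped separators ("\\,") inside values and splits multi-valued
    RDNs ("cn=a+ou=b") on '+'. Raises ValueError for a component without '='.
    """
    parts, current, i = [], [], 0
    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):   # keep the escape pair together
            current.append(dn[i:i + 2])
            i += 2
            continue
        if c in ",+":                        # end of an RDN / RDN component
            parts.append("".join(current))
            current = []
        else:
            current.append(c)
        i += 1
    parts.append("".join(current))

    pairs = []
    for part in parts:
        if not part.strip():
            continue
        if "=" not in part:
            raise ValueError(f"malformed RDN {part!r} in {dn!r}")
        typ, val = part.split("=", 1)
        pairs.append((typ.strip(), unescape(val.strip())))
    return pairs


def naive_common_name(dn: str) -> Optional[str]:
    """The behaviour the report describes: only a literal 'CN=' prefix is recognised."""
    if dn.startswith("CN="):
        return dn[3:].split(",", 1)[0]
    return None


def common_name(dn: str, attribute: str = "cn") -> Optional[str]:
    """Value of the first RDN whose type equals `attribute`, compared case-insensitively."""
    try:
        rdns = split_rdns(dn)
    except ValueError:
        return None                          # not a DN (e.g. a bare user name principal)
    want = attribute.lower()
    for typ, val in rdns:
        if typ.lower() == want:
            return val
    return None


# Roles and permissions as declared in the report's cache-container <authorization>.
ROLE_PERMISSIONS = {
    "ClusterAdmins": {"ALL"},
    "Developers": {"WRITE"},
    "Business": {"READ"},
    "Managers": {"ALL_READ", "ALL_WRITE"},
}


def map_roles(principals: Iterable[str],
              extract: Callable[[str], Optional[str]] = common_name) -> Set[str]:
    """Map group principals (as returned by a group-to-principal search) to role names."""
    return {name for name in (extract(p) for p in principals) if name}


def permitted(principals: Iterable[str], permission: str,
              extract: Callable[[str], Optional[str]] = common_name) -> bool:
    """Simplified check: ALL grants everything, otherwise the permission must be listed."""
    granted: Set[str] = set()
    for role in map_roles(principals, extract):
        granted |= ROLE_PERMISSIONS.get(role, set())
    return "ALL" in granted or permission in granted


if __name__ == "__main__":
    # Constructed sample: the principals an LDAP server that emits lower-case
    # attribute types would hand to the role mapper for a developer.
    principals = ["uid=jdoe,ou=People,dc=example,dc=com",
                  "cn=Developers,ou=Groups,dc=example,dc=com"]
    print("naive mapper roles:", map_roles(principals, naive_common_name))
    print("fixed mapper roles:", map_roles(principals))
    print("WRITE permitted (naive):", permitted(principals, "WRITE", naive_common_name))
    print("WRITE permitted (fixed):", permitted(principals, "WRITE"))
```

With the naive mapper the developer's group yields no role at all and every operation is denied, which is exactly the "user not having the permissions" exception in the reproduction steps; the case-insensitive mapper recovers the role from either spelling of the attribute type.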

      The current workaround is to use an LDAP authorization such as

      <group-search group-name="SIMPLE" iterative="true" group-dn-attribute="dn" group-name-attribute="cn">
          <group-to-principal search-by="DISTINGUISHED_NAME" base-dn="ou=Groups,dc=example,dc=com">
              <membership-filter principal-attribute="uniqueMember"/>
          </group-to-principal>
      </group-search>

      and to define the cache-container authorisation like

      <security>
          <authorization>
              <!-- This does not work as the role extraction uses case sensitive extraction of cn -->
              <!-- common-name-role-mapper/ -->
              <identity-role-mapper/>
              <role name="ClusterAdmins" permissions="ALL"/>
              <role name="Developers" permissions="WRITE"/>
              <role name="Business" permissions="READ"/>
              <role name="Managers" permissions="ALL_READ ALL_WRITE"/>
          </authorization>
      </security>

Attachments:
        1. example.com.ldif (10 kB)
        2. jdg-security-demo.tar.gz (3 kB)
        3. ldap_cluster_notworking.xml (25 kB)
        4. ldap_cluster_workaround.xml (26 kB)

              ttarrant@redhat.com Tristan Tarrant
              ksampath@redhat.com Kamesh Sampath (Inactive)
              Archiver:
              rhn-support-adongare Amol Dongare
              Tristan Tarrant