Uploaded image for project: 'Red Hat Data Grid'
  1. Red Hat Data Grid
  2. JDG-1126

LDAP Authorization Common RoleName Mapper Case Insensitive CN extraction

XMLWordPrintable

    • DR1
    • Hide

      Now update the cluster.xml with cache-container mapper to `identity-role-mapper` ( you can use `ldap_cluster_workaround.xml`) for this update

      Re-run 'JDGSecurityTest.java' the test again and you will see the tests passing.

      Show
      Now update the cluster.xml with cache-container mapper to `identity-role-mapper` ( you can use `ldap_cluster_workaround.xml`) for this update Re-run 'JDGSecurityTest.java' the test again and you will see the tests passing.
    • Hide

      1. Import the ldif `example.com.ldif` into your LDAP server, be sure the update the passwords of the users as the exported passwords will work
      2. Define a LDAP security realm in cluster.xml
      3. Define authorisation using group-to-principal method
      4. Add authorisation to cache-container and cache with mapper as "common-role-name-mapper"

      for steps 2-5 you can use the `ldap_cluster_notworking.xml` from the attachments

      Run the JDGSecurityTest.java, you will get security exception of user not having the permissions, even though user is authorised to perform the required operations.

      Show
      1. Import the ldif `example.com.ldif` into your LDAP server, be sure the update the passwords of the users as the exported passwords will work 2. Define a LDAP security realm in cluster.xml 3. Define authorisation using group-to-principal method 4. Add authorisation to cache-container and cache with mapper as "common-role-name-mapper" for steps 2-5 you can use the `ldap_cluster_notworking.xml` from the attachments Run the JDGSecurityTest.java, you will get security exception of user not having the permissions, even though user is authorised to perform the required operations.

      When enabling security with Inifinispan with LDAP backend and when using `common-role-name-mapper` for authorisation, the extraction fails to extract the role name when the role name attribute e.g. "cn" is used instead of "CN" in the distinguished name.

      Its identified that the `org.infinispan.security.impl.CommonRoleMapper` use a case sensitive search and extracts roles only when the DN is like "CN=Developers,ou=Groups,dc=example,dc=com"

      The current workaround is to use the use a ldap authorization like

      <group-search group-name="SIMPLE" iterative="true" group-dn-attribute="dn" group-name-attribute="cn">
       <group-to-principal search-by="DISTINGUISHED_NAME" base-dn="ou=Groups,dc=example,dc=com">
                                      <membership-filter principal-attribute="uniqueMember"/>
       </group-to-principal>
       </group-search>
      

      and define the cache-container authorisation like

       <security>
            <authorization>
                             <!-- This does not work as the role extraction uses case sensitive extraction of cn -->
                              <!-- common-name-role-mapper/ -->
                              <identity-role-mapper/>
                              <role name="ClusterAdmins" permissions="ALL"/>
                              <role name="Developers" permissions="WRITE"/>
                              <role name="Business" permissions="READ"/>
                              <role name="Managers" permissions="ALL_READ ALL_WRITE"/>
             </authorization>
      </security>
      

            ttarrant@redhat.com Tristan Tarrant
            ksampath@redhat.com Kamesh Sampath (Inactive)
            Tristan Tarrant
            Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

              Created:
              Updated:
              Resolved: