How to map LDAP user groups to WildFly roles - ldap

We have a Java EE application running on WildFly 18. Authentication is done by a Kerberos security domain (com.sun.security.auth.module.Krb5LoginModule). This works just fine.
Now we need to know whether the authenticated user belongs to a certain user group in LDAP.
Any idea how to do that? I assume we need to configure an LDAP connection and then somehow map LDAP user groups to WildFly roles, but I have no clue where to start.
Thank you very much for any help or direction.

I had a similar problem to yours.
In my case I first needed to migrate from legacy security to Elytron. In Elytron, loading users and groups is the first step, and then you have the opportunity to map roles to whatever you want using role mappers.
<security-domain name="ApplicationDomain" default-realm="ApplicationRealm" permission-mapper="default-permission-mapper">
    <realm name="ApplicationRealm" role-decoder="groups-to-roles" role-mapper="KeepMappedRoleMapper"/>
    <realm name="local"/>
</security-domain>
...
<mapped-role-mapper name="KeepMappedRoleMapper" keep-mapped="false" keep-non-mapped="false">
    <role-mapping from="SOURCE_GROUP" to="TARGET_GROUP"/>
</mapped-role-mapper>
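To make the effect of the two keep-* flags concrete, here is an added Python model of what a mapped-role-mapper does; it is an illustration written for this page, not WildFly's code. It assumes, as the answer says, that the realm has already decoded the identity's LDAP group names into roles; the group and role names other than SOURCE_GROUP and TARGET_GROUP are hypothetical.

```python
"""Model of Elytron's mapped-role-mapper (added example, not WildFly code).
Input: the role names the realm decoded from the identity's LDAP groups.
Output: the roles the deployed application sees."""


def mapped_role_mapper(roles, mapping, keep_mapped=False, keep_non_mapped=False):
    """mapping is {from_role: {to_role, ...}}, i.e. the <role-mapping from= to=/>
    elements. Every 'to' role of a matched 'from' role is always added;
    keep_mapped additionally keeps the matched 'from' roles themselves;
    keep_non_mapped keeps roles that have no mapping at all."""
    out = set()
    for role in roles:
        targets = mapping.get(role)
        if targets is None:
            if keep_non_mapped:
                out.add(role)
        else:
            out.update(targets)
            if keep_mapped:
                out.add(role)
    return frozenset(out)


# Hypothetical mapping: the answer's SOURCE_GROUP -> TARGET_GROUP plus one
# LDAP group that grants two application roles.
MAPPING = {
    "SOURCE_GROUP": {"TARGET_GROUP"},
    "ldap-admins": {"admin", "user"},
}

# Constructed sample input: group names as an LDAP realm would decode them.
ALICE_GROUPS = ["SOURCE_GROUP", "ldap-admins", "Domain Users"]
BOB_GROUPS = ["Domain Users"]


def roles_with_answer_config(groups):
    """keep-mapped="false" keep-non-mapped="false", as in the answer: only
    roles that a <role-mapping> points to survive, an explicit allowlist."""
    return mapped_role_mapper(groups, MAPPING)


def roles_keeping_everything(groups):
    """Both flags true: every LDAP group name also becomes an application
    role, so an @RolesAllowed("Domain Users") check would admit any account."""
    return mapped_role_mapper(groups, MAPPING, keep_mapped=True, keep_non_mapped=True)
```

With both flags false, as in the answer's configuration, a user whose only LDAP group has no role-mapping ends up with no application roles at all, which is the safe default: every role the application checks has to be granted explicitly.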

Related

Configure Tomcat 8 with LDAP realm

I have a problem with the configuration of an LDAP server on Tomcat 8.
I have an LDAP server configured and working on a WAS 8.5 server and I would like to configure the same LDAP on Tomcat.
The WAS configuration is (translated from Italian):
User filter: (&(cn=%v)(objectclass=inetOrgPerson))
Group filter: (&(cn=%v)(|(objectclass=groupOfNames)(objectclass=groupOfUniqueNames)))
User ID map: *:cn
Group ID map: *:cn
Map ID member of group: ibm-allGroups:member;ibm-allGroups:uniqueMember;groupOfNames:member;groupOfUniqueNames:uniqueMember
The Realm tag in server.xml on tomcat is:
<Realm className="org.apache.catalina.realm.JNDIRealm" debug="10"
       connectionURL="ldap://192.168.0.3:389"
       userBase="o=organization,c=it"
       userSearch="(cn={0})"
       userSubtree="true"
       connectionName="cn=test,cn=Directory Administrators,o=organization,c=it"
       connectionPassword="testpass"
/>
How can I fill in the Realm tag with the role attributes?
And in web.xml, what role do I have to specify? I just want to grant access to all authenticated users.
I think you are already well on your way to authenticating users with the above settings.
Roles
For roles/groups, you can translate the WAS settings as follows:
<...your config...
roleBase="o=organization,c=it"
roleSubtree="true"
roleSearch="(&(uniqueMember={0})(|(objectclass=groupOfNames)(objectclass=groupOfUniqueNames)))"
roleName="cn"/>
The roles that a user is assigned in Tomcat will then be the list of group names from the directory. As this may vary, you will need to set up a number of groups beforehand and list them in your web.xml. Assigning those groups to users will then give them the appropriate access.
Authenticated Users
If you just want to allow any authenticated user, you can set the attribute allRolesMode to authOnly, like this:
<...your config...
allRolesMode="authOnly"/>
Your web.xml should then use * for the role specification, like this:
<auth-constraint>
    <role-name>*</role-name>
</auth-constraint>
Maybe you should also set the security-role element as indicated here: Tomcat security constraint for valid user
Personally I have no setup which uses authOnly but I know it can be done and have seen it in action.
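To see which roles that roleSearch actually yields, here is an added Python emulation of JNDIRealm's role lookup over a small constructed directory; it is example code written for this page, not Tomcat's implementation. The group and user entries under o=organization,c=it are made up. It also runs a second filter that, like the WAS "member of group" map above, reads member from groupOfNames entries as well as uniqueMember from groupOfUniqueNames.

```python
"""Emulate the role lookup Tomcat's JNDIRealm performs with roleSearch
(added example, not Tomcat code). Tomcat substitutes {0} with the
authenticated user's DN and {1} with the username, searches roleBase, and
turns the roleName attribute (cn) of every matching entry into a role."""
import re

# Constructed sample directory: three groups under o=organization,c=it.
# The groupOfNames entry lists its members in "member", not "uniqueMember".
GROUPS = {
    "cn=editors,o=organization,c=it": {
        "objectclass": ["top", "groupOfNames"],
        "cn": ["editors"],
        "member": ["cn=mrossi,o=organization,c=it"],
    },
    "cn=admins,o=organization,c=it": {
        "objectclass": ["top", "groupOfUniqueNames"],
        "cn": ["admins"],
        "uniqueMember": ["cn=mrossi,o=organization,c=it",
                         "cn=lbianchi,o=organization,c=it"],
    },
    "cn=readers,o=organization,c=it": {
        "objectclass": ["top", "groupOfUniqueNames"],
        "cn": ["readers"],
        "uniqueMember": ["cn=lbianchi,o=organization,c=it"],
    },
}


def escape_filter_value(value):
    """RFC 4515 escaping of a value substituted into a filter. Tomcat does this
    for {0}/{1}; anything you substitute by hand must be escaped the same way."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def unescape_filter_value(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def parse_filter(text):
    """Parse the RFC 4515 subset roleSearch uses: (attr=value), (&...), (|...)."""
    def node(i):
        if text[i] != "(":
            raise ValueError("expected '(' at offset %d" % i)
        i += 1
        if text[i] in "&|":
            op, children, i = text[i], [], i + 1
            while text[i] == "(":
                child, i = node(i)
                children.append(child)
            if text[i] != ")":
                raise ValueError("unterminated '%s' filter" % op)
            return (op, children), i + 1
        end = text.index(")", i)
        attr, value = text[i:end].split("=", 1)
        return ("=", attr, unescape_filter_value(value)), end + 1
    tree, end = node(0)
    if end != len(text):
        raise ValueError("trailing data after filter")
    return tree


def matches(entry, tree):
    """Evaluate a parsed filter against one entry. Attribute names are
    case-insensitive; values are compared case-insensitively, as the caseIgnore
    matching rules of cn, objectClass and DN-valued attributes do."""
    if tree[0] == "&":
        return all(matches(entry, c) for c in tree[1])
    if tree[0] == "|":
        return any(matches(entry, c) for c in tree[1])
    _, attr, wanted = tree
    values = [v.lower() for k, vs in entry.items() if k.lower() == attr.lower() for v in vs]
    return wanted.lower() in values


def tomcat_roles(role_search, user_dn, username, directory=GROUPS, role_name="cn"):
    """Return the sorted role list JNDIRealm would assign to this user."""
    filt = (role_search.replace("{0}", escape_filter_value(user_dn))
                       .replace("{1}", escape_filter_value(username)))
    tree = parse_filter(filt)
    roles = [r for entry in directory.values() if matches(entry, tree)
             for r in entry.get(role_name, [])]
    return sorted(roles)


# The filter from the answer: only uniqueMember is checked...
ANSWER_FILTER = ("(&(uniqueMember={0})"
                 "(|(objectclass=groupOfNames)(objectclass=groupOfUniqueNames)))")
# ...whereas the WAS member map also reads member from groupOfNames entries.
WAS_EQUIVALENT_FILTER = ("(&(|(member={0})(uniqueMember={0}))"
                         "(|(objectclass=groupOfNames)(objectclass=groupOfUniqueNames)))")
```

Running tomcat_roles with the answer's filter assigns cn=mrossi only the admins role; the groupOfNames entry editors, which lists him under member rather than uniqueMember, is skipped, while the combined filter returns both. The value substituted for {0} is escaped per RFC 4515 first, so a DN containing parentheses or an asterisk cannot change the structure of the search (Tomcat escapes {0} itself; code that builds filters by hand must do the same).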

Openldap and ActiveDirectory authentication

Is it possible to connect to an OpenLDAP server the way one connects to Active Directory, with this form:
"username@domain"
I have tested this form; it connects with Active Directory, but with OpenLDAP I have to put the full DN.
Does anyone have any idea how to modify my OpenLDAP so it connects like AD, if that is possible?
Thanks.
If you want to authenticate OpenLDAP and AD users using the same DN, you need to add a proxy to the AD server from the OpenLDAP server.
You need to use the back_ldap module to make the AD database a subordinate of the OpenLDAP database.
You can add a custom attribute in OpenLDAP/AD for uniqueness of the user; mostly we find the email attribute is common on both sides.
If you want to use alternative bind names like the userPrincipalName (username@realm) with OpenLDAP, you need the rewrite/remap overlay slapo-rwm that comes with version 2.4.
A very simple example would be:
# Typed and not tested!
rwm-rewriteEngine on
rwm-rewriteContext addName
rwm-rewriteRule "(.*)" "userPrincipalName=$1" ":"
rwm-rewriteMap ldap upn2dn "ldap://host/dc=my,dc=org?dn?sub"
rwm-rewriteContext bindDN
rwm-rewriteRule ".*" "${upn2dn($0)}" ":#I"
EDIT
In reply to the question in your comment: LDAP as a protocol has no concept of uniqueness; it's a product feature. With OpenLDAP, for example, you can use the unique overlay to enforce uniqueness for certain attribute types in suitable backends. With phpLDAPAdmin you can configure the attribute types that shall be tested for uniqueness by that client.

Authenticate users with LDAP server

I'm using the LDAP Login Module to authenticate users with an LDAP server in a hybrid app. In authenticationConfig.xml I configured the loginModule parameters.
<parameter name="ldapSecurityPrincipalPattern"
value="uid={username}, cn=users,dc=kadrlar,dc=uz"/>
<parameter name="ldapSearchFilterPattern"
value="(uid={username})"/>
<parameter name="ldapSearchBase"
value="dc=kadrlar,dc=uz"/>
Authentication works fine. This is one part of the users.
I have some users in LDAP where I must use ldapSecurityPrincipalPattern with value="uid={username}, cn=users,dc=core,dc=kadrlar,dc=uz"/>
All other parameters are the same. This is the other part of the users.
How can I set the value of ldapSecurityPrincipalPattern so as to authenticate any user from both parts without changing the value of ldapSecurityPrincipalPattern?
ldapSecurityPrincipalPattern is used to tell the LDAP adapter what identifying information is needed in order to successfully authenticate the user.
For example, if your LDAP server was set up to use email, your pattern would be {username}@domain.com. Your question is equivalent to asking how to get the adapter to authenticate both {username}@google.com and {username}@stackoverflow.com, which is obviously impossible, since the LDAP adapter doesn't have the functionality to handle multiple attempts and the logic involved in dealing with a failed connection and retrying with another security pattern.
A possible solution would be to set the pattern to just {username},
and force the end user to pass in the full email address including the domain.
Similarly, in your case, what you could do is set ldapSecurityPrincipalPattern to {username}, and introduce some logic in the implementation that takes the login name from your end user
and decides whether to set username="uid={login}, cn=users,dc=kadrlar,dc=uz"
or username="uid={login}, cn=users,dc=core,dc=kadrlar,dc=uz".
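The answer's "logic in the implementation" can be done without building a DN from the login name at all: search for the user first, then bind with the DN the search returned. Below is an added Python example of that search-then-bind step; it is illustrative code written for this page, not part of MobileFirst or OpenLDAP, and the directory entries, user names and passwords in it are constructed. It also resolves the username@realm form discussed in the OpenLDAP answer above by looking up userPrincipalName, and it refuses logins that match more than one entry, the uniqueness problem that answer's EDIT mentions.

```python
"""Search-then-bind resolution of a login name to one bind DN (added example,
not IBM MobileFirst or OpenLDAP code). It replaces a hard-coded
ldapSecurityPrincipalPattern with a lookup, so users under both
cn=users,dc=kadrlar,dc=uz and cn=users,dc=core,dc=kadrlar,dc=uz authenticate,
and accepts the user@realm form by looking up userPrincipalName."""
import hmac

SEARCH_BASES = ("cn=users,dc=kadrlar,dc=uz", "cn=users,dc=core,dc=kadrlar,dc=uz")

# Constructed sample directory (hypothetical users; a real implementation
# issues an LDAP search for these attributes instead of scanning a dict).
DIRECTORY = {
    "uid=alisher,cn=users,dc=kadrlar,dc=uz": {
        "uid": ["alisher"], "userPrincipalName": ["alisher@kadrlar.uz"]},
    "uid=dilnoza,cn=users,dc=core,dc=kadrlar,dc=uz": {
        "uid": ["dilnoza"], "userPrincipalName": ["dilnoza@core.kadrlar.uz"]},
    # The same uid in both trees: without a uniqueness rule on the server
    # (the unique overlay) the client must refuse rather than bind as
    # "whichever entry the search returned first".
    "uid=shared,cn=users,dc=kadrlar,dc=uz": {"uid": ["shared"]},
    "uid=shared,cn=users,dc=core,dc=kadrlar,dc=uz": {"uid": ["shared"]},
}
# Constructed credentials standing in for the server's bind check.
PASSWORDS = {
    "uid=alisher,cn=users,dc=kadrlar,dc=uz": "alisher-pw",
    "uid=dilnoza,cn=users,dc=core,dc=kadrlar,dc=uz": "dilnoza-pw",
}


class UnknownLogin(Exception):
    pass


class AmbiguousLogin(Exception):
    pass


def _has_value(entry, attr, value):
    return any(v.lower() == value.lower()
               for k, vs in entry.items() if k.lower() == attr.lower() for v in vs)


def _under_base(dn, base):
    return dn.lower().endswith("," + base.lower())


def resolve_bind_dn(login, directory=DIRECTORY, bases=SEARCH_BASES):
    """Map a login name to exactly one DN; refuse unknown or ambiguous names."""
    login = login.strip()
    if "@" in login:                       # userPrincipalName form
        hits = [dn for dn, e in directory.items()
                if _has_value(e, "userPrincipalName", login)]
    else:                                  # bare uid, searched under every base
        hits = [dn for dn, e in directory.items()
                if any(_under_base(dn, b) for b in bases) and _has_value(e, "uid", login)]
    if not hits:
        raise UnknownLogin(login)
    if len(hits) > 1:
        raise AmbiguousLogin("%s matches %d entries" % (login, len(hits)))
    return hits[0]


def simple_bind(dn, password, passwords=PASSWORDS):
    """Stand-in for an LDAP simple bind. An empty password is rejected here
    because RFC 4513 lets a server treat "DN + empty password" as an
    unauthenticated bind that succeeds without checking anything."""
    if not password:
        return False
    expected = passwords.get(dn)
    return expected is not None and hmac.compare_digest(expected.encode(), password.encode())


def authenticate(login, password):
    """Return the bound DN on success, None on any failure."""
    try:
        dn = resolve_bind_dn(login)
    except (UnknownLogin, AmbiguousLogin):
        return None
    return dn if simple_bind(dn, password) else None
```

In a real deployment the two list comprehensions become one LDAP search per configured base (for example with ldap3), performed with a dedicated service account, and simple_bind becomes an actual bind with the returned DN. The empty-password check stays: RFC 4513 permits a server to treat a DN with an empty password as an unauthenticated bind that succeeds.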

Liferay Import LDAP users multiple base dn

I have to import users from two different base DNs. My users lie in the following structures:
ou=users,ou=dev,dc=abc,dc=net
ou=users,ou=qa, dc=abc,dc=net
The rest of the properties, like base.provider.url and the security credentials, are the same for both. What is the correct way to import and authenticate users from both of the above DNs in Liferay?
Right now I have provided properties like this in portal-ext.properties:
ldap.base.provider.url.0=ldap://localhost:10389
ldap.base.dn.0=ou=users,ou=dev,dc=abc,dc=net
ldap.security.principal.0=username
ldap.security.credentials.0=password
ldap.base.provider.url.1=ldap://localhost:10389
ldap.base.dn.1=ou=users,ou=qa,dc=abc,dc=net
ldap.security.principal.1=username
ldap.security.credentials.1=password
Is this the correct way of importing and authenticating in my scenario? It seems to work intermittently; that is, sometimes the user is authenticated against LDAP and sometimes not. I have not changed any settings from the Control Panel.
Please have a look at the following link; it may help you.
Instead of using the portal-ext.properties file, use the Admin Control Panel to configure LDAP.
http://www.liferaysavvy.com/2013/10/liferay-ldap-integration_8.html

Intranet Active Directory Auth with VB.NET

I'm developing an intranet web app and I'm learning how to hook VB into Active Directory. We're going to be doing some location-specific permissions, and my boss wants me (if possible) to hook into Active Directory to get the user's location.
I think that all I need to do is get the user name, but I'm not sure what the best way to do that is. We're a Microsoft-only shop, so IE and IIS are the order of the day. To access the intranet you have to log on to the computer using our domain, so that's one level of security, but then I need to authenticate and make sure that the user has permission to make the changes. I'm thinking we'll either have a modifier (if there's not one already) in the AD info, or keep a permissions table in a database, but the former is probably preferred.
I know that IIS has a feature that allows/requires authentication, but I'm not exactly sure how that's supposed to work.
So what's the best/easiest/somewhat (most?) secure way to get the user's credentials? I could always do a login page, but it would be much nicer if I could just get their AD credentials in the background.
Thanks!
You need to disable anonymous authentication for your IIS site and enable Windows authentication instead.
Now go to your web.config and change the following:
<authentication mode="Windows">
...
</authentication>
see http://msdn.microsoft.com/en-au/library/532aee0e(v=VS.80).aspx
&
if necessary
<identity impersonate="true" />
see http://msdn.microsoft.com/en-us/library/aa292118(VS.71).aspx
Now you should be able to get the current user with
HttpContext.Current.User.Identity.Name
To check if the user is in a specific group you can use
HttpContext.Current.User.IsInRole("YourActiveDirectoryGroup")
IIS can be configured to use Integrated Authentication, which will give you access to the sAMAccountName (pre-Windows 2000 logon name) of the user. With that you can do an LDAP query against AD and check group membership. If the user is a member of the CanModifyStuffGroup (that you have created within AD and added users to), let them make changes; otherwise give them the read-only version, or whatever.