Configure Tomcat 8 with LDAP realm - authentication

I have a problem with the configuration of an LDAP server on Tomcat 8.
I have an LDAP server configured and working on a WAS 8.5 server and I would like to configure the same LDAP on Tomcat.
The WAS configuration is (translating from Italian):
User filter: (&(cn=%v)(objectclass=inetOrgPerson))
Group filter: (&(cn=%v)(|(objectclass=groupOfNames)(objectclass=groupOfUniqueNames)))
User ID map: *:cn
Group ID map: *:cn
Map ID member of group: ibm-allGroups:member;ibm-allGroups:uniqueMember;groupOfNames:member;groupOfUniqueNames:uniqueMember
The Realm tag in server.xml on Tomcat is:
<Realm className="org.apache.catalina.realm.JNDIRealm" debug="10"
connectionURL="ldap://192.168.0.3:389"
userBase="o=organization,c=it"
userSearch="(cn={0})"
userSubtree="true"
connectionName="cn=test,cn=Directory Administrators,o=organization,c=it"
connectionPassword="testpass"
/>
How can I fill the Realm tag with the role attributes?
And in the web.xml, what role do I have to specify? I just want to grant access to all authenticated users.

I think you are already well on your way to authenticate users with the above settings.
Roles
For roles/groups, you can translate the WAS settings as follows:
<...your config...
roleBase="o=organization,c=it"
roleSubtree="true"
roleSearch="(&amp;(uniqueMember={0})(|(objectclass=groupOfNames)(objectclass=groupOfUniqueNames)))"
roleName="cn"/>
The roles that a user is assigned in Tomcat will then be a list of group names from the directory. As this may vary, you will need to set up a number of groups beforehand which are listed in your web.xml. Assigning those groups to users will then give them the appropriate access.
Authenticated Users
If you just want to allow any authenticated user, you can set the attribute allRolesMode to authOnly like this:
<...your config...
allRolesMode="authOnly"/>
Your web.xml should then use * for the role specification like this:
<auth-constraint>
<role-name>*</role-name>
</auth-constraint>
Maybe you should also set the security-role element as indicated here: Tomcat security constraint for valid user
Personally I have no setup which uses authOnly but I know it can be done and have seen it in action.
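The interaction between the * role constraint and allRolesMode can be checked offline. The following Python example is added here and is not part of the original answer; it models the documented behaviour of Tomcat's allRolesMode values (strict, authOnly, strictAuthOnly) against a constructed server.xml and web.xml, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample files, modelled on the configuration discussed above.
SERVER_XML = """<Server><Service><Engine>
  <Realm className="org.apache.catalina.realm.JNDIRealm"
         connectionURL="ldap://192.168.0.3:389"
         userBase="o=organization,c=it" userSearch="(cn={0})" userSubtree="true"
         roleBase="o=organization,c=it" roleSubtree="true" roleName="cn"
         roleSearch="(&amp;(uniqueMember={0})(objectclass=groupOfUniqueNames))"
         allRolesMode="authOnly"/>
</Engine></Service></Server>"""

WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection><url-pattern>/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>*</role-name></auth-constraint>
  </security-constraint>
</web-app>"""


def star_allows(mode, declared_roles, user_roles):
    """Would an authenticated user pass <role-name>*</role-name> in this mode?"""
    has_declared_role = bool(set(declared_roles) & set(user_roles))
    if mode == "authOnly":
        return True  # being authenticated is enough, roles are not checked
    if mode == "strictAuthOnly":
        return has_declared_role if declared_roles else True
    return has_declared_role  # "strict" (default): needs a role declared in web.xml


def check(server_xml, web_xml, user_roles):
    """Return (allRolesMode, allowed) for the '*' constraint; None if '*' is unused."""
    realm = ET.fromstring(server_xml).find(".//Realm")
    web = ET.fromstring(web_xml)
    mode = realm.get("allRolesMode", "strict")
    declared = [r.text for r in web.findall("./security-role/role-name")]
    constrained = [r.text for r in web.findall(".//auth-constraint/role-name")]
    if "*" not in constrained:
        return mode, None
    return mode, star_allows(mode, declared, user_roles)


if __name__ == "__main__":
    ldap_groups = ["Staff"]  # constructed: group cn values returned by roleSearch
    print(check(SERVER_XML, WEB_XML, ldap_groups))
    strict_realm = SERVER_XML.replace('allRolesMode="authOnly"', "")
    print(check(strict_realm, WEB_XML, ldap_groups))
```

With the default strict mode and no security-role declared in web.xml, the same user is denied, which is why the answer pairs the * constraint with allRolesMode="authOnly".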

Related

How to specify multiple roles to authenticate the JNDIRealm in Tomcat 9

In Tomcat 9 I have LDAP authentication running via the JNDIRealm. So my server.xml contains:
<Realm className="org.apache.catalina.realm.JNDIRealm"
connectionURL="ldap://mysub.mydomain.com:1234"
userSubtree="true"
userBase="OU=Name A,OU=Name B,DC=doma,DC=domb,DC=com"
userSearch="(xyzAccountName={0})"
userRoleName="memberof"
roleBase="OU=Groups,DC=doma,DC=domb,DC=com"
roleName="CN"
roleSearch="(memberOf={0})"
roleSubtree="true"
roleNested="true"/>
When I use this in a JSP page displaying request.getUserPrincipal().getName() I see:
GenericPrincipal[USERNAME(CN=Special Users,OU=Name C,OU=Groups,DC=doma,DC=domb,DC=com,CN=Other Users,OU=Name D,DC=doma,DC=domb,DC=com,CN=All Users,OU=Name D,DC=doma,DC=domb,DC=com,)]
So the user USERNAME is authenticated via the roles Special Users, Other Users and All Users.
I now want that only users with the roles Special Users and Other Users are allowed to see this JSP page. Users who have only the All Users role should be rejected (getting a 401 or 403 error) from Tomcat.
How do I do this? I tried setting
userRoleName="Special Users,Other Users"
in the JNDIRealm, but that doesn't work at all.

How to map LDAP Usergroups to Wildfly roles

We have a Java EE application running on WildFly 18. Authentication is done by a Kerberos security-domain (com.sun.security.auth.module.Krb5LoginModule). This works just fine.
Now we need to know whether the authenticated user belongs to a certain usergroup in LDAP.
Any idea how to do that? I assume we need to configure an LDAP connection and then somehow map LDAP usergroups to WildFly roles, but I have clue where to start.
For any help or direction, thank you very much.
I had a similar problem to yours.
In my case I first needed to migrate from legacy security to Elytron. In Elytron, loading users and groups is the first step, and then you have the opportunity to map roles to whatever you want using role-mappers.
<security-domain name="ApplicationDomain" default-realm="ApplicationRealm" permission-mapper="default-permission-mapper">
<realm name="ApplicationRealm" role-decoder="groups-to-roles" role-mapper="KeepMappedRoleMapper"/>
<realm name="local"/>
</security-domain>
...
<mapped-role-mapper name="KeepMappedRoleMapper" keep-mapped="false" keep-non-mapped="false">
<role-mapping from="SOURCE_GROUP" to="TARGET_GROUP"/>
</mapped-role-mapper>

Keycloak - Issues syncing users with LDAP

I installed OpenLDAP on a server and after that added the user to the LDAP directory; the screen below shows the added user through Apache Active Directory.
Now in Keycloak I added user federation as OpenLDAP and it connects to LDAP without any issue, but when I try to sync the users I get the message
Success! Sync of users finished successfully. 0 imported users, 0
updated users
So no users are imported from LDAP into Keycloak; below is the related LDAP connection information in Keycloak.
Thanks to @EricLavault and one of my company colleagues, Keycloak was at last able to import the user successfully. Below are the changes I made to fix the issue.
Change the User Object Classes=*
Created a new entry ou=People then created user under it
In Keycloak used Users DN = ou=user,ou=people,dc=suredev20
After this it started throwing the exception below:
ERROR [org.keycloak.storage.ldap.LDAPStorageProviderFactory] (default
task-1931) Failed during import user from LDAP:
org.keycloak.models.ModelException: User returned from LDAP has null
username! Check configuration of your LDAP mappings. Mapped username
LDAP attribute: uid, user DN:
cn=subodh123,ou=user,ou=People,dc=suredev20, attributes from LDAP:
{sn=[joshi123], cn=[subodh123], createTimestamp=[20191118180647Z],
modifyTimestamp=[20191118180647Z]}
This was fixed by using Username LDAP attribute = cn, as the LDAP username attribute description in the OpenLDAP case is cn by default.
User entries are not stored correctly in your directory. In fact you shouldn't use cn=root as a container as it's supposed to represent the directory manager and should be used for binding and other operations but not for structuring your directory.
Instead, you should use the default user container (at least for OpenLDAP and Apache DS) that is ou=people,dc=suredev20, ie. you need to move cn=subodh
from cn=subodh,ou=user,cn=root,dc=suredev
to cn=subodh,ou=people,dc=suredev20
Also, in Keycloak you need to set the users DN accordingly: ou=people,dc=suredev20
(you can try with ou=user,cn=root,dc=suredev without moving subodh entry but not recommended).

ldap filter in omniauth ldap module not working in discourse

I am currently trying to configure Discourse to only allow users in a specific LDAP group to log in. Discourse has a plugin called discourse-ldap-auth ( https://github.com/jonmbake/discourse-ldap-auth ). This plugin uses the omniauth ldap module: https://github.com/omniauth/omniauth-ldap
My discourse plugin configuration (the configuration is actually used by the discourse plugin for the omniauth ldap module):
ldap enabled: true
ldap hostname: the hostname of my ldap server
ldap port: 389
ldap method: plain
ldap base: the base of my ldap server
ldap uid: userPrincipalName
ldap bind dn: Nothing
ldap password: Nothing
ldap filter: (&(userPrincipalName=%{username})(memberOf=cn=[the name of the required group],ou=....,[base]))
When using this configuration, nobody can log in to the forum. When I use the bind dn and password, everybody can log in.
I also tried this filter without success (copied from my ldap servers filter):
(&(&(&(userPrincipalName=%{username})(memberOf=[dn of the group]))))
What do I have to configure, to only allow users in that specific group to log in?
I didn't find any errors or indicators in the log. Please help!
Thanks for your help and attention!
You do need the "ldap dn" and "ldap password". Those are the credentials used to authenticate to LDAP so you can lookup people's accounts. Usually, that is a service account only used by your application.
The filter should probably look something like this:
(&(sAMAccountName=%{username})(memberOf:1.2.840.113556.1.4.1941:=[dn of the group]))
Users will usually log in with the sAMAccountName, which is usually called just the "username". Whenever you see an account in the DOMAIN\username format, that username is the sAMAccountName.
The userPrincipalName is usually in the format of username@domain.com. It is sometimes the same as the email address, but it doesn't have to be.
The crazy number I put in that query tells Active Directory to search recursively through groups. So that would allow you to put groups into your authentication group, and members of that new group would be given access to your application too. Without that, only direct members of that group will have access.
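The difference between the plain memberOf test and the recursive form can be seen on a small directory. The following Python example is added here and is not part of the original answer; the group and user DNs are constructed, the function names are hypothetical, and is_member is a local model of what each filter form matches, not a call to a real LDAP server.

```python
# OID of the Active Directory matching rule used in the filter above.
IN_CHAIN = "1.2.840.113556.1.4.1941"

# Constructed directory: group DN -> DNs listed directly in its member attribute.
MEMBERS = {
    "cn=forum,ou=groups,dc=example,dc=com": [
        "cn=alice,ou=people,dc=example,dc=com",
        "cn=staff (all),ou=groups,dc=example,dc=com",
    ],
    "cn=staff (all),ou=groups,dc=example,dc=com": [
        "cn=bob,ou=people,dc=example,dc=com",
        "cn=forum,ou=groups,dc=example,dc=com",  # nesting loop, must not hang
    ],
}


def escape_filter_value(value):
    """Escape the characters RFC 4515 reserves inside a filter assertion value."""
    out = []
    for ch in value:
        out.append("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch)
    return "".join(out)


def group_filter(group_dn, recursive):
    """Build the login filter; %{username} is left for omniauth-ldap to fill in."""
    rule = ":%s:" % IN_CHAIN if recursive else ""
    return "(&(sAMAccountName=%%{username})(memberOf%s=%s))" % (
        rule, escape_filter_value(group_dn))


def is_member(user_dn, group_dn, recursive, members=MEMBERS):
    """Model of what each filter form matches: direct members, or the whole chain."""
    seen, todo = set(), [group_dn]
    while todo:
        group = todo.pop()
        if group in seen:
            continue  # already expanded, guards against group loops
        seen.add(group)
        direct = members.get(group, [])
        if user_dn in direct:
            return True
        if recursive:
            todo.extend(dn for dn in direct if dn in members)
    return False
```

Escaping the group DN matters when it contains parentheses or an asterisk, since an unescaped value changes the structure of the filter.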

What are the advantages of using authentication alias in data sources?

When I add a data source that contain the user and password properties in the server.xml in WebSphere Liberty
Example:
<dataSource jdbcDriverRef="db2-driver" type="javax.sql.DataSource">
<properties.db2.jcc user="MyUser" password="MyPassword"
databaseName="dbName" serverName="localhost" portNumber="50000"/>
</dataSource>
I get the following warning in the logs:
J2CA8050I: An authentication alias should be used instead of defining a user name
and password on dataSource[default-0].
Looking at how to do this in Configuring authentication aliases for the Liberty profile I see them put the user and password in another element called authData like this:
<authData id="auth1" user="MyUser" password="MyPassword"/>
I don't get what advantage moving the user name and password from the dataSource element to the authData element is giving me. In both cases the password is showing in plain text in the server.xml file.
WebSphere Liberty uses an adapter to manage its database connections. By specifying an authentication alias the password used by the adapter will be encrypted. If you do not use an auth alias, the userID and password will get stored without encryption on adapter properties.
Additionally, aliases provide another layer of abstraction since the aliases themselves are a resource. The benefit here is that the alias can be configured independently if the database user/password needs to be changed and there are many datasources configured, they can all point to the same auth data.
Use the securityUtility encode command in the wlp/bin directory to encode the password in your server.xml.
If you add authentication data via WebSphere Developer Tools (WDT), you will be prompted, while setting the password, to encode (xor) / encrypt (aes) it. It will then be saved in server.xml, for example like this:
<authData user="user" password="{xor}Lz4sLCgwLTs="></authData>
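A configuration review can flag the cases discussed in this thread. The following Python example is added here and is not part of the original answers; it audits a constructed Liberty server.xml for passwords set inline on a dataSource (the J2CA8050I case) and for passwords that are plaintext or only {xor}-encoded. The function names and the {aes} placeholder value are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed Liberty server.xml combining the snippets quoted above; the
# {aes} value is a placeholder, not real securityUtility output.
SERVER_XML = """<server>
  <authData id="auth1" user="MyUser" password="{xor}Lz4sLCgwLTs="/>
  <authData id="auth2" user="MyUser" password="{aes}PLACEHOLDER"/>
  <authData id="auth3" user="MyUser" password="MyPassword"/>
  <dataSource id="ds1" jdbcDriverRef="db2-driver" type="javax.sql.DataSource">
    <properties.db2.jcc user="MyUser" password="MyPassword"
        databaseName="dbName" serverName="localhost" portNumber="50000"/>
  </dataSource>
  <dataSource id="ds2" jdbcDriverRef="db2-driver" containerAuthDataRef="auth2">
    <properties.db2.jcc databaseName="dbName" serverName="localhost"
        portNumber="50000"/>
  </dataSource>
</server>"""


def password_kind(value):
    """Classify a password attribute by its Liberty prefix."""
    if value.startswith("{aes}"):
        return "aes"
    if value.startswith("{xor}"):
        return "xor"  # reversible encoding: only hides the value from a glance
    return "plaintext"


def audit(server_xml):
    """Return sorted (location, finding) pairs for passwords needing attention."""
    findings = []
    for parent in ET.fromstring(server_xml).iter():
        for elem in parent:
            pw = elem.get("password")
            if pw is None:
                continue
            inline = parent.tag == "dataSource"
            owner = parent if inline else elem
            where = "%s[%s]" % (owner.tag, owner.get("id"))
            if inline:
                findings.append((where, "inline credentials, use an authData alias"))
            kind = password_kind(pw)
            if kind != "aes":
                findings.append((where, "password is " + kind))
    return sorted(findings)


if __name__ == "__main__":
    for where, finding in audit(SERVER_XML):
        print(where, "-", finding)
```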