Is it possible to load roles for ManagementRealm from an LDAP security domain?
psesi Jan 21, 2015 2:36 PM
Hello,
I am trying to set up Wildfly 8.2 to use LDAP for authentication and authorization for the management console. I am able to get authorization working using an LDAP Security domain (see below). However, I can’t quite figure out how to set up the associated authorization to allow the user roles read by that security domain to be “realized” by the authorization portion of the ManagementRealm. I can get things partially working by using a combination of LDAP for authentication and the “<properties>” setup for authorization – where I have to add an entry for the user(s) and explicitly define the group (role) that I want to map to the Management Application roles. This is a workaround, but ideally, I want to use the roles as defined in our LDAP domain (e.g., "Web Admin" in the example below) and directly map them in the "<access-control>" section of the config.
Note that I use “<jaas>” option in <authentication> to reference the security domain I have defined. One advantage to this (over setting up as “<ldap>”) is that the user provided credentials will be used to bind to ldap – I don’t have to set up a separate “user” and expose those credentials in standalone.xml (<connection>). Unfortunately, <jaas> is not allowed under the <authorization> element as far as I can tell.
So, ideally, I’d like to have the users' groups (roles) read/mapped by the security domain on authentication – and not have to set up a separate “ldap/connection” (which is what I've seen in other discussions, etc.) or use a "hard-coded" properties file for that. Is there any way to do that for the ManagementRealm?
Here are the relevant parts of my standalone.xml showing my current “workaround” setup:
….
<management>
  <security-realms>
    <security-realm name="ManagementRealm">
      <authentication>
        <local default-user="$local" skip-group-loading="true"/>
        <jaas name="ldap-authn"/>
      </authentication>
      <authorization map-groups-to-roles="false">
        <properties path="mgmt-groups.properties" relative-to="jboss.server.config.dir"/>
      </authorization>
    </security-realm>
    ….
  </security-realms>
  ….
  <access-control provider="rbac">
    <role-mapping>
      <role name="SuperUser">
        <include>
          <user name="$local"/>
          <group name="Web Admin" realm="ManagementRealm"/>
        </include>
      </role>
    </role-mapping>
  </access-control>
</management>
….
<subsystem xmlns="urn:jboss:domain:security:1.2">
  <security-domains>
    ….
    <security-domain cache-type="default" name="ldap-authn">
      <authentication>
        <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">
          <module-option name="password-stacking" value="useFirstPass"/>
          <module-option name="java.naming.provider.url" value="ldaps://ldapsrvr.mydom.com:636"/>
          <module-option name="java.naming.security.protocol" value="ssl"/>
          <module-option name="matchOnUserDN" value="false"/>
          <module-option name="principalDNPrefix" value=""/>
          <module-option name="principalDNSuffix" value="@mydom.com"/>
          <module-option name="uidAttributeID" value="sAMAccountName"/>
          <module-option name="rolesCtxDN" value="OU=USERS,DC=mydom,DC=com"/>
          <module-option name="roleAttributeIsDN" value="true"/>
          <module-option name="roleAttributeID" value="memberOf"/>
          <module-option name="roleNameAttributeID" value="name"/>
          <module-option name="java.naming.security.authentication" value="simple"/>
          <module-option name="allowEmptyPasswords" value="false"/>
        </login-module>
      </authentication>
    </security-domain>
  </security-domains>
</subsystem>
…
Thanks in advance -
Paul
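An added consistency check for the properties-file workaround described in the post (example code written here, not from the post or from WildFly): it reads the hand-maintained mgmt-groups.properties group assignments together with the rbac <role-mapping> from standalone.xml and reports each user's effective management roles, plus any group a <role-mapping> refers to that no listed user actually holds (a mapping that can never take effect under this setup). The XML fragment, its namespace string and the properties content are constructed samples.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict
# Constructed <access-control> fragment shaped like the post's standalone.xml (real file: namespaced <server> root).
STANDALONE_XML = """<management xmlns="urn:jboss:domain:2.2">
  <access-control provider="rbac">
    <role-mapping>
      <role name="SuperUser"><include>
        <user name="$local"/><group name="Web Admin" realm="ManagementRealm"/>
      </include></role>
      <role name="Monitor"><include><group name="Web Ops" realm="ManagementRealm"/></include></role>
      <role name="Auditor"><include><group name="Web Audit" realm="ManagementRealm"/></include></role>
    </role-mapping>
  </access-control>
</management>"""

# Constructed mgmt-groups.properties: one "user=group1,group2" line per user.
MGMT_GROUPS_PROPERTIES = """#$REALM_NAME=ManagementRealm$
paul=Web Admin
alice=Web Ops,Web Admin
bob=
"""
def parse_groups(text):
    """Map each user in mgmt-groups.properties to its set of group names."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, _, groups = line.partition("=")
        users[user.strip()] = {g.strip() for g in groups.split(",") if g.strip()}
    return users

def effective_roles(xml_text, props_text):
    """Return ({user: roles}, groups in <role-mapping> that no listed user holds)."""
    root = ET.fromstring(xml_text)
    for el in root.iter():  # strip the urn:jboss namespace prefix from every tag
        el.tag = el.tag.split("}")[-1]
    group_roles, user_roles = defaultdict(set), defaultdict(set)
    for role in root.iter("role"):  # <role> elements under <role-mapping>
        for grp in role.iter("group"):
            group_roles[grp.get("name")].add(role.get("name"))
        for usr in role.iter("user"):
            user_roles[usr.get("name")].add(role.get("name"))
    users = parse_groups(props_text)
    roles = {u: set(user_roles.get(u, set())) for u in users}
    for user, groups in users.items():
        for g in groups:
            roles[user] |= group_roles.get(g, set())
    return roles, set(group_roles) - set().union(*users.values())
```

Run it against the real files by reading them into the two arguments; a user that comes back with an empty role set authenticates via the JAAS domain but is mapped to nothing by the properties file.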