Teiid login module role issue on LDAP
sanjay_chaturvedi Aug 3, 2017 6:28 AM
Hi,
While using LdapLoginModule with Data Virtualisation, there is a case where the LDAP login works but the group/role name assignment does not. Something in the configuration is confusing us.
Say a user Kerry, John(US) shows these properties in the LDAP AD browser (his role/group is identified by the CN "MGB EI GBM"):
memberOf | CN=MGB EI GBM,OU=Security,OU=Shared,OU=Services,DC=LOCAL
distinguishedName | CN=Kerry, John(US),OU=Users,OU=IT,OU=Corp,OU=usga9999,OU=Users,DC=LOCAL
sAMAccountName | kjenny
mailNickName | kjenny
Inside our VDB we create a role name=TESTROLE and Mapped Enterprise group/role=TESTROLE.
Inside the role-mapping.properties file, we put:
MGB\ EI\ GBM=TESTROLE ("\" as escape character)
standalone.xml:
<security-domain name="teiid-security" cache-type="default">
    <authentication>
        <!-- LDAP authentication first; module options elided in the post -->
        <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">
            <module-option ...values>
        </login-module>
        <!-- role mapping must be inside <authentication>, after the LDAP module, so it sees the LDAP-derived roles -->
        <login-module code="org.jboss.security.auth.spi.RoleMappingLoginModule" flag="required">
            <module-option name="rolesProperties" value="${jboss.server.config.dir}/role-mappings.properties" />
            <module-option name="replaceRole" value="true" />
        </login-module>
    </authentication>
</security-domain>
The basic question is: given the properties of the user in the LDAP browser, what should we put against
rolesCtxDN ==== this is important
uidAttributeID
roleFilter
roleAttributeID
roleNameAttributeID
roleAttributeIsDN
baseCtxDN
baseFilter
bindDN
We are good with ("java.naming.factory.initial"=>"com.sun.jndi.ldap.LdapCtxFactory"), \
("java.naming.provider.url"=>"ldap://ldaphost.jboss.org"), \
("java.naming.security.authentication"=>"simple"), \
("bindDN"=>"cn=Root,dc=jboss,dc=org"), \
("bindCredential"=>"secret1"), \
Note that inside the LDAP browser we don't have any entry like uid=kjenny,ou=people,ou=....
So we are not using ("principalDNPrefix"=>"uid="), \
("principalDNSuffix"=>",ou=People,dc=jboss,dc=org"), \
If we set rolesCtxDN=OU=Users,OU=IT,OU=Corp,OU=usga9999,OU=Users,DC=LOCAL (the DN of the user except the CN),
we get the TRACE logs:
Logged in to LDAP server ...
Searching rolesCtxDN ..
----Few more----
Checking search result CN=Kerry, John(US) (the login user name was jkenny, but here it picked up the complete name, so the search looks correct)
But no line in the logs shows what role is assigned to this user,
and there is no error, so we are not sure whether the role "MGB EI GBM" is assigned to this user or not. The connection is good, but when we try select hasRole('TESTROLE') it returns false, and object access also gives a permission error.
We are connecting to this VDB with user kjenny successfully, but when we try to access any object it shows a "user read entitlement permission denied" error.
Could someone please help us with the minimal configuration required to achieve role-based security?
We are following the http://www.opencirclesolutions.nl/en/jboss-data-virtualisatie-mappen-ldap-rollen-naar-vdb-rollen/ link. It's urgent, please help.
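As an added example (not from the post, Teiid or the JBoss login modules themselves), the following Python script simulates the two-stage role resolution the post is trying to configure, using the memberOf DN and the role-mappings line from the post as constructed input. It assumes the LDAP module derives the group name from the memberOf DN (roleAttributeIsDN=true, roleNameAttributeID=cn) and that RoleMappingLoginModule with replaceRole=true substitutes the mapped name; running it shows what the final principal roles should look like if the mapping file is parsed the way java.util.Properties parses it.

```python
import re

# Constructed sample input taken from the post (not a live directory).
MEMBER_OF = ["CN=MGB EI GBM,OU=Security,OU=Shared,OU=Services,DC=LOCAL"]
ROLE_MAPPINGS_PROPERTIES = r"""
# role-mappings.properties as written in the post
MGB\ EI\ GBM=TESTROLE
"""

def first_rdn_value(dn, attr="cn"):
    """Return the value of the first RDN of `dn` whose type is `attr`,
    honouring backslash-escaped commas (e.g. 'CN=Kerry\\, John(US)')."""
    for rdn in re.split(r"(?<!\\),", dn):
        typ, _, value = rdn.partition("=")
        if typ.strip().lower() == attr.lower():
            return value.replace("\\,", ",").strip()
    return None

def parse_property_line(line):
    """java.util.Properties rules: a key ends at the first unescaped '=', ':'
    or whitespace; a backslash makes the next character literal ('\\ ' is a space)."""
    key, i = "", 0
    while i < len(line):
        c = line[i]
        if c == "\\" and i + 1 < len(line):
            key += line[i + 1]
            i += 2
            continue
        if c in "=: \t":
            break
        key += c
        i += 1
    rest = line[i:].lstrip(" \t")
    if rest[:1] in ("=", ":"):
        rest = rest[1:]
    return key, rest.strip()

def load_java_properties(text):
    """Minimal reader for the role-mappings file (comments and blank lines skipped)."""
    return dict(parse_property_line(l.strip()) for l in text.splitlines()
                if l.strip() and l.strip()[0] not in "#!")

def resolve_roles(member_of_dns, properties_text, role_attribute_is_dn=True,
                  role_name_attribute_id="cn", replace_role=True):
    """Stage 1: turn each group DN into a role name (its CN when roleAttributeIsDN=true).
    Stage 2: apply the mapping file; replaceRole=true drops the original LDAP name."""
    ldap_roles = {first_rdn_value(dn, role_name_attribute_id) if role_attribute_is_dn else dn
                  for dn in member_of_dns} - {None}
    mapping, final = load_java_properties(properties_text), set()
    for role in ldap_roles:
        mapped = mapping.get(role)
        if mapped is None:
            final.add(role)             # unmapped groups pass through unchanged
            continue
        final.update(r.strip() for r in mapped.split(","))
        if not replace_role:
            final.add(role)             # replaceRole=false keeps both names
    return ldap_roles, final
```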