8 Replies Latest reply on Aug 23, 2017 11:52 AM by rareddy

    Teiid login modue role issue on LDAP

    sanjay_chaturvedi

      Hi,

       

      While using LdapLoginModule with DataVirtualisation, there is a case where LDAP login worked but the group/role name assignment does not. Something in the configuration is confusing us.

       

      Say a user Kerry, John(US) is showing properties in LDAP AD browser : (His role/group is identified by CN is "MGB EI GBM")

       

      memberOf           | CN=MGB EI GBM,OU=Security,OU=Shared,OU=Services,DC=LOCAL

      distinguishedName  | CN=Kerry, John(US),OU=Users,OU=IT,OU=Corp,OU=usga9999,OU=Users,DC=LOCAL

      sAMSccountName   | kjenny

      mailNickName   | kjenny

       

      Inside our VDB we create a role name=TESTROLE and Mapped Enterprise group/role=TESTROLE

      Inside role-mapping.properties file, we mentioned

      MGB\ EI\ GBM=TESTROLE ("\" as escape character)

       

      Standalone.xml ;

       

      <security-domain name="teiid-security" cache-type="default">

      <authentication>

      <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">

        <module-option ...values>

      </login-module>

      </authentication>

      <login-module code="org.jboss.security.auth.spi.RoleMappingLoginModule" flag="required">

                       <module-option name="rolesProperties" value="${jboss.server.config.dir}/role-mappings.properties" />

                       <module-option name="replaceRole" value="true" />

      </login-module>

      </security-domain>

       

      Basic question is : Given properties of user in LDAP browser, what should we put against

      rolesCtxDN   ==== this is important

      uidAttributeID

      roleFilter

      roleAttributeID

      roleNameAttributeID

      roleAttributeIsDN

      baseCtxDN

      baseFilter

      bindDN

       

       

      We are good with  ("java.naming.factory.initial"=>"com.sun.jndi.ldap.LdapCtxFactory"), \

          ("java.naming.provider.url"=>"ldap://ldaphost.jboss.org"), \

          ("java.naming.security.authentication"=>"simple"), \

          ("bindDN"=>"cn=Root,dc=jboss,dc=org"), \

          ("bindCredential"=>"secret1"), \

       

       

      Note that ; Inside Ldap browser, we dont have any entry like uid=kjenny,ou=people,ou=....

      So not using    ("principalDNPrefix"=>"uid="), \

          ("principalDNSuffix"=>",ou=People,dc=jboss,dc=org"), \

       

      If we place rolesCtxDN=OU=Users,OU=IT,OU=Corp,OU=usga9999,OU=Users,DC=LOCAL - (DN of the user except CN)

      We get the TRACE logs;

      Logged in to LDAP server ...

      Searching rolesCtxDN ..

      ----Few more----

      Checking search result CN=Kerry, John(US) (login user name was jkenny but here it picked complete name so search looks correct)

       

      But no line in logs is showing what role is assigned to this user.

       

      and there is no error, we are not sure if role "MGB EI GBM" is assigned to this user or not. Connection is good, but when we try select hasRole('TESTROLE') it gives false and object access also gives permission error.

       

      We are connecting to this VDB with user kjenny successfully. But when try to access any object it shows user read entitlement permission denied error.

       

      Could someone please help us with the minimal configuration required to achieve role based secuirty

      We are following http://www.opencirclesolutions.nl/en/jboss-data-virtualisatie-mappen-ldap-rollen-naar-vdb-rollen/ link. Its urgent please help.

        • 1. Re: Teiid login modue role issue on LDAP
          rareddy

          Did you see teiid-documents/LoginModules.adoc at master · teiid/teiid-documents · GitHub

           

          There are some role based properties. Also there are few community threads on the subject, so sure to search.

          • 2. Re: Teiid login modue role issue on LDAP
            sanjay_chaturvedi

            Hi Ramesh,

             

            Thanks for picking this but I have already gone through several articles, Only one(which I pasted in last comment) actually describes VDB part as well.

            I am stuck on this

             

            LdapBrowser : Search for kjenny

             

            memberOf           | CN=MGB EI GBM,OU=Security,OU=Shared,OU=Services,DC=LOCAL

            distinguishedName  | CN=Kerry, John(US),OU=Users,OU=IT,OU=Corp,OU=usga9999,OU=Users,DC=LOCAL

            sAMSccountName   | kjenny

            mailNickName   | kjenny

             

            If we go to group MGB EI GBM in LDAP browser, we got  :

             

            member           | CN=Kerry, John(US),OU=Users,OU=IT,OU=Corp,OU=usga9999,OU=Users,DC=LOCAL

            distinguishedName  | CN=MGB EI GBM,OU=Security,OU=Shared,OU=Services,DC=LOCAL

            sAMSccountName   | MGB EI GBM

            mailNickName   | MGB EI GBM

             

            VDB setup and role-mapping.properties I already described in last post. Now user successfully logged in with user- "kjenny" (not with full name). We are still facing entitlement issue.

             

            we know that rolCtxDN should be OU=Security,OU=Shared,OU=Services,DC=LOCAL, but here there is no property which matches kjenny, though it has a member named Kerry, John(US), but how to match this as in logs filterargs are kjenny only, which could only match in user's profile....

             

             

            uidAttributeId=memberOf

            rolesCtxDN=OU=Security,OU=Shared,OU=Services,DC=LOCAL            -- DN of Group

            roleAttributeID=member

            roleAttributeIsDN=false                              -- we tried true too

            roleNameAttributeId=CN

             

            There is absolutely no error in logs, Now I am not sure if the issue is wit config ? Which role is assigned to user ? Or there is any issue with VDB/properties file. Any sort of logging which can let us know that logged in user is assigned to which role ?(TRACE to org.jboss.security is not showing that). Thread Re: Role mapping using LDAP with Active Directory  it has logging like Assigning user to role CN=readwrite,CN=Users,DC=novaDomain,DC=loca which I could not see...

             

            Plllease assist.. thanks.

             

             

             

            • 3. Re: Teiid login modue role issue on LDAP
              rareddy

              Sanjay,

               

              Another Link Chapter 12. Login Modules

               

              especially look at parseRoleNameFromDN property, I think you need that.

              • 4. Re: Teiid login modue role issue on LDAP
                sanjay_chaturvedi

                Hi Ramesh,

                 

                Thankfully, I am able to search for roles name lying under DN as CN. Now we can easily trace that a logged in user has a group assigned as a role.

                Config mentioned below worked well. Only issue remains is with exact group assignment.

                 

                As mentioned in last post, User is member of group "CN=MGB EI GBM" so logs are listing this entry but instead of assigning user a role of MGB EI GBM. It digs further and assign role of the group whose member is MGB EI GBM.

                So User A is member of group B and B is member of group C. C does not have any memberOf attribute, It only has member attributes. LDAP authorization is assigning user a role of C not B.

                 

                Note: I have not used recurseRole module option,(I tried with value 2,1,0(default-disabled) but everytime logs are showing line:

                Assign user kjenny role "C"

                I have tried ONELEVEL_SCOPE as well. I am using AdvanceLdapLoginModule, please suggest why it is gooing one level deeper.

                 

                <login-module code="org.jboss.security.negotiation.AdvancedLdapLoginModule" flag="required">

                                            <module-option name="java.naming.provider.url" value="ldap://host:port"/>

                                            <module-option name="java.naming.security.principal" value=" CN..OU..DC"/>

                                            <module-option name="java.naming.security.credentials" value="pass"/>

                <module-option name="rolesCtxDN" value="OU=Security,OU=Shared,OU=Services,DC=LOCAL "/>

                                        

                                            <module-option name="baseCtxDN" value="dc=local"/>

                                            <module-option name="baseFilter" value="(sAMAccountName={0})"/>

                                            <module-option name="roleFilter" value="(member={1})"/>

                                            <module-option name="roleAttributeID" value="memberOf"/>

                                            <module-option name="roleAttributeIsDN" value="true"/>

                                            <module-option name="roleNameAttributeID" value="cn"/>

                                            <module-option name="searchScope" value="SUBTREE_SCOPE"/>

                                            <module-option name="allowEmptyPasswords" value="false"/>

                                            <module-option name="searchTimeLimit" value="10000"/>

                 

                </login-module>

                .

                • 5. Re: Teiid login modue role issue on LDAP
                  rareddy

                  The only other option I can suggest is run through the DEBUG of the code and see what it is doing.

                  • 6. Re: Teiid login modue role issue on LDAP
                    craigcarpenter

                    In our AD Forrest our Security Groups are only associated with OU when they are needed by the department for Role Based Access....from our AD staff.

                     

                    In our scenario we will be dealing almost exclusively with a configuration for role based access groups....therefore the OU='Security' will be present -- not OU='Groups'. The parent (universal group?) will have OU=Groups

                     

                     

                    • 7. Re: Teiid login modue role issue on LDAP
                      sanjay_chaturvedi

                      TRACE level logs helped a lot in debugging and finally this property change done the job :

                       

                      <module-option name="roleAttributeID" value="distinguishedName"/>

                       

                      Thanks a lot for suggestions.

                      • 8. Re: Teiid login modue role issue on LDAP
                        rareddy

                        Great! Can you post your final LDAP configuration for future users as it seems everyone uses LDAP little differently?