11 Replies Latest reply on Feb 4, 2011 5:25 AM by Marek Posolda

    Map LDAP groups to security roles in Gatein

    Marek Waja Newbie

      Hi, I have problems, some questions:

       

      We have existing LDAP structure and we want use it.

       

      I used Pickedlink example file to map LDAP groups to gatein portal groups.

      I mapped into /platform/* parent group in gatein.

       

      Question: How can I map only one group??

      Our LDAP:

      +Groups

                        -group1

                        -group2

                       -…        

       

       

      Question:  How are mapped memberships???

       

      We need to use function request.isUserInRole() in ourportlets and servlets. This requires for each portlet in where we use JEEsecurity roles add roles into portlet.xml (<security-role-ref>). In thiscase role equals groups in portal groups.

      It works, but no for servlets.

       

      Question: Does gatein map portal groups to securitygroup? Where is it defined?

       

      Question: Where can I map LDAP groups into securityroles?

       

      Question: Where can I define more roles (roles mappedto groups from LDAP) into one role?

       

      Thank you very much for help...

        • 1. Map LDAP groups to security roles in Gatein
          Marek Posolda Apprentice

          Hello,

           

          There is special component "RolesExtractor" for mapping portal groups into security groups. Default implementation of this component is class org.exoplatform.services.security.impl.DefaultRolesExtractorImpl

          and most important part is in method "extractRoles" in this piece of code:

           

                for (MembershipEntry membership : memberships)

                {

                   String[] splittedGroupName = StringUtils.split(membership.getGroup(), "/");

           

                   if (userRoleParentGroup != null && splittedGroupName[0].equals(userRoleParentGroup)

                      && splittedGroupName.length > 1)

                   {

                      roles.add(splittedGroupName[splittedGroupName.length - 1]);

                   }

                   else

                   {

                      roles.add(splittedGroupName[0]);

                   }

                }

           

          Variable "userRoleParentGroup" is read from configuration and default value is "platform" . So from all subgroups of "platform" the last one will be used as security group and the first will be used for rest.

           

          For example: your user is in portal groups "/platform/users" , "/platform/administrators" , "/platform/users/employees" , "/partners" . Then after process RolesExtractor algorithm , your user will be in j2ee security groups: "users", "administrators", "employees", "partners" .

           

          Actually role "users" is needed if you don't want to have "403 Forbidden" error when you are trying private URL (this is defined as standard web authentication in $JBOSS_HOME/server/default/deploy/gatein.ear/02portal.war/WEB-INF/web.xml .

           

          Hope this helps,

          Marek

          1 of 1 people found this helpful
          • 2. Map LDAP groups to security roles in Gatein
            Marek Waja Newbie

            thx very much I will try something.

            Díky

            • 3. Re: Map LDAP groups to security roles in Gatein
              Marek Waja Newbie

              OK,

              Now I have portal groups mapped from LDAP via picketlink in readOnly mode

               

              platform/user

              .....

              my groups from LDAP

               

              /group1/group2/group3

              /group1/group2/group4

               

              -group1

                   +group2

                        +group3

                        +group4

               

               

              I need login only users from LDAP

               

              I override extractRoles function so that users in group3 have security roles:   group2,group3, for users from group4 to sec. roles: group2,group4

               

              this is OK, this is what I want, but

               

              Now I need show UIToolbarContainer only for users in role group2 (include group3 anf group4 ) (default is for /platform/users), how can I do that?

               

              In sharedlayout.xml I put:

              <access-permissions>*:/group1/group2</access-permissions>

              but is not working

               

              when I put:

              <access-permissions>*:/group1/group2/group3</access-permissions>

               

              toolbar is showed but only for users in role group3

               

              but on toolbar is only site and group links and missing items (application registry, organization, ect, I need it). When I click on group link I get only: You dont have permission, in attached picture

               

              thx

              • 4. Re: Map LDAP groups to security roles in Gatein
                Marek Posolda Apprentice

                Interesting, I think that these access permissions should work in sharedlayout.xml . Maybe you can try to delete database and check again (If you are using HSQLDB, then you need only delete directory $JBOSS_HOME/server/default/data to delete database).

                 

                Another approach can be to tweak user roles according to your needs. For example, there is login module class CustomMembershipLoginModule, which can be added to login modules chain. This login module can be used to add all users into predefined group (for example into /platform/users) after successful login of user. More info is here https://issues.jboss.org/browse/GTNPORTAL-1347 .

                 

                So you can use this login module if you want to add all users. If you want to add only some users to /platform/users (For example only users from your group2 or subgroups) you can try to create your own login module implementation according to your needs and you can use CustomMembershipLoginModule for inspiration.

                 

                Hope this helps,

                Marek

                • 5. Re: Map LDAP groups to security roles in Gatein
                  Marek Waja Newbie

                  Thx for reply,

                  but I dont want to use platform group and other gatein portal's groups. I want use only mapped groups from LDAP

                  Marek

                  • 6. Re: Map LDAP groups to security roles in Gatein
                    Marek Waja Newbie

                    Top toolbar is showed only for users in role:role_portal-admin (set in sharedlayout.xml)

                     

                    But on toolbar missing links to:

                     

                    1, Administrator’s pages, Executive Board Pages, Users pages

                    2, Site editor – Add new page, Edit page, Edit Layout.

                     

                    How can I set it?

                    • 7. Re: Map LDAP groups to security roles in Gatein
                      Marek Posolda Apprentice

                      Ad 1 - Each group has it's navigation and so you can create navigation for your groups. Administrator's pages are visible only for members of group /platform/administrators and Executive board's pages for members of /organization/magement/executiveboard and user's pages for members of the grou /platform/users. It seems that your users are not in these groups and they are in custom groups like /group1/group2 etc. So you will need to create navigation for these groups and you can add pages according to your needs. You can do it easily through UI ( http://localhost:8080/portal/private/classic/groupnavigation ).

                       

                      You will probably need to tweak permissions of pages as well. For example appliationRegistry page or PageManagement page are visible only for /platform/administrators by default. This is also doable from UI, you can login as root user and change permissions of pages on PageManagement page.

                       

                      Ad 2 - Site editor - You can't see it due to the code in class org.exoplatform.toolbar.webui.component.UIAdminToolbarPortlet :

                       

                            if (hasEditPermissionOnNavigation() || hasEditPermissionOnPage() || hasEditPermissionOnPortal())

                            {

                               super.processRender(app, context);

                            }

                       

                      So if your user does not have permission to edit page or edit portal, the AdminToolbar link is not shown . So you will need again to change permission of pages and change permission of portal. This is initially doable by root user. When users from your group /group1/group2 will have permission to edit poarticular portal or page, the links will be shown on toolbar.

                       

                      Good luck,

                      Marek

                      1 of 1 people found this helpful
                      • 8. Re: Map LDAP groups to security roles in Gatein
                        Marek Waja Newbie

                        Hi,

                        thx

                         

                        Now, Site editor - Add new page, edit layout, edit page

                         

                        But not show links from section Group. Where Can I setup it?

                         

                        Thank you

                        • 9. Map LDAP groups to security roles in Gatein
                          Marek Posolda Apprentice

                          Hi Marek,

                           

                          Did you try to create Group navigations for your custom groups ( /group1/group2 etc. ) ? You can do it for example through UI by these steps:

                          - Login as root

                          - Go to http://localhost:8080/portal/private/classic/groupnavigation

                          - Click to "Add navigation" and select your group.

                          - Add navigation nodes to your navigation. These nodes can point to pages with administration portlets (like Application registry, Page management, Organization management, ... ) or you can create your own pages and add administration portlets to these pages.

                           

                          After logout and login of user from group /group1/group2 you should be able to see group navigation for your group.

                          • 10. Re: Map LDAP groups to security roles in Gatein
                            Marek Waja Newbie

                            Thx, but I can not use UI. I have to use configuration files.

                            • 11. Map LDAP groups to security roles in Gatein
                              Marek Posolda Apprentice

                              So you can add your groups into server/default/deploy/gatein.ear/02portal.war/WEB-INF/conf/portal/portal-cofniguration.xml (Parameter group.configuration ) and create pages.xml and navigations.xml for your groups inside directory structure in server/default/deploy/gatein.ear/02portal.war/WEB-INF/conf/portal/group .

                               

                              You can use existing group navigation configuration for inspiration and some documentation is here http://docs.jboss.com/gatein/portal/3.1.0-FINAL/reference-guide/en-US/html/chap-Reference_Guide-Development.html#sect-Reference_Guide-Portal_Navigation_Configuration-Group_Navigation .

                               

                              Don't forget to delete your DB and restart portal after doing some changes in configuration files if you want to see them.

                               

                              Hope this helps,

                              Marek