1 Reply Latest reply on May 3, 2011 10:13 AM by Simeon Pinder

    Problem with LDAP authorization

    Boubakar Saim Haddache Newbie

      After configuring rhq for Open LDAP server in 'LDAP Configuration Properties' section on screen 'Administration->System Configuration->Settings', authentication works fine, but not authorization.

       

      I tried the ldap settings test application, et i get the same problem. When i go into the java source code of the test application, i figure out that the the program looks for the user's "DN" in the "group member filter", that's not our case, we've a flat ldap schema. All users are in the same ldap node, et the user reference ldap attribute contains the value of the user login (uid).

       

      When i replace the "group member filter" value with the full DN value, it works.

       

      Is it possible to tell to RHQ server's to look for user's name and don't look for the full DN ? Is this a limitation of the RHQ ?

       

      We don't have the problem with Nexus server who has an extra parameter (group member format) :

       

      • Group Member Attribute : memberUid
      • Group Member Format : ${username}

       

      With the DN format, Nexus use a format like this :  "uid=${username},ou=users,dc=sonatype,dc=com"

       

      The problem that it's difficult for us to change our LDAP schema, and we don't want to manage roles management manualy.

       

       

      Our configuration is "GroupMemberFilter : memberUid".

       

      Best regards

        • 1. Problem with LDAP authorization
          Simeon Pinder Newbie

          The RHQ ldap integration assumes that customers will use the concept of LDAP groups as the standard way of organizing and subdividing the set of all LDAP users in the system.  If I understand your post correctly, your company has a use case where there is no need for grouping of ldap users and you have a 'flat' ldap schema.  Two questions:

           

          i)Can you elaborate a little further on your specific use case?  We may need to create an enhancement request for this new functionality if the existing standard approaches are indeed insufficient.

           

          ii)I'm not extremely familiar with the Open LDAP server, but it should not be an ldap schema change to create ldap groups which bundle some or all of the existing ldap users.  Have you attempted this with the Open LDAP server?  This is the simplest solution to try if you have not already.