0 Replies Latest reply on Jan 21, 2015 2:36 PM by psesi

    Is it possible to load roles for ManagementRealm from an LDAP security domain?

    psesi Newbie

      Hello,

       

      I am trying to set up Wildfly8.2 to use LDAP for authentication and authorization for the management console. I am able to get authorization working using an LDAP Security domain (see below). However, I can’t quite figure out how to set up associated authorization to allow the user roles read by that security domain be “realized” by the authorization portion of the ManagementRealm. I can get things partially working, by using a combination of LDAP for authentication  and the “<properties>” setup for authorization – where I have to add an entry for the user(s) and explicitly define the group (role) that I want to map to the Management Application roles. This is a workaround, but ideally, I want to use the roles as defined in our LDAP domain (e.g., "Web Admin" in example below) and directly map them in the "<access-control>" section of the config.

       

      Note that I use “<jaas>” option in <authentication> to reference the security domain I have defined. One advantage to this (over setting up as “<ldap>”) is that the user provided credentials will be used to bind to ldap – I don’t have to set up a separate “user” and expose those credentials in standalone.xml (<connection>). Unfortunately, <jaas> is not allowed under the <authorization> element as far as I can tell.

       

      So, ideally, I’d like to have the users groups (roles) read/mapped by the security domain on authentication – and not have to set up a separate “ldap/connection” (which is what I've seen in other discussion, etc.) or use a "hard-coded" properties file for that. Is there any way to do that for the ManagementRealm?

       

      Here are the relevant parts of my standalone.xml showing my current “workaround” setup:


      ….
      <management>
       <security-realms>
       <security-realm name="ManagementRealm">
       <authentication>
       <local default-user="$local" skip-group-loading="true"/>
       <jaas name="ldap-authn"/>
       </authentication>
       <authorization map-groups-to-roles="false">
       <properties path="mgmt-groups.properties" relative-to="jboss.server.config.dir"/>
       </authorization>
       </security-realm>
       ….
       </security-realms>
       ….
       <access-control provider="rbac">
       <role-mapping>
       <role name="SuperUser">
       <include>
       <user name="$local"/>
       <group name="Web Admin" realm="ManagementRealm"/>
       </include>
       </role>
       </role-mapping>
       </access-control>
      </management>
      ….
      <subsystem xmlns="urn:jboss:domain:security:1.2">
       <security-domains>
       ….
       <security-domain cache-type="default" name="ldap-authn">
       <authentication>
       <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">
       <module-option name="password-stacking" value="useFirstPass"/>
       <module-option name="java.naming.provider.url" value="ldaps://ldapsrvr.mydom.com:636"/>
       <module-option name="java.naming.security.protocol" value="ssl"/>
       <module-option name="matchOnUserDN" value="false"/>
       <module-option name="principalDNPrefix" value=""/>
       <module-option name="principalDNSuffix" value="@mydom.com"/>
       <module-option name="uidAttributeID" value="sAMAccountName"/>
       <module-option name="rolesCtxDN" value="OU=USERS,DC=mydom,DC=com"/>
       <module-option name="roleAttributeIsDN" value="true"/>
       <module-option name="roleAttributeID" value="memberOf"/>
       <module-option name="roleNameAttributeID" value="name"/>
       <module-option name="java.naming.security.authentication" value="simple"/>
       <module-option name="allowEmptyPasswords" value="false"/>
       </login-module>
       </authentication>
       </security-domain>
       </security-domains>
      </subsystem>
      …
      

       

      Thanks in advance -

      Paul