3 Replies Latest reply on Jun 15, 2017 2:43 PM by Ramesh Reddy

    Ldap based login in Teiid VDB

    Sanjay Chaturvedi Novice

      From teiid documentation it is clear that apart from text based login module(teiid-security-user.properties) file there isalso an option to use ldap based login.

      I have a user say pqr under domain xyz, so the user is xyz+pqr or xyz\pqr, which is a Microsoft Active Directory user,. Ldap server ldap://host:389 is integrated with MS AD.

      Could someone please assist me how to configure this thing in standalone.xml, I dont want to store user/password in teiid-security-users.properties file.

      I tried

       

       

      Add following security domain under <security-domains>:

       

       

                      <security-domain name="teiid-security" cache-type="default">

                          <authentication>

                              <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">

                                  <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>

                                  <module-option name="java.naming.provider.url" value="ldap://host:389/"/>

                                  <module-option name="java.naming.security.authentication" value="simple"/>

                                  <module-option name="principalDNPrefix" value="uid="/>

                                  <module-option name="principalDNSuffix" value=",ou=People,dc=jboss,dc=org"/>

                                  <module-option name="rolesCtxDN" value="ou=Roles,dc=jboss,dc=org"/>

                                  <module-option name="uidAttributeID" value="member"/>

                                  <module-option name="matchOnUserDN" value="true"/>

                                  <module-option name="roleAttributeID" value="cn"/>

                                  <module-option name="roleAttributeIsDN" value="false"/>

                                  <module-option name="searchTimeLimit" value="5000"/>

                                  <module-option name="searchScope" value="ONELEVEL_SCOPE"/>

                              </login-module>

                          </authentication>

                      </security-domain>

       

       

       

       

      And comment out following lines :

       

       

      <security-domain name="teiid-security" cache-type="default">

                          <authentication>

                              <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">

                                  <module-option name="usersProperties" value="${jboss.server.config.dir}/teiid-security-users.properties"/>

                                  <module-option name="rolesProperties" value="${jboss.server.config.dir}/teiid-security-roles.properties"/>

                              </login-module>

                          </authentication>

                      </security-domain>

      Nothing explicit I added apart from java.naming.provider.url in the conf, I am not sure if rest of the attributes are making any sense, here, Please assist.

       

      Thanks,

      Sanjay

        • 1. Re: Ldap based login in Teiid VDB
          Ramesh Reddy Master

          Sanjay,

           

          Basically what you have is what you need, there is may be additional properties based on your setup of LDAP/AD. I am not how we can help with this, you need to consult your IT department for LDAP access urls, and properties like principalDNSuffix etc. There is more information about LDAP here too How to Configure Identity Management - Red Hat Customer Portal

           

          Look for any other articles about WildFly and LDAP as this feature is WildFly feature and not specific to Teiid.

           

          Ramesh..

          • 2. Re: Ldap based login in Teiid VDB
            Sanjay Chaturvedi Novice

            Thanks Ramesh, It worked with minimal configuration :

             

            <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="sufficient">

                                        <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>

                                        <module-option name="java.naming.provider.url" value="ldap://domain:389/"/>

                                        <module-option name="java.naming.security.authentication" value="simple"/>

                                    </login-module>

             

            So, lap credentials are working for login. But for authorization, I need to map it with few groups of active directory. Got only information from the client that GROUPNAME is "BTL EI" group. So I added another configuration as follows:

             

            <login-module code="org.jboss.security.auth.spi.RoleMappingLoginModule" flag="required">

                                        <module-option name="rolesProperties" value="${jboss.server.config.dir}/role-mapping.properties"/>

                                        <module-option name="replaceRole" value="true"/>

                                    </login-module>

             

            where in role-mapping file, I added role mapping like :

            BTL EI=TEST ROLE

             

            This TEST ROLE is included in VDB. Stilll it is not working, User is able to login but not to  query. Articles are helping in terms of role name defined in active directory not with the group name.

            Do we need to include some more configuration to allow AD group users ?

            Or should we ask some attribute's value as a part of requirement and then configure it, we dont have access to AD, so need to ask specific piece of information.

             

             

            Thanks.

            • 3. Re: Ldap based login in Teiid VDB
              Ramesh Reddy Master

              Yes, I believe some role based properties are needed. All the properties are defined in above links. I am not certain which ones exactly.