1 Reply Latest reply on Sep 28, 2018 9:09 AM by knm875

    LDAP user READ permission error

    knm875

      Hi,

      We are using clustered mode for Infinispan (version 9.1.3). Using the following LDAP settings, the bind account (svcInfAuthLDAP) is correct and can authenticate. We are having an error when the user tries to access Infinispan (e.g. svcOCPtoISPN). We are using openshift pods to access it. We validated LDAP searches successfully and I think it's down to a permission mapper error now. Any help would be appreciated! See domain and host-master files below:

      Domain.xml

          <security>
              <authorization>
                  <identity-role-mapper/>
                  <role name="sgISPNAppAccess" permissions="ALL EXEC"/>
                  <!-- <role name="Developers" permissions="ALL EXEC"/>
                  <role name="Business" permissions="ALL EXEC"/>
                  <role name="Managers" permissions="ALL EXEC"/>
                  <role name="clustered" permissions="ALL EXEC"/> -->
              </authorization>
          </security>

      sample cache (in domain.xml):

          <distributed-cache name="surrogate" mode="ASYNC" segments="20" owners="3" remote-timeout="30000" start="EAGER">
              <locking acquire-timeout="30000" concurrency-level="1000" striping="false"/>
              <transaction mode="NONE"/>
              <security>
                  <authorization roles="sgISPNAppAccess"/>
              </security>
              <expiration lifespan="7200000"/>
          </distributed-cache>

      host-master.xml:

          <security-realm name="LDAPSManagementRealm">
              <authentication>
                  <ldap connection="ldap_connection" recursive="true" base-dn="DC=digital,DC=com">
                      <username-filter attribute="sAMAccountName"/>
                  </ldap>
                  <truststore path="***" relative-to="jboss.domain.config.dir" keystore-password='******'/>
              </authentication>
              <authorization>
                  <ldap connection="ldap_connection">
                      <group-search group-name="SIMPLE" iterative="true" group-dn-attribute="dn" group-name-attribute="cn">
                          <group-to-principal search-by="DISTINGUISHED_NAME" base-dn="OU=pcfSecurityGroups,DC=digital,DC=com">
                              <membership-filter principal-attribute="member"/>
                          </group-to-principal>
                      </group-search>
                  </ldap>

      ...

          <outbound-connections>
              <ldap name="ldap_connection" url="ldaps://p2ldap1.digi.pcf:636" search-dn="CN=svcInfAuthLDAP,OU=ServiceAccounts,DC=digital,DC=com" search-credential='${VAULT::ISPN::LDAP_CRED::1}' security-realm="LDAPSManagementRealm"/>
          </outbound-connections>

        • 1. Re: LDAP user READ permission error
          knm875

          Just as a follow-up: The solution was found, and that is that the slave (not only the master) servers had to be configured with the correct LDAP group under 'group-to-principal', since the openshift pods are connecting to the slaves.

          <group-to-principal search-by="DISTINGUISHED_NAME" base-dn="OU=pcfSecurityGroups,DC=digital,DC=com">
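As an added illustration of the root cause in the follow-up (this is example code written for this page, not the poster's configuration or anything shipped with Infinispan): a small Python check that parses every host file in a domain, confirms that the named security realm on each host maps groups from the expected base-dn under group-to-principal, and, for domain.xml, reports caches whose authorization element requires a role that no role element defines. Running such a check before restarting the cluster catches exactly the drift the poster hit, where the master was correct but the slaves that the OpenShift pods actually connect to were not. The sample XML, the host file names, the stale OU on the slave and the XML namespaces are all constructed stand-ins; the local-name comparison makes the check work whether or not the real files carry namespaces.

```python
import xml.etree.ElementTree as ET

# Constructed sample files modelled on the fragments in the thread; they are
# not the poster's real configuration, and the namespaces are placeholders.
HOST_TEMPLATE = """<host xmlns="urn:example:host-config" name="{name}">
  <management><security-realms>
    <security-realm name="LDAPSManagementRealm">
      <authorization>
        <ldap connection="ldap_connection">
          <group-search group-name="SIMPLE" iterative="true" group-dn-attribute="dn" group-name-attribute="cn">
            <group-to-principal search-by="DISTINGUISHED_NAME" base-dn="{group_base_dn}">
              <membership-filter principal-attribute="member"/>
            </group-to-principal>
          </group-search>
        </ldap>
      </authorization>
    </security-realm>
  </security-realms></management>
</host>
"""

EXPECTED_GROUP_BASE_DN = "OU=pcfSecurityGroups,DC=digital,DC=com"

# The master carries the right group base DN; the slave still points at a
# constructed stale OU, the kind of drift the follow-up describes.
HOSTS = {
    "host-master.xml": HOST_TEMPLATE.format(name="master", group_base_dn=EXPECTED_GROUP_BASE_DN),
    "host-slave.xml": HOST_TEMPLATE.format(name="slave", group_base_dn="OU=legacyGroups,DC=digital,DC=com"),
}

DOMAIN_XML = """<domain xmlns="urn:example:domain-config">
  <profiles><profile name="clustered">
    <subsystem xmlns="urn:example:infinispan-core">
      <cache-container name="clustered" default-cache="default">
        <security><authorization>
          <identity-role-mapper/>
          <role name="sgISPNAppAccess" permissions="ALL EXEC"/>
        </authorization></security>
        <distributed-cache name="surrogate" mode="ASYNC" owners="3">
          <security><authorization roles="sgISPNAppAccess"/></security>
        </distributed-cache>
        <distributed-cache name="reports" mode="SYNC">
          <security><authorization roles="Developers sgISPNAppAccess"/></security>
        </distributed-cache>
      </cache-container>
    </subsystem>
  </profile></profiles>
</domain>
"""


def _local(tag):
    """Strip the XML namespace so elements compare by local name."""
    return tag.rsplit("}", 1)[-1]


def _descendants(elem, name):
    return [e for e in elem.iter() if _local(e.tag) == name]


def _child(elem, name):
    for c in elem:
        if _local(c.tag) == name:
            return c
    return None


def realm_group_base_dns(host_xml, realm_name):
    """base-dn of every group-to-principal inside the named security realm."""
    root = ET.fromstring(host_xml)
    dns = []
    for realm in _descendants(root, "security-realm"):
        if realm.get("name") == realm_name:
            dns.extend(g.get("base-dn") for g in _descendants(realm, "group-to-principal"))
    return dns


def hosts_missing_group_mapping(hosts, realm_name, expected_base_dn):
    """Host files whose realm does not map groups from expected_base_dn."""
    return [name for name, xml in hosts.items()
            if expected_base_dn not in realm_group_base_dns(xml, realm_name)]


def undefined_cache_roles(domain_xml):
    """Cache name -> roles it requires that no <role> in domain.xml defines."""
    root = ET.fromstring(domain_xml)
    defined = {r.get("name") for r in _descendants(root, "role")}
    problems = {}
    for cache in (e for e in root.iter() if _local(e.tag).endswith("-cache")):
        security = _child(cache, "security")
        authz = _child(security, "authorization") if security is not None else None
        if authz is None:
            continue
        unknown = [r for r in authz.get("roles", "").split() if r not in defined]
        if unknown:
            problems[cache.get("name")] = unknown
    return problems


if __name__ == "__main__":
    print("hosts lacking the expected group mapping:",
          hosts_missing_group_mapping(HOSTS, "LDAPSManagementRealm", EXPECTED_GROUP_BASE_DN))
    print("caches requiring undefined roles:", undefined_cache_roles(DOMAIN_XML))
```

On the constructed input the first check names host-slave.xml and the second names the reports cache (its Developers role is commented out in the poster's domain.xml, so a request for it would never be granted). To use it against a real domain, load each host-*.xml and domain.xml from disk into the two inputs; the realm name and expected base-dn are the only values that need to match your own files.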