Posted to user@karaf.apache.org by metatech <me...@gmail.com> on 2011/11/03 15:38:04 UTC
Does Karaf support hierarchical LDAP roles?
Hi,
I am trying to set up BASIC authentication on camel-jetty routes with an LDAP
user.
I defined the realm in my blueprint.xml to use Karaf's LDAPLoginModule (see
below) and I think there is a limitation with the "%u" placeholder. If
users are not hierarchically structured, I can configure the user
suffix ("ou=Users,dc=mycompany,dc=com" in my example) twice, both in the
"user.base.dn" and in the "role.filter".
This works fine.
However, if users are hierarchically structured, the "%u" only contains the
login and not the sub-branch ("SUBBRANCH" in my example).
Is there any reason why the "%u" does not contain the full DN instead of
the login name?
Thanks in advance,
metatech
<jaas:config name="LDAPRealm">
    <jaas:module
        className="org.apache.karaf.jaas.modules.ldap.LDAPLoginModule"
        flags="required">
        connection.url = ldap://ldap-acc.mycompany.com:389
        user.base.dn = ou=Users,dc=mycompany,dc=com
        user.filter = (uid=%u)
        user.search.subtree = true
        role.base.dn = ou=UsersGroups,dc=mycompany,dc=com
        role.filter = (uniqueMember=uid=%u,ou=SUBBRANCH,ou=Users,dc=mycompany,dc=com)
        role.name.attribute = cn
        role.search.subtree = true
        authentication = simple
    </jaas:module>
</jaas:config>
--
View this message in context: http://karaf.922171.n3.nabble.com/Does-Karaf-support-hierarchical-LDAP-roles-tp3477321p3477321.html
Sent from the Karaf - User mailing list archive at Nabble.com.
Re: Does Karaf support hierarchical LDAP roles?
Posted by metatech <me...@gmail.com>.
Jean-Baptiste Onofré wrote:
>
> with subtree=true, you don't need the FQN.
> JB
>
Hi JB,
Thanks for your fast reply.
Actually, I had already "subtree" set to true for both users and roles.
But adding a wildcard in the LDAP filter did make it work:
role.filter = (uniqueMember=uid=%u,*,ou=Users,dc=mycompany,dc=com)
Thanks again,
metatech
Re: Does Karaf support hierarchical LDAP roles?
Posted by Jean-Baptiste Onofré <jb...@nanthrax.net>.
Hi,
with subtree=true, you don't need the FQN.
For instance, if you define ou=role,dc=test,dc=org as baseDN, and uid=%u,
the LDAP search will cover:
uid=%u,ou=role,dc=test,dc=org
uid=%u,ou=other,ou=role,dc=test,dc=org
etc.
subtree means descending into the children.
So you may not use a FQN.
Did you try?
Regards
JB
--
Jean-Baptiste Onofré
jbonofre@apache.org
http://blog.nanthrax.net
Talend - http://www.talend.com
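The two points made in this thread, that a subtree search covers every level beneath the base DN, and that a role filter such as (uniqueMember=uid=%u,*,ou=Users,dc=mycompany,dc=com) matches a user wherever they sit under ou=Users, can be modelled without a directory server. The following is an added example, not code from the thread or from Karaf's LDAPLoginModule. It also covers the part a defender cares about: in a BASIC-auth setup the login that replaces %u is attacker-controlled input, so the substitution must escape filter metacharacters (RFC 4515) and, where %u lands inside a DN, reject characters such as commas that would change the DN structure. The helpers (escape_filter_value, build_filter, build_role_filter, dn_in_scope, member_matches, roles_for), the assumption that subtree=false behaves like a one-level search, and the sample group entries are all constructed for this example.

```python
"""Added example (not part of the original thread or of Karaf's own code).

Models three things from the thread:
  1. safe substitution of the login into a `%u` filter template,
  2. which DNs a base DN covers with subtree search on or off,
  3. the structural equivalent of the wildcard role filter
     (uniqueMember=uid=%u,*,ou=Users,dc=mycompany,dc=com).
All helper names and sample data are constructed for this example.
"""
import re

# RFC 4515: characters that must be escaped inside an LDAP filter value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# Logins that may be substituted into a DN template. Escaping alone does not
# protect a DN: a comma in the login would add or replace an RDN.
_LOGIN_RE = re.compile(r"^[A-Za-z0-9._-]+$")


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_filter(template: str, login: str) -> str:
    """Substitute %u in a plain attribute filter such as (uid=%u).
    A login like ')(uid=*' is neutralised instead of rewriting the filter."""
    return template.replace("%u", escape_filter_value(login))


def build_role_filter(template: str, login: str) -> str:
    """Substitute %u where it sits inside a DN (the uniqueMember case).
    Rejects logins that could alter DN structure, then escapes as usual."""
    if not _LOGIN_RE.match(login):
        raise ValueError(f"login {login!r} not allowed inside a DN template")
    return build_filter(template, login)


def parse_dn(dn: str) -> list:
    """Split a DN into normalised RDNs. Simplified: the DNs in this thread
    contain no escaped commas, so a plain split is sufficient here."""
    return [rdn.strip().lower() for rdn in dn.split(",")]


def dn_in_scope(base_dn: str, entry_dn: str, subtree: bool) -> bool:
    """True if entry_dn is found by a search rooted at base_dn.
    subtree=True covers every level below the base (JB's examples);
    subtree=False is modelled as a one-level search (assumption)."""
    base, entry = parse_dn(base_dn), parse_dn(entry_dn)
    if len(entry) <= len(base) or entry[-len(base):] != base:
        return False  # not beneath the base at all
    return subtree or (len(entry) - len(base) == 1)


def member_matches(member_dn: str, login: str, user_base_dn: str) -> bool:
    """Structural equivalent of the thread's wildcard filter: the member's
    first RDN is uid=<login> and the entry sits anywhere under user_base_dn."""
    rdns = parse_dn(member_dn)
    return rdns[0] == f"uid={login}".lower() and dn_in_scope(user_base_dn, member_dn, subtree=True)


# Constructed sample group entries (not from a real directory):
# group DN -> uniqueMember values.
SAMPLE_GROUPS = {
    "cn=admins,ou=UsersGroups,dc=mycompany,dc=com": [
        "uid=alice,ou=SUBBRANCH,ou=Users,dc=mycompany,dc=com",
    ],
    "cn=readers,ou=UsersGroups,dc=mycompany,dc=com": [
        "uid=bob,ou=Users,dc=mycompany,dc=com",
        "uid=alice,ou=Contractors,dc=mycompany,dc=com",  # outside ou=Users: must not count
    ],
}


def roles_for(login: str, groups=None, user_base_dn="ou=Users,dc=mycompany,dc=com") -> list:
    """Return the cn of every group whose uniqueMember matches the login
    (role.name.attribute = cn in the thread's configuration)."""
    groups = SAMPLE_GROUPS if groups is None else groups
    roles = []
    for group_dn, members in groups.items():
        if any(member_matches(m, login, user_base_dn) for m in members):
            roles.append(parse_dn(group_dn)[0].split("=", 1)[1])
    return sorted(roles)


if __name__ == "__main__":
    print(build_filter("(uid=%u)", ")(uid=*"))
    print(build_role_filter("(uniqueMember=uid=%u,*,ou=Users,dc=mycompany,dc=com)", "alice"))
    print(roles_for("alice"), roles_for("bob"), roles_for("carol"))
```

The wildcard form from the thread matches on the string value of uniqueMember; member_matches does the same job structurally, which makes the "first RDN is uid=<login>, suffix is the user base" intent explicit and keeps the user base as the only place the login is trusted to appear.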