Posted to user@karaf.apache.org by Christian <cs...@talend.com> on 2016/07/11 15:53:10 UTC

Karaf 4.0.3 ACL group in group not working

Hi.

I want to use a hierarchy of groups in the user/group configuration in
combination with the LDAP login module and the group/role mapping. But a group
within a group is not working right now.

I have an LDAP user "test2" with the group "test2group". The group
"test2group" is part of the group "esb". In the karaf configuration the
group "esb" is mapped to the role "admin". When I login with the user
"test1", the user is not able to invoke the admin restricted commands. 

Any Idea how to get this working?

I tried to reproduce this as small as possible with the file-based user
configuration. I'm not sure it is 100% representative.
My user.properties looks like this:
User.properties:
karaf = karaf,_g_:admingroup
_g_\:admingroup = group,admin,manager,viewer,systembundles
_g_\:test2group = group,_g_:admingroup
test1 = test1,viewer
test2=test2,_g_:test2group
test3=test3

When I login with an admin role account I can see the group/role is
interpreted as I want.
karaf@trun()> realm-manage --realm karaf
karaf@trun()> jaas:user-list
User Name | Group      | Role
--------------------------------------
karaf     | admingroup | admin
karaf     | admingroup | manager
karaf     | admingroup | viewer
karaf     | admingroup | systembundles
test1     |            | viewer
test2     | test2group | admin
test2     | test2group | manager
test2     | test2group | viewer
test2     | test2group | systembundles
test3     |            |

But if I try to invoke a command that is restricted to the admin role, it does
not work. For example:
Command not found: feature:install

What do you think? Something misconfigured? Is group in group not supported?
Is it a bug?

With best regards
Christian



--
View this message in context: http://karaf.922171.n3.nabble.com/Karaf-4-0-3-ACL-group-in-group-not-working-tp4047197.html
Sent from the Karaf - User mailing list archive at Nabble.com.

Re: Karaf 4.0.3 ACL group in group not working

Posted by Jean-Baptiste Onofré <jb...@nanthrax.net>.
Thanks for the update Christian. Sorry, I wasn't able to get back to you 
early (busy with a customer).

Good to know and thanks again for sharing.

Regards
JB

On 07/12/2016 05:23 PM, Christian wrote:
> Looks like my property-based login configuration is not really usable to
> reproduce my issue. I found a specific Active Directory solution that fits
> my requirements.
>
> I added a matching rule in the LDAP login module configuration. It looks
> like this:
>
> <?xml version="1.0" encoding="UTF-8"?>
> <blueprint xmlns="http://www.osgi.org/xmlns/blueprint/v1.0.0"
>            xmlns:jaas="http://karaf.apache.org/xmlns/jaas/v1.0.0"
>            xmlns:ext="http://aries.apache.org/blueprint/xmlns/blueprint-ext/v1.0.0">
>
>     <jaas:config name="karaf" rank="1">
>         <jaas:module className="org.apache.karaf.jaas.modules.ldap.LDAPLoginModule"
>                      flags="required">
>             initialContextFactory=com.sun.jndi.ldap.LdapCtxFactory
>             connection.username=***
>             connection.password=***
>             connection.protocol=
>             connection.url=ldap://***:389
>             user.base.dn=OU=NeastedGroupsTest,DC=test,DC=***,DC=***
>             user.filter=(sAMAccountName=%u)
>             user.search.subtree=true
>             role.base.dn=OU=NeastedGroupsTest,DC=test,DC=***,DC=***
>             role.name.attribute=cn
>             role.filter=(member:1.2.840.113556.1.4.1941:=%fqdn)
>             role.search.subtree=true
>             role.mapping=neastedGroupAdmin=admin;neastedGroupManager=manager;neastedGroupViewer=viewer
>         </jaas:module>
>     </jaas:config>
> </blueprint>
>
> The magic is done by the member filter with ":1.2.840.113556.1.4.1941:".
> Then it works with nested groups.
>
> With best regards
> Christian
>
>
>
> --
> View this message in context: http://karaf.922171.n3.nabble.com/Karaf-4-0-3-ACL-group-in-group-not-working-tp4047197p4047206.html
> Sent from the Karaf - User mailing list archive at Nabble.com.
>

-- 
Jean-Baptiste Onofré
jbonofre@apache.org
http://blog.nanthrax.net
Talend - http://www.talend.com

Re: Karaf 4.0.3 ACL group in group not working

Posted by Christian <cs...@talend.com>.
Looks like my property-based login configuration is not really usable to
reproduce my issue. I found a specific Active Directory solution that fits
my requirements.

I added a matching rule in the LDAP login module configuration. It looks
like this:

<?xml version="1.0" encoding="UTF-8"?>
<blueprint xmlns="http://www.osgi.org/xmlns/blueprint/v1.0.0"
           xmlns:jaas="http://karaf.apache.org/xmlns/jaas/v1.0.0"
           xmlns:ext="http://aries.apache.org/blueprint/xmlns/blueprint-ext/v1.0.0">

    <jaas:config name="karaf" rank="1">
        <jaas:module className="org.apache.karaf.jaas.modules.ldap.LDAPLoginModule"
                     flags="required">
            initialContextFactory=com.sun.jndi.ldap.LdapCtxFactory
            connection.username=***
            connection.password=***
            connection.protocol=
            connection.url=ldap://***:389
            user.base.dn=OU=NeastedGroupsTest,DC=test,DC=***,DC=***
            user.filter=(sAMAccountName=%u)
            user.search.subtree=true
            role.base.dn=OU=NeastedGroupsTest,DC=test,DC=***,DC=***
            role.name.attribute=cn
            role.filter=(member:1.2.840.113556.1.4.1941:=%fqdn)
            role.search.subtree=true
            role.mapping=neastedGroupAdmin=admin;neastedGroupManager=manager;neastedGroupViewer=viewer
        </jaas:module>
    </jaas:config>
</blueprint>

The magic is done by the member filter with ":1.2.840.113556.1.4.1941:".
Then it works with nested groups.

With best regards
Christian



--
View this message in context: http://karaf.922171.n3.nabble.com/Karaf-4-0-3-ACL-group-in-group-not-working-tp4047197p4047206.html
Sent from the Karaf - User mailing list archive at Nabble.com.
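The following is an added example, not code from the thread or from Karaf, that shows why the matching rule in Christian's role.filter makes the difference for both the nested-group question in the first post and the working Active Directory configuration in the last one. It simulates a small directory in memory: a plain (member=%fqdn) search only returns groups that list the user DN directly, while (member:1.2.840.113556.1.4.1941:=%fqdn) (the Active Directory LDAP_MATCHING_RULE_IN_CHAIN rule) walks group nesting transitively, so a user in test2group, which is in esb, which is in neastedGroupAdmin, ends up with the admin role. The base DN, the group tree, the cycleA/cycleB groups and the test3 user are constructed for the example; the role.mapping string and the group names on the right-hand side are the ones from the posted configuration.

```python
"""Added example (not Karaf code): simulate a direct-membership role filter
versus the matching-rule-in-chain filter from the thread against a tiny
in-memory directory, then apply the posted role.mapping to the result."""

# Assumed base DN; the real one on the page is masked.
BASE = "OU=NeastedGroupsTest,DC=test,DC=example,DC=com"

LDAP_MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"


def dn(cn):
    """Build a DN under BASE. With role.name.attribute=cn the CN is the role name."""
    return f"CN={cn},{BASE}"


# Constructed group entries: group DN -> list of direct member DNs.
# test2 -> test2group -> esb -> neastedGroupAdmin (three levels of nesting).
# test1 is a direct member of neastedGroupViewer.
# cycleA and cycleB contain each other (AD allows this) and contain test3.
GROUPS = {
    dn("test2group"): [dn("test2")],
    dn("esb"): [dn("test2group")],
    dn("neastedGroupAdmin"): [dn("esb")],
    dn("neastedGroupViewer"): [dn("test1")],
    dn("cycleA"): [dn("cycleB")],
    dn("cycleB"): [dn("cycleA"), dn("test3")],
}


def escape_filter_value(value):
    """RFC 4515 escaping for a value substituted into a search filter (the %fqdn slot)."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def ldap_filter(user_dn, nested):
    """The role.filter string after %fqdn substitution, with or without the matching rule."""
    attr = f"member:{LDAP_MATCHING_RULE_IN_CHAIN}:" if nested else "member"
    return f"({attr}={escape_filter_value(user_dn)})"


def direct_groups(member_dn):
    """Groups whose member attribute lists member_dn: what (member=...) returns."""
    return {g for g, members in GROUPS.items() if member_dn in members}


def transitive_groups(user_dn):
    """Groups reachable through any nesting depth: what the chain rule returns.
    Visited groups are tracked so circular nesting terminates."""
    seen = set()
    frontier = [user_dn]
    while frontier:
        current = frontier.pop()
        for group in direct_groups(current) - seen:
            seen.add(group)
            frontier.append(group)
    return seen


def cn_of(entry_dn):
    """role.name.attribute=cn: the name Karaf compares against role.mapping."""
    return entry_dn.split(",", 1)[0].split("=", 1)[1]


def parse_role_mapping(text):
    """Parse the ldapGroup=karafRole;ldapGroup=karafRole syntax used on the page."""
    mapping = {}
    for pair in text.split(";"):
        if pair.strip():
            ldap_group, karaf_role = pair.split("=", 1)
            mapping[ldap_group.strip()] = karaf_role.strip()
    return mapping


def karaf_roles(user_dn, mapping, nested):
    """Karaf roles granted to user_dn under either filter variant."""
    groups = transitive_groups(user_dn) if nested else direct_groups(user_dn)
    names = {cn_of(g) for g in groups}
    return {role for ldap_group, role in mapping.items() if ldap_group in names}


ROLE_MAPPING = parse_role_mapping(
    "neastedGroupAdmin=admin;neastedGroupManager=manager;neastedGroupViewer=viewer"
)

if __name__ == "__main__":
    for user in ("test1", "test2", "test3"):
        for nested in (False, True):
            print(user, ldap_filter(dn(user), nested),
                  sorted(karaf_roles(dn(user), ROLE_MAPPING, nested)))
```

Running it shows test2 with no roles under the direct filter (the "Command not found: feature:install" situation) and with admin under the chain-rule filter, while test1 gets viewer either way. Two caveats when using the real configuration: the 1.2.840.113556.1.4.1941 matching rule is an Active Directory extension, so the same filter returns nothing against a server that does not implement it, and a connection.url of ldap://host:389 with an empty connection.protocol means the service account's simple bind travels in cleartext unless TLS is configured.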