Posted to user@karaf.apache.org by Christian <cs...@talend.com> on 2016/07/11 15:53:10 UTC
Karaf 4.0.3 ACL group in group not working
Hi.
I want to use a hierarchy of groups in the user/group configuration in
combination with the LDAP login module and the group/role mapping. But a group
within a group is not working right now.
I have an LDAP user "test2" with the group "test2group". The group
"test2group" is part of the group "esb". In the karaf configuration the
group "esb" is mapped to the role "admin". When I log in with the user
"test1", the user is not able to invoke the admin-restricted commands.
Any idea how to get this working?
I tried to reproduce this as small as possible with the file-based user
configuration. I'm not sure it is 100% representative.
My user.properties looks like this:
karaf = karaf,_g_:admingroup
_g_\:admingroup = group,admin,manager,viewer,systembundles
_g_\:test2group = group,_g_:admingroup
test1 = test1,viewer
test2 = test2,_g_:test2group
test3 = test3
When I log in with an admin role account I can see the group/role is
interpreted as I want.
karaf@trun()> realm-manage --realm karaf
karaf@trun()> jaas:user-list
User Name | Group | Role
--------------------------------------
karaf | admingroup | admin
karaf | admingroup | manager
karaf | admingroup | viewer
karaf | admingroup | systembundles
test1 | | viewer
test2 | test2group | admin
test2 | test2group | manager
test2 | test2group | viewer
test2 | test2group | systembundles
test3 | |
But if I try to invoke a command with only admin role privileges, it is not
working. For example:
Command not found: feature:install
What do you think? Something misconfigured? Is group in group not supported?
Is it a bug?
With best regards
Christian
--
View this message in context: http://karaf.922171.n3.nabble.com/Karaf-4-0-3-ACL-group-in-group-not-working-tp4047197.html
Sent from the Karaf - User mailing list archive at Nabble.com.
Re: Karaf 4.0.3 ACL group in group not working
Posted by Jean-Baptiste Onofré <jb...@nanthrax.net>.
Thanks for the update Christian. Sorry, I wasn't able to get back to you
early (busy with a customer).
Good to know and thanks again for sharing.
Regards
JB
On 07/12/2016 05:23 PM, Christian wrote:
> Looks like my property-based login configuration is not really usable to
> reproduce my issue. I found a specific Active Directory solution which fits
> my requirements.
>
> I added a matching rule in the LDAP login module configuration. It looks
> like this:
>
> <?xml version="1.0" encoding="UTF-8"?>
> <blueprint xmlns="http://www.osgi.org/xmlns/blueprint/v1.0.0"
>            xmlns:jaas="http://karaf.apache.org/xmlns/jaas/v1.0.0"
>            xmlns:ext="http://aries.apache.org/blueprint/xmlns/blueprint-ext/v1.0.0">
>
>   <jaas:config name="karaf" rank="1">
>     <jaas:module className="org.apache.karaf.jaas.modules.ldap.LDAPLoginModule"
>                  flags="required">
>       initialContextFactory=com.sun.jndi.ldap.LdapCtxFactory
>       connection.username=***
>       connection.password=***
>       connection.protocol=
>       connection.url=ldap://***:389
>       user.base.dn=OU=NeastedGroupsTest,DC=test,DC=***,DC=***
>       user.filter=(sAMAccountName=%u)
>       user.search.subtree=true
>       role.base.dn=OU=NeastedGroupsTest,DC=test,DC=***,DC=***
>       role.name.attribute=cn
>       role.filter=(member:1.2.840.113556.1.4.1941:=%fqdn)
>       role.search.subtree=true
>       role.mapping=neastedGroupAdmin=admin;neastedGroupManager=manager;neastedGroupViewer=viewer
>     </jaas:module>
>   </jaas:config>
> </blueprint>
>
> The magic is done by the member filter with the ":1.2.840.113556.1.4.1941:".
> Then it works with nested groups.
>
> With best regards
> Christian
>
> --
> View this message in context: http://karaf.922171.n3.nabble.com/Karaf-4-0-3-ACL-group-in-group-not-working-tp4047197p4047206.html
--
Jean-Baptiste Onofré
jbonofre@apache.org
http://blog.nanthrax.net
Talend - http://www.talend.com
Re: Karaf 4.0.3 ACL group in group not working
Posted by Christian <cs...@talend.com>.
Looks like my property-based login configuration is not really usable to
reproduce my issue. I found a specific Active Directory solution which fits
my requirements.
I added a matching rule in the LDAP login module configuration. It looks
like this:
<?xml version="1.0" encoding="UTF-8"?>
<blueprint xmlns="http://www.osgi.org/xmlns/blueprint/v1.0.0"
           xmlns:jaas="http://karaf.apache.org/xmlns/jaas/v1.0.0"
           xmlns:ext="http://aries.apache.org/blueprint/xmlns/blueprint-ext/v1.0.0">

  <jaas:config name="karaf" rank="1">
    <jaas:module className="org.apache.karaf.jaas.modules.ldap.LDAPLoginModule"
                 flags="required">
      initialContextFactory=com.sun.jndi.ldap.LdapCtxFactory
      connection.username=***
      connection.password=***
      connection.protocol=
      connection.url=ldap://***:389
      user.base.dn=OU=NeastedGroupsTest,DC=test,DC=***,DC=***
      user.filter=(sAMAccountName=%u)
      user.search.subtree=true
      role.base.dn=OU=NeastedGroupsTest,DC=test,DC=***,DC=***
      role.name.attribute=cn
      role.filter=(member:1.2.840.113556.1.4.1941:=%fqdn)
      role.search.subtree=true
      role.mapping=neastedGroupAdmin=admin;neastedGroupManager=manager;neastedGroupViewer=viewer
    </jaas:module>
  </jaas:config>
</blueprint>
The magic is done by the member filter with the ":1.2.840.113556.1.4.1941:".
Then it works with nested groups.
With best regards
Christian
--
View this message in context: http://karaf.922171.n3.nabble.com/Karaf-4-0-3-ACL-group-in-group-not-working-tp4047197p4047206.html
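As an added example (not code from this thread, from Karaf, or from Active Directory), the following Python model shows the difference between the two role filters discussed above. It builds a constructed in-memory directory whose nesting mirrors the thread (test2 is a member of test2group, which is a member of esb, which in turn sits inside neastedGroupAdmin) plus an invented membership cycle, resolves direct membership the way a plain (member=%fqdn) filter would and transitive membership the way the (member:1.2.840.113556.1.4.1941:=%fqdn) filter does, and then applies the thread's role.mapping to the cn of each group found. The DNs (DC=example,DC=com), the esb and loop groups, the role_mapping parser and the RFC 4515 escaping of the substituted DN are assumptions of the example, not documented behaviour of Karaf's LDAPLoginModule.

```python
"""Model of direct vs. transitive (nested) group membership resolution.

Added example, not Karaf or Active Directory code. Over a constructed
in-memory directory it reproduces why a plain (member=<userDN>) role filter
only sees a user's direct groups, while (member:1.2.840.113556.1.4.1941:=<userDN>)
(Active Directory's LDAP_MATCHING_RULE_IN_CHAIN) also yields groups reached
through nesting, and then applies a Karaf-style role.mapping to the group cn.
"""
from typing import Dict, List, Set

LDAP_MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"

# Constructed sample directory: group DN -> member DNs. The group names under
# DC=example,DC=com are invented for this example. The nesting mirrors the
# thread (test2 -> test2group -> esb -> neastedGroupAdmin); the "loop" group
# adds a membership cycle so the transitive walk has to terminate.
DIRECTORY: Dict[str, List[str]] = {
    "CN=test2group,OU=NeastedGroupsTest,DC=test,DC=example,DC=com": [
        "CN=test2,OU=NeastedGroupsTest,DC=test,DC=example,DC=com",
    ],
    "CN=esb,OU=NeastedGroupsTest,DC=test,DC=example,DC=com": [
        "CN=test2group,OU=NeastedGroupsTest,DC=test,DC=example,DC=com",
    ],
    "CN=neastedGroupAdmin,OU=NeastedGroupsTest,DC=test,DC=example,DC=com": [
        "CN=esb,OU=NeastedGroupsTest,DC=test,DC=example,DC=com",
        "CN=loop,OU=NeastedGroupsTest,DC=test,DC=example,DC=com",
    ],
    "CN=loop,OU=NeastedGroupsTest,DC=test,DC=example,DC=com": [
        "CN=neastedGroupAdmin,OU=NeastedGroupsTest,DC=test,DC=example,DC=com",
    ],
    "CN=neastedGroupViewer,OU=NeastedGroupsTest,DC=test,DC=example,DC=com": [
        "CN=test1,OU=NeastedGroupsTest,DC=test,DC=example,DC=com",
    ],
}


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515).
    Whether Karaf escapes %fqdn itself is not stated on the page; the
    example escapes as a matter of hygiene."""
    out = []
    for ch in value:
        if ch in "\\*()" or ch == "\0":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def direct_groups(directory: Dict[str, List[str]], dn: str) -> Set[str]:
    """What (member=<dn>) returns: only groups that list dn directly."""
    return {g for g, members in directory.items() if dn in members}


def nested_groups(directory: Dict[str, List[str]], user_dn: str) -> Set[str]:
    """What (member:1.2.840.113556.1.4.1941:=<userDN>) returns: the transitive
    closure. The 'found' set terminates the walk even when groups contain
    each other (the loop <-> neastedGroupAdmin cycle above)."""
    found: Set[str] = set()
    frontier = [user_dn]
    while frontier:
        dn = frontier.pop()
        for group in direct_groups(directory, dn):
            if group not in found:
                found.add(group)
                frontier.append(group)
    return found


def cn_of(dn: str) -> str:
    """Value of the first RDN, i.e. what role.name.attribute=cn yields."""
    return dn.split(",", 1)[0].split("=", 1)[1]


def parse_role_mapping(spec: str) -> Dict[str, List[str]]:
    """Parse the role.mapping syntax: group=role[,role];group=role ...
    The page shows one role per group; comma-separated role lists are an
    assumption of this parser."""
    mapping: Dict[str, List[str]] = {}
    for entry in spec.split(";"):
        entry = entry.strip()
        if not entry:
            continue
        group, roles = entry.split("=", 1)
        mapping[group.strip()] = [r.strip() for r in roles.split(",") if r.strip()]
    return mapping


def roles_for(directory: Dict[str, List[str]], user_dn: str,
              role_mapping_spec: str, nested: bool = True) -> Set[str]:
    """Karaf roles the user ends up with under either filter style."""
    groups = nested_groups(directory, user_dn) if nested else direct_groups(directory, user_dn)
    mapping = parse_role_mapping(role_mapping_spec)
    roles: Set[str] = set()
    for group in groups:
        roles.update(mapping.get(cn_of(group), []))
    return roles


def role_filter(user_dn: str, nested: bool = True) -> str:
    """Build the role.filter string with the user DN substituted for %fqdn."""
    rule = f":{LDAP_MATCHING_RULE_IN_CHAIN}:" if nested else ""
    return f"(member{rule}={escape_filter_value(user_dn)})"


if __name__ == "__main__":
    user = "CN=test2,OU=NeastedGroupsTest,DC=test,DC=example,DC=com"
    mapping = "neastedGroupAdmin=admin;neastedGroupManager=manager;neastedGroupViewer=viewer"
    for nested in (False, True):
        print(role_filter(user, nested))
        print("  groups:", sorted(cn_of(g) for g in
              (nested_groups if nested else direct_groups)(DIRECTORY, user)))
        print("  roles: ", sorted(roles_for(DIRECTORY, user, mapping, nested)))
```

Run stand-alone, the plain filter yields only test2group and therefore no Karaf role for test2, while the in-chain filter yields test2group, esb, neastedGroupAdmin and loop, so the mapping grants admin; this is the behaviour the thread reports. Two points a practitioner should keep in mind when deploying the in-chain filter: it is an Active Directory extension, and a directory that does not recognise the matching rule evaluates the assertion as Undefined, so the search simply returns no groups, which looks like an authorization failure rather than a configuration error; and because role.name.attribute=cn keys the mapping on the cn alone, any group under role.base.dn whose cn is neastedGroupAdmin is mapped to admin when role.search.subtree=true, so rights to create groups inside that subtree are effectively rights to grant Karaf admin.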