Release Automation


permission for ldap users/groups

  • 1.  permission for ldap users/groups

    Posted Mar 01, 2016 10:37 PM

    Hi,

    We are running CA-RA 5.5.2.19 on Linux.

    We have set up the authentication via ldap group, which is working fine. ldap users can log into the system with no issue.

    I then created a user by importing a user from ldap. I gave the appropriate permission to the ldap user, but it does not seem to work. In ASAP this ldap user kept getting the error "You have no permission to current application". In ROC, this user cannot access anything at all.

     

    I did import the ldap group which this user is a member of and gave it all the appropriate permissions. I tried giving the superuser role to this ldap group and/or ldap user and nothing works.

     

    I gave the same permission to a new local user and it works fine. So I know definitely this must be the ldap integration which causes the issue.

     

    Just wondering if anyone has successfully got this working at all. Any comments or feedback would be appreciated.

     

    Sindy



  • 2.  Re: permission for ldap users/groups

    Posted Mar 02, 2016 02:59 PM

    Hi Sindy,

     

    Open the user that you imported and edit the field LDAP Security context adding "@yourcompany.local".

    Regards,

    Francis



  • 3.  Re: permission for ldap users/groups

    Posted Mar 02, 2016 05:50 PM

    Thank You Francis.

     

    I've tried it and it's still not working. I think we need to revisit the ldap integration settings, as I just found out that in fact any ldap user can log in, while we tried to set it up to allow access only to the members of a specific ldap group.

     

    Do you think this could have contributed to the authorisation issue we have?



  • 4.  Re: permission for ldap users/groups

    Posted Mar 03, 2016 01:31 AM

    When you configured your LDAP integration in distributed.properties you basically allowed any user from your LDAP system with a valid password to authenticate and log in to the RA system, so the fact that any LDAP user can log in is the expected result.

    After the user authenticates, they should be given the permissions based on the imported group membership or the personal permissions you set for the user, and you have an issue in this phase.

    Can you please provide screenshots from your system with the users/group settings, the content of your distributed.properties, etc.

    Thanks

    Jacky 



  • 5.  Re: permission for ldap users/groups

    Posted Mar 06, 2016 05:21 PM

    Jacky,

    We updated Distributed.properties and applicationContext-acegi-security.xml hoping that only users in GESB-CARA-Users can log in. Then the permissions for the local groups or the imported ldap user will determine what the user can do in ROC and ASAP.

     

    Distributed.properties

    applicationContext-acegi-security.xml

     

    Below is the user imported from ldap



  • 6.  Re: permission for ldap users/groups

    Posted Mar 03, 2016 07:42 AM

    Sindy,

     

    You could change the log configuration to get more info.

    Edit the file:

    <install_dir>/webapps/datamanagement/WEB-INF/log4j.properties

     

    FROM:

    log4j.logger.com.nolio.platform.server.dataservices.services.auth.providers.NolioActiveDirectoryAuthenticationProvider=WARN

    #log4j.logger.org.springframework.security=DEBUG, Spring

     

    TO:

    log4j.logger.com.nolio.platform.server.dataservices.services.auth.providers.NolioActiveDirectoryAuthenticationProvider=ALL

    log4j.logger.org.springframework.security=ALL

     

    Restart the service:

    ./nolio_server.sh restart

     

    Open ROC and try to authenticate with a valid LDAP user again.

    Verify the logs at:

    <install_dir>/logs/nolio_dm_all

     

    Regards,

    Francis



  • 7.  Re: permission for ldap users/groups

    Posted Mar 06, 2016 05:22 PM

    Thank You..



  • 8.  Re: permission for ldap users/groups

    Posted Mar 07, 2016 04:01 AM

    Just to make sure I understand correctly:

     

    "hoping that only user in GESB-CARA-Users can login. "

    Why do you import LDAP users if you want to manage the permissions and the authorization only for GESB-CARA-Users group members?

    "Then the permission for the local groups or imported ldap user will determine what the user can do in ROC and ASAP."

    When you say local groups, are you referring to local groups you created in RA or LDAP groups you imported?

     

    In general it's better not to mix imported users and groups (work only with imported groups or only with imported users).

     

    In the applicationContext-acegi-security.xml the groupSearchFilter is wrong; try to leave it with the default value:

     

    <b:property name="groupSearchFilter" value="(|(uniqueMember={0})(member={0}))" />

     

    Can you specify the DN for the GESB-CARA-Users group?

    Jacky



  • 9.  Re: permission for ldap users/groups

    Posted Mar 07, 2016 04:57 PM

    Jacky,

     

    We only intend to use GESB-CARA-Users for authentication, i.e. allow all of the members to log in to CA. Anyone else not in this group should not be able to log in.

    If we have 100 members in the GESB-CARA-Users ldap group, we may want 5 of them to have access to ROC, 10 may be allowed to access only application A, and 20 should only be allowed to have access to application B, etc.

     

    So I created various local groups in RA with the appropriate permissions. I then imported the users from ldap and placed them into the appropriate groups I created in CA. But when testing it out it's not working.

     

    I understand the other way is to create various ldap groups for different user roles, then import the ldap groups into RA. Permission is then granted on these imported ldap groups.

     

    Will try changing the groupSearchFilter.



  • 10.  Re: permission for ldap users/groups

    Posted Mar 08, 2016 09:00 AM

    Currently I don't think there is a way to lock the authentication capabilities to specific group members; however, you can still achieve it in different ways.

    Below is an example of a quick test that I did.

    I configured an OpenLDAP system to allow login only for users which have a specific attribute; in my case I chose roleOccupant and set the value cn=ra.

     

     

    Next I created a group (or groups) that will be used for authorization (giving permissions inside CA RA); group members must have the attribute set as well, otherwise they will not be able to log in.

    In the CA RA applicationContext-acegi-security.xml configuration file I set the following:

     

    You need to update distributed.properties according to what you already did before.

    You need to restart the RA server service and then import the LDAP group and set permissions.

     

    I hope this helps.

    Thanks

    Jacky
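The two filter-related points in this thread, the default groupSearchFilter Jacky quoted in reply 8 and the attribute-gated login he describes in reply 10, can be exercised offline with a small filter evaluator. The block below is an added example and is not CA's or Jacky's code; the directory entries are constructed, the evaluator supports only the AND/OR/NOT/equality subset of RFC 4515 filter syntax, and USER_SEARCH_FILTER is my assumption of how a "roleOccupant=cn=ra" gate could be expressed (Jacky's actual configuration is not shown in the thread). Real directory servers also normalise DNs and support substring and approximate matching, which this evaluator omits.

```python
"""Added example (not CA Release Automation's code): a tiny evaluator for
RFC 4515-style LDAP search filters, used to show what the groupSearchFilter
and a restricted user search filter match against a constructed directory."""
from typing import Dict, List, Optional, Tuple, Union

# An entry maps a lower-cased attribute name to its values (LDAP attributes are multi-valued).
Entry = Dict[str, List[str]]
Node = Union[Tuple[str, List["Node"]], Tuple[str, str, str]]

# Constructed sample directory: two users and two groups.  Only alice carries the
# roleOccupant=cn=ra attribute used as the login gate; bob is a group member without it.
DIRECTORY: List[Entry] = [
    {"dn": ["uid=alice,ou=people,dc=example,dc=com"], "uid": ["alice"], "roleoccupant": ["cn=ra"]},
    {"dn": ["uid=bob,ou=people,dc=example,dc=com"], "uid": ["bob"]},
    {"dn": ["cn=GESB-CARA-Users,ou=groups,dc=example,dc=com"], "objectclass": ["groupOfUniqueNames"],
     "uniquemember": ["uid=alice,ou=people,dc=example,dc=com", "uid=bob,ou=people,dc=example,dc=com"]},
    {"dn": ["cn=ra-admins,ou=groups,dc=example,dc=com"], "objectclass": ["groupOfNames"],
     "member": ["uid=alice,ou=people,dc=example,dc=com"]},
]

# Default groupSearchFilter from the thread; the LDAP integration substitutes the
# authenticated user's DN for {0}, so a group matches if it lists that DN as a member.
GROUP_SEARCH_FILTER = "(|(uniqueMember={0})(member={0}))"
# Assumed shape of a user search filter that admits only entries tagged roleOccupant=cn=ra.
USER_SEARCH_FILTER = "(&(uid={0})(roleOccupant=cn=ra))"


def parse_filter(text: str) -> Node:
    """Parse (&..), (|..), (!..) and (attr=value) into a tree.  Values may themselves
    contain '=' and ',' (DNs do), so only the first '=' separates attribute from value."""
    def parse(i: int) -> Tuple[Node, int]:
        if i >= len(text) or text[i] != "(":
            raise ValueError(f"expected '(' at offset {i}")
        i += 1
        op = text[i]
        if op in "&|!":
            i += 1
            subs: List[Node] = []
            while i < len(text) and text[i] == "(":
                node, i = parse(i)
                subs.append(node)
            if i >= len(text) or text[i] != ")":
                raise ValueError(f"expected ')' at offset {i}")
            if op == "!" and len(subs) != 1:
                raise ValueError("'!' takes exactly one sub-filter")
            return (op, subs), i + 1
        end = text.find(")", i)
        if end < 0:
            raise ValueError("unterminated filter")
        attr, sep, value = text[i:end].partition("=")
        if not sep or not attr:
            raise ValueError(f"bad comparison: {text[i:end]!r}")
        return ("=", attr.strip().lower(), value), end + 1

    tree, consumed = parse(0)
    if consumed != len(text):
        raise ValueError("trailing data after filter")
    return tree


def matches(node: Node, entry: Entry) -> bool:
    """Evaluate a parsed filter against one entry (case-insensitive, exact match only)."""
    op = node[0]
    if op == "&":
        return all(matches(s, entry) for s in node[1])
    if op == "|":
        return any(matches(s, entry) for s in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    return any(v.lower() == value.lower() for v in entry.get(attr, []))


def search(directory: List[Entry], filter_text: str, param: Optional[str] = None) -> List[str]:
    """Return the DNs of entries matching filter_text after substituting {0} with param."""
    if param is not None:
        filter_text = filter_text.replace("{0}", param)
    tree = parse_filter(filter_text)
    return [e["dn"][0] for e in directory if matches(tree, e)]


def groups_for(user_dn: str) -> List[str]:
    """The groups RA would resolve for a user with the default groupSearchFilter."""
    return search(DIRECTORY, GROUP_SEARCH_FILTER, user_dn)


def authenticate(uid: str) -> Optional[str]:
    """Return the user's DN if the restricted user filter admits them, else None."""
    found = search(DIRECTORY, USER_SEARCH_FILTER, uid)
    return found[0] if found else None


if __name__ == "__main__":
    for uid in ("alice", "bob"):
        dn = authenticate(uid)
        print(uid, "->", "denied" if dn is None else f"{dn} groups={groups_for(dn)}")
```

Running it shows alice admitted with two groups and bob denied even though he is a member of GESB-CARA-Users, which is exactly the behaviour Jacky describes: the attribute gates authentication, the imported group only drives authorization. Swapping GROUP_SEARCH_FILTER for a filter that names an attribute the groups do not carry (for example a posixGroup-style memberUid filter against these groupOfNames entries) returns no groups at all, which is the symptom of a wrong groupSearchFilter.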



  • 11.  Re: permission for ldap users/groups

    Posted Mar 07, 2016 05:30 AM

    BTW

    There is no need to restart the nolio server service when updating the log4j.properties file; the new settings will be picked up automatically in a few minutes.

     

    Thanks

    Jacky 



  • 12.  Re: permission for ldap users/groups

    Broadcom Employee
    Posted Mar 17, 2016 05:39 PM

    Hi Sindy -- Did the feedback provided help you with your question?



  • 13.  Re: permission for ldap users/groups

    Posted Oct 13, 2016 11:58 AM

    Hi Sindy, everyone,

     

    I have exactly the same problem... did you find a solution?

     

    Thanks

    Best Regards



  • 14.  Re: permission for ldap users/groups

    Posted Oct 16, 2016 05:55 PM

    Hi,

     

    The solution suggested by Jacky partially worked for us. I was not able to implement what was suggested by Jacky fully due to our security policy.

     

    We later on changed to authenticating with Active Directory rather than ldap, which worked for us straight away. We did not experience issues similar to the ldap ones at all.

     

     

    Kind Regards,

    Sindy Sae-Lee

     
