 

Mapping Groups and Roles from External Realms like LDAP

 

If users and groups are managed externally, e.g. in an LDAP directory, you usually want to reuse the existing groups and attach permissions to them. This is done in two steps. First, you write a rule that maps an external role of another realm to a role of the security module. Second, you define permissions for that role. Currently only ActiveDirectory is supported out of the box; other LDAP systems need some project effort (a few hours to a few days) to adapt the realm to the concrete LDAP schema. Let's assume your security configuration uses ActiveDirectory in the following way:

<source lang="xml">
<?xml version="1.0" encoding="UTF-8"?>
<beans>

  <!-- The realms consulted for authentication and authorization, in list order.
       FirstSuccessfulStrategy uses the account data of the first realm that
       authenticates the user successfully; authorization still consults every realm. -->
  <bean id="OntoBrokerSecurityManagerConfig" class="com.ontoprise.security.OntoBrokerSecurityManagerConfig">
    <property name="realms">
      <list>
        <ref local="ActiveDirectory"/>
        <ref local="PropertiesRealm"/>
        <ref local="SecurityModuleRealm"/>
      </list>
    </property>
    <property name="authenticationStrategy">
      <bean class="org.apache.shiro.authc.pam.FirstSuccessfulStrategy"/>
    </property>
  </bean>

  <!-- The realm whose roles are defined by rules in the $security module. -->
  <bean id="SecurityModuleRealm" class="com.ontoprise.security.realm.SecurityModuleAuthorizationRealm">
  </bean>

  <!-- ActiveDirectory realm: binds with the system account, looks the user up by
       userPrincipalName (login name + principalSuffix) and reads its memberOf attribute. -->
  <bean id="ActiveDirectory" class="org.apache.shiro.realm.activedirectory.ActiveDirectoryRealm">
    <property name="ldapContextFactory">
      <bean class="org.apache.shiro.realm.ldap.DefaultLdapContextFactory">
        <property name="searchBase">
          <value>dc=ads,dc=yourcompany,dc=com</value>
        </property>
        <property name="systemUsername">
          <value>admin</value>
        </property>
        <property name="systemPassword">
          <value>pass</value>
        </property>
        <property name="principalSuffix">
          <value>@ads.yourcompany.com</value>
        </property>
        <property name="url">
          <value>ldap://ads1.yourcompany.com:389/</value>
        </property>
      </bean>
    </property>
    <property name="searchBase">
      <value>DC=ads,DC=yourcompany,DC=com</value>
    </property>
    <property name="principalSuffix">
      <value>@ads.yourcompany.com</value>
    </property>
    <!-- Group DN (as returned in memberOf) -> role name(s) of this realm.
         Keys are compared as exact strings, so write them exactly as AD stores them. -->
    <property name="groupRolesMap">
      <map>
        <entry key="CN=group1,OU=Karlsruhe,DC=ads,DC=yourcompany,DC=com" value="role1"/>
        <entry key="CN=group2,OU=Karlsruhe,DC=ads,DC=yourcompany,DC=com" value="role2"/>
      </map>
    </property>
  </bean>

  <bean id="PropertiesRealm" class="com.ontoprise.security.realm.PropertiesRealm">
    <property name="resourcePath">
      <value>conf/security.properties</value>
    </property>
  </bean>

</beans>
</source>

In this example configuration the realm looks the user up by userPrincipalName (the login name with the principalSuffix appended), reads the memberOf attribute of that entry, and maps each group DN found there to a role name via the groupRolesMap (here "role1" and "role2"). Two details matter in practice: the DN keys of the groupRolesMap are matched as exact strings, so they have to be written exactly as AD returns them (a key that differs only in case silently grants nothing), and memberOf lists direct memberships only, so a user who belongs to group1 only through a nested group does not receive role1. The account given as systemUsername/systemPassword needs nothing more than read access to the search base and is stored in clear text in this file; prefer an ldaps:// URL over ldap:// on port 389 so that neither the bind password nor the group lookups cross the network unencrypted.

To use these ActiveDirectory (AD) groups in the SecurityModuleRealm you write rules that map a foreign role to one or more roles of the SecurityModuleRealm. In the following example the AD role "role1" is mapped to the SecurityModule roles #m1all and #m3read. For this purpose the builtins _hasForeignRole/1 and _currentUser/1 are used: _hasForeignRole/1 is true if the current user has a role with the given name in any of the configured realms, and _currentUser/1 returns the user of the current query/session context.

:- module = '$security'.
:- prefix = "http://ontoprise.de/security#".
:- import = '$security-core'.
... // similar as above

// if the current user U has the foreign role "role1" (a role name of any configured realm)
// then the user is assigned the internal roles #m1all and #m3read
U:#User[hasRole->{m1all,m3read}] <- _currentUser(U) and _hasForeignRole(role1).

In OntoBroker the _hasRole/1 builtin has been renamed to _hasForeignRole/1, and it applies only to external roles: roles defined in ObjectLogic itself are not considered. The same mapping in ObjectLogic syntax:

// ObjectLogic
:- module = $security.
:- importmodule '$security-core'.
... // similar as above

// if the current user ?U has the foreign role "role1" (a role name of any configured realm)
// then the user is assigned the internal roles #m1all and #m3read
?U:User[hasRole->{m1all,m3read}] :- _currentUser(?U) and _hasForeignRole(role1).
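The following Python script is an added example and not part of OntoBroker or Apache Shiro; it models the two stages described above so that a mapping can be checked offline before it is deployed. Stage 1 mirrors the lookup the Shiro ActiveDirectoryRealm performs with groupRolesMap (each memberOf DN is used as an exact, case-sensitive key and a hit contributes the comma-separated role names); stage 2 encodes the _hasForeignRole rule above as a lookup table. The configuration snippet is the groupRolesMap from this page, while the two users and their memberOf values are constructed sample data; the group "Group2" is deliberately spelled differently from the map key to show the silent case mismatch.

```python
# Added example (not OntoBroker or Shiro code): a model of the two-stage
# group-to-role mapping described on this page.
import xml.etree.ElementTree as ET

# Constructed: the groupRolesMap part of the realm configuration shown above.
CONFIG_XML = """<beans>
  <bean id="ActiveDirectory" class="org.apache.shiro.realm.activedirectory.ActiveDirectoryRealm">
    <property name="groupRolesMap">
      <map>
        <entry key="CN=group1,OU=Karlsruhe,DC=ads,DC=yourcompany,DC=com" value="role1"/>
        <entry key="CN=group2,OU=Karlsruhe,DC=ads,DC=yourcompany,DC=com" value="role2"/>
      </map>
    </property>
  </bean>
</beans>"""

# Stage 2 as data: U:#User[hasRole->{m1all,m3read}] <- _currentUser(U) and _hasForeignRole(role1).
FOREIGN_TO_INTERNAL = {"role1": {"#m1all", "#m3read"}}

# Constructed memberOf values as AD would return them.  Bob's group was created
# as "Group2" in AD, while the map key above is spelled "group2".
ALICE_MEMBER_OF = [
    "CN=group1,OU=Karlsruhe,DC=ads,DC=yourcompany,DC=com",
    "CN=Domain Users,CN=Users,DC=ads,DC=yourcompany,DC=com",
]
BOB_MEMBER_OF = ["CN=Group2,OU=Karlsruhe,DC=ads,DC=yourcompany,DC=com"]


def load_group_roles_map(config_xml):
    """Extract the groupRolesMap entries (group DN -> role string) of the AD realm bean."""
    root = ET.fromstring(config_xml)
    mapping = {}
    for bean in root.iter("bean"):
        if not bean.get("class", "").endswith("ActiveDirectoryRealm"):
            continue
        for prop in bean.findall("property"):
            if prop.get("name") == "groupRolesMap":
                for entry in prop.iter("entry"):
                    mapping[entry.get("key")] = entry.get("value")
    return mapping


def foreign_roles(member_of, group_roles_map):
    """Stage 1 with ActiveDirectoryRealm semantics: every memberOf DN is looked up as an
    exact, case-sensitive key; a hit contributes each comma-separated role name.
    memberOf holds direct memberships only, so nested groups are not expanded here."""
    roles = set()
    for group_dn in member_of:
        value = group_roles_map.get(group_dn)
        if value is not None:
            roles.update(r.strip() for r in value.split(",") if r.strip())
    return roles


def internal_roles(foreign):
    """Stage 2: apply the _hasForeignRole rules, here kept as a lookup table."""
    result = set()
    for role in foreign:
        result |= FOREIGN_TO_INTERNAL.get(role, set())
    return result


def near_misses(member_of, group_roles_map):
    """Group DNs that grant nothing only because they differ from a map key in case.
    These are the silent failures to look for when a user lacks an expected role."""
    keys_by_lower = {k.lower() for k in group_roles_map}
    return [dn for dn in member_of
            if dn not in group_roles_map and dn.lower() in keys_by_lower]


def resolve(member_of, config_xml=CONFIG_XML):
    """Run both stages for one user: (foreign roles, internal roles, case-mismatched groups)."""
    group_roles_map = load_group_roles_map(config_xml)
    foreign = foreign_roles(member_of, group_roles_map)
    return foreign, internal_roles(foreign), near_misses(member_of, group_roles_map)


if __name__ == "__main__":
    for name, groups in (("alice", ALICE_MEMBER_OF), ("bob", BOB_MEMBER_OF)):
        foreign, internal, misses = resolve(groups)
        print(name, "foreign:", sorted(foreign), "internal:", sorted(internal),
              "case-mismatched groups:", misses)
```

Running the script shows alice receiving role1 and therefore #m1all and #m3read, while bob receives nothing and his group is reported as a case mismatch; that report is what to check first when a directory user unexpectedly ends up without roles, since the realm itself logs nothing for an unmatched DN.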