Question

I have a question similar to this one:

Worklight WAS Liberty profile configuration based on Tomcat configuration

@Kristof: Did you figure out how to do it?

I'm using OpenLDAP, so my ldapType is Custom. My configuration is:

<ldapRegistry 
    baseDN="ou=people,dc=my-domain,dc=com" 
    ldapType="Custom"
    port="389" 
    host="MyServerHost" 
    id="myLdap"
    bindDN="" 
    bindPassword=""
    searchTimeout="300000m" 
    recursiveSearch="true">
    <customFilters
        id="customFilters"
        userFilter="(uid={0})"
        userIdMap="*:uid"
        groupFilter="(member={0})"
        groupIdMap="*:cn"/>         
</ldapRegistry>

What am I doing wrong? I tried using something like

<customFilters
    id="customFilters"
    userFilter="(&amp;(uid=%v)(objectClass=inetOrgPerson))"
    groupFilter="(&amp;(cn=%v)(|(objectclass=organizationalUnit)))"
    groupMemberIdMap="posixGroup:memberUid"/>

But that doesn't fix it either. The question is, what does all of that represent anyway? I have no clue what objectClass is... or where the value inetOrgPerson needs to come from. Moreover, there's no way to represent roleBase in the Liberty configuration. I set baseDN to the userBase value.

Why do we need the properties like userIdMap and groupIdMap?

After reading a lot more, I updated the configuration to:

<ldapRegistry 
    baseDN="dc=my-domain,dc=com" 
    ldapType="Custom"
    port="389" 
    host="myLdapServerHost" 
    id="myLdap"
    bindDN="cn=admin,dc=my-domain,dc=com" 
    bindPassword="admin"
    recursiveSearch="true">
    <customFilters
        id="customFilters"
        userFilter="&amp;(ou=people)(uid=%v)(objectClass=inetOrgPerson)"
        groupFilter="&amp;(ou=groupsJ2EE)(cn=%v)(objectClass=groupOfNames)"/>
</ldapRegistry>

Still no luck... any idea what could be wrong?


Solution

The filters need to be as below.

<customFilters
    id="customFilters"
    userFilter="&amp;(uid=%v)(objectClass=inetOrgPerson)"
    groupFilter="&amp;(cn=%v)(objectClass=groupOfNames)"
    userIdMap="*:uid"
    groupMemberIdMap="groupOfNames:member"/>

That assumes OpenLDAP is configured to use inetorgperson.schema (an extension schema shipped with standard OpenLDAP), by adding the line below to slapd.conf:

include /usr/local/etc/openldap/schema/inetorgperson.schema

By default OpenLDAP does not enable inetorgperson.schema, and in that case the userFilter will need to be something like

&amp;(cn=%v)(objectClass=person) 

and userIdMap will be

"*:cn"

Below is a sample LDIF file from OpenLDAP and an ldapRegistry configuration snippet.

LDIF

dn: o=ibm,c=in
objectClass: organization
o: ibm

dn: ou=people,o=ibm,c=in
objectClass: organizationalUnit
description: All people in organisation
ou: people

dn: cn=Robert Smith,ou=people,o=ibm,c=in
objectClass: inetOrgPerson
cn: Robert Smith
cn: Robert J Smith
cn: bob  smith
sn: smith
uid: rjsmith
userPassword:: e1NIQX1XNnBoNU1tNVB6OEdnaVVMYlBnekczN21qOWc9

dn: uid=testUser,ou=people,o=ibm,c=in
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
cn: testUserCN
sn: testUserSN
uid: testUser

dn: ou=groups,o=ibm,c=in
objectClass: organizationalUnit
objectClass: top
ou: groups

dn: cn=testGroup1,ou=groups,o=ibm,c=in
objectClass: groupOfNames
objectClass: top
cn: testGroup1
member: uid=TESTUSER,ou=PEOPLE,o=IBM,c=IN

Config

<ldapRegistry 
    baseDN="o=ibm,c=in" 
    ldapType="Custom"
    port="389" 
    host="9.113.58.110" 
    id="myLdap"
    bindDN="cn=root,o=ibm,c=in" 
    bindPassword="root"
    recursiveSearch="true">
    <customFilters
        id="customFilters"
        userFilter="&amp;(uid=%v)(objectClass=inetOrgPerson)"
        groupFilter="&amp;(cn=%v)(objectClass=groupOfNames)"
        userIdMap="*:uid"
        groupMemberIdMap="groupOfNames:member"/>
</ldapRegistry>
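As an added illustration (not code from the question or the answer, and not Liberty's or OpenLDAP's implementation), the Python below models what the working configuration above makes Liberty do: substitute the login name into userFilter, search the subtree under baseDN, accept exactly one matching entry as the user's DN, then return the groupOfNames entries whose member attribute (the one named by groupMemberIdMap) lists that DN, with userIdMap deciding which attribute is reported as the user's name. It runs over the user and group entries from the sample LDIF, embedded as constructed data, and also exercises the no-inetorgperson variant (cn filter with userIdMap *:cn). The %v escaping and case-insensitive DN comparison come from standard LDAP (RFC 4515 and RFC 4517), not from anything the page states; the function names are the example's own.

```python
"""Offline model of how a Liberty ldapRegistry with customFilters maps a login
name to a DN and then to groups, run over the answer's sample entries.  Added
illustration, not Liberty or OpenLDAP code: only the RFC 4515 filter subset the
page uses is handled, and objectClass matches only values an entry lists."""
import re

LDIF = """\
dn: cn=Robert Smith,ou=people,o=ibm,c=in
objectClass: inetOrgPerson
cn: Robert Smith
uid: rjsmith

dn: uid=testUser,ou=people,o=ibm,c=in
objectClass: inetOrgPerson
objectClass: person
cn: testUserCN
uid: testUser

dn: cn=testGroup1,ou=groups,o=ibm,c=in
objectClass: groupOfNames
cn: testGroup1
member: uid=TESTUSER,ou=PEOPLE,o=IBM,c=IN
"""  # constructed in-memory directory: the user and group entries from the answer's LDIF

CONFIG = dict(baseDN="o=ibm,c=in", userIdMap="*:uid",  # the answer's working settings
              userFilter="&(uid=%v)(objectClass=inetOrgPerson)",
              groupFilter="&(cn=%v)(objectClass=groupOfNames)", groupMemberIdMap="groupOfNames:member")

def parse_ldif(text):
    """Return {dn: {attr_lowercase: [values]}} for every entry."""
    entries = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            attrs.setdefault(key.strip().lower(), []).append(value.strip())
        entries[attrs.pop("dn")[0]] = attrs
    return entries

def norm_dn(dn):
    """DNs compare case-insensitively, so testGroup1's upper-case member still names testUser."""
    return ",".join(rdn.strip().lower() for rdn in dn.split(","))

def escape_filter_value(value):
    """RFC 4515 escaping for what replaces %v, so a login cannot inject filter terms."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)

def parse_filter(s):
    """Parse (&..), (|..), (!..) and attr=value items into (node, rest); outer parens may be missing."""
    if not s.startswith("("):
        s = "(" + s + ")"
    op, kids = s[1], []
    if op not in "&|!":                                # simple item
        end = s.index(")")
        attr, _, value = s[1:end].partition("=")
        return ("=", attr.strip().lower(), value.strip()), s[end + 1:]
    rest = s[2:]
    while rest.startswith("("):
        kid, rest = parse_filter(rest)
        kids.append(kid)
    if not rest.startswith(")"):
        raise ValueError("unbalanced filter near %r" % rest)
    return (op, kids), rest[1:]

def matches(node, attrs):
    """Evaluate a parsed filter against one entry (values compared caseIgnore)."""
    op = node[0]
    if op == "&": return all(matches(k, attrs) for k in node[1])
    if op == "|": return any(matches(k, attrs) for k in node[1])
    if op == "!": return not matches(node[1][0], attrs)
    _, attr, value = node
    if value == "*": return attr in attrs               # presence filter, e.g. (cn=*)
    want = re.sub(r"\\([0-9a-f]{2})", lambda m: chr(int(m.group(1), 16)), value).lower()
    return any(v.lower() == want for v in attrs.get(attr, []))

def search(entries, cfg, filter_text):
    """recursiveSearch="true": every entry below baseDN is a candidate."""
    node, rest = parse_filter(filter_text)
    assert not rest, "trailing data in filter: %r" % rest
    base = "," + norm_dn(cfg["baseDN"])
    return [dn for dn, a in entries.items() if norm_dn(dn).endswith(base) and matches(node, a)]

def user_dn(entries, cfg, login):
    """userFilter with %v replaced by the escaped login: exactly one hit, else None."""
    hits = search(entries, cfg, cfg["userFilter"].replace("%v", escape_filter_value(login)))
    return hits[0] if len(hits) == 1 else None

def user_id(entries, cfg, login):
    """The principal name Liberty reports, read from the userIdMap attribute."""
    dn = user_dn(entries, cfg, login)
    return None if dn is None else entries[dn][cfg["userIdMap"].split(":")[1].lower()][0]

def groups_of(entries, cfg, login):
    """Groups whose groupMemberIdMap attribute (objectClass:attr) lists the user's DN."""
    dn = user_dn(entries, cfg, login)
    if dn is None:
        return []
    oc, attr = (p.lower() for p in cfg["groupMemberIdMap"].split(":"))
    return [g for g in search(entries, cfg, cfg["groupFilter"].replace("%v", "*"))
            if oc in [c.lower() for c in entries[g].get("objectclass", [])]
            and any(norm_dn(m) == norm_dn(dn) for m in entries[g].get(attr, []))]
```

Two things the model makes visible that the configuration alone does not: the group lookup only works because DN comparison ignores case (the sample LDIF's member value is upper-cased), and a login that contains filter metacharacters is escaped before substitution, so "*" or "testUser)" cannot turn into a different query. Against a live server the same two lookups are, using the sample's bind credentials, `ldapsearch -x -H ldap://host -D "cn=root,o=ibm,c=in" -w root -b "o=ibm,c=in" "(&(uid=testUser)(objectClass=inetOrgPerson))"` and the same command with the filter `"(&(objectClass=groupOfNames)(member=uid=testUser,ou=people,o=ibm,c=in))"`; if either returns nothing, the filters or schema are wrong before Liberty is involved.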
Licensed under: CC-BY-SA with attribution