Configuring WAS Liberty LDAP authentication settings based on Tomcat configuration
21-12-2019
Question
I have a similar question to this one:
Worklight WAS Liberty profile configuration based on Tomcat configuration
@Kristof: Did you figure out how to do it?
I'm using openldap. So my ldapType is Custom. So my configuration is:
<ldapRegistry
    baseDN="ou=people,dc=my-domain,dc=com"
    ldapType="Custom"
    port="389"
    host="MyServerHost"
    id="myLdap"
    bindDN=""
    bindPassword=""
    searchTimeout="300000m"
    recursiveSearch="true">
    <customFilters
        id="customFilters"
        userFilter="(uid={0})"
        userIdMap="*:uid"
        groupFilter="(member={0})"
        groupIdMap="*:cn"/>
</ldapRegistry>
What am I doing wrong? I tried using something like
<customFilters
    id="customFilters"
    userFilter="(&amp;(uid=%v)(objectClass=inetOrgPerson))"
    groupFilter="(&amp;(cn=%v)(|(objectclass=organizationalUnit)))"
    groupMemberIdMap="posixGroup:memberUid"/>
But that doesn't fix it either. The question is what does that all represent anyway? I have no clue what objectClass is... or where the value inetOrgPerson needs to come from. Moreover, there's no way to represent roleBase in the liberty configuration. I set baseDN to the userBase value.
Why do we need the properties like userIdMap and groupIdMap?
After reading a lot more, I updated the configuration to:
<ldapRegistry
    baseDN="dc=my-domain,dc=com"
    ldapType="Custom"
    port="389"
    host="myLdapServerHost"
    id="myLdap"
    bindDN="cn=admin,dc=my-domain,dc=com"
    bindPassword="admin"
    recursiveSearch="true">
    <customFilters
        id="customFilters"
        userFilter="&amp;(ou=people)(uid=%v)(objectClass=inetOrgPerson)"
        groupFilter="&amp;(ou=groupsJ2EE)(cn=%v)(objectClass=groupOfNames)"/>
</ldapRegistry>
Still no luck... any ideas of what could be wrong?
Solution
The filters need to be as below.
<!-- Inside server.xml the filter's leading & must be written as &amp; -->
<customFilters
    id="customFilters"
    userFilter="&amp;(uid=%v)(objectClass=inetOrgPerson)"
    groupFilter="&amp;(cn=%v)(objectClass=groupOfNames)"
    userIdMap="*:uid"
    groupMemberIdMap="groupOfNames:member"/>
That is assuming that OpenLDAP is configured to use inetorgperson.schema (an extension schema provided as part of standard OpenLDAP) by adding the line below in slapd.conf
include /usr/local/etc/openldap/schema/inetorgperson.schema
By default OpenLDAP does not enable inetorgperson.schema, and in that case the userFilter will need to be something like
&(cn=%v)(objectClass=person)
and userIdMap will be
"*:cn"
Below is a sample LDIF file from OpenLDAP and an LDAP configuration snippet
LDIF
dn: o=ibm,c=in
objectClass: organization
o: ibm

dn: ou=people,o=ibm,c=in
objectClass: organizationalUnit
description: All people in organisation
ou: people

dn: cn=Robert Smith,ou=people,o=ibm,c=in
objectClass: inetOrgPerson
cn: Robert Smith
cn: Robert J Smith
cn: bob smith
sn: smith
uid: rjsmith
userPassword:: e1NIQX1XNnBoNU1tNVB6OEdnaVVMYlBnekczN21qOWc9

dn: uid=testUser,ou=people,o=ibm,c=in
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
cn: testUserCN
sn: testUserSN
uid: testUser

dn: ou=groups,o=ibm,c=in
objectClass: organizationalUnit
objectClass: top
ou: groups

dn: cn=testGroup1,ou=groups,o=ibm,c=in
objectClass: groupOfNames
objectClass: top
cn: testGroup1
member: uid=TESTUSER,ou=PEOPLE,o=IBM,c=IN
Config
<ldapRegistry
    baseDN="o=ibm,c=in"
    ldapType="Custom"
    port="389"
    host="9.113.58.110"
    id="myLdap"
    bindDN="cn=root,o=ibm,c=in"
    bindPassword="root"
    recursiveSearch="true">
    <!-- %v is replaced with the login name (userFilter) or the group name (groupFilter) at search time;
         userIdMap names the attribute that becomes the user id, groupMemberIdMap the objectClass:attribute
         that lists member DNs. The leading & of a filter must be written as &amp; in XML. -->
    <customFilters
        id="customFilters"
        userFilter="&amp;(uid=%v)(objectClass=inetOrgPerson)"
        groupFilter="&amp;(cn=%v)(objectClass=groupOfNames)"
        userIdMap="*:uid"
        groupMemberIdMap="groupOfNames:member"/>
</ldapRegistry>
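To see how the filters and maps above behave against the sample LDIF without a live server, here is an added Python simulation; it is not the answer's own code and is a simplification of Liberty's LDAP adapter (it evaluates equality terms joined with & and | only and does not expand objectClass superclasses, so a real server would also match objectClass=person for an inetOrgPerson entry).

```python
# Added example, not from the original answer: offline simulation of how Liberty applies the
# Solution's customFilters to the sample LDIF (equality terms with & and | only, no schema expansion).

DIRECTORY = {  # constructed from the LDIF above; multi-valued attributes are lists
    "cn=Robert Smith,ou=people,o=ibm,c=in": {"objectClass": ["inetOrgPerson"],
        "cn": ["Robert Smith", "Robert J Smith", "bob smith"], "sn": ["smith"], "uid": ["rjsmith"]},
    "uid=testUser,ou=people,o=ibm,c=in": {"objectClass": ["inetOrgPerson", "organizationalPerson",
        "person", "top"], "cn": ["testUserCN"], "sn": ["testUserSN"], "uid": ["testUser"]},
    "cn=testGroup1,ou=groups,o=ibm,c=in": {"objectClass": ["groupOfNames", "top"],
        "cn": ["testGroup1"], "member": ["uid=TESTUSER,ou=PEOPLE,o=IBM,c=IN"]},  # case differs
}

def norm_dn(dn):
    # Attribute types, and the caseIgnore values used here, compare case-insensitively.
    return ",".join(part.strip().lower() for part in dn.split(","))

def matches(entry, flt):
    """Evaluate a filter written with or without its outer parentheses, as the Solution does."""
    flt = flt.strip()
    if flt.startswith("(") and flt.endswith(")"):
        flt = flt[1:-1]
    if flt[0] in "&|":
        op, rest, parts, depth, start = flt[0], flt[1:], [], 0, 0
        for i, ch in enumerate(rest):  # split the top-level (...) operands
            if ch == "(":
                depth += 1
            elif ch == ")":
                depth -= 1
                if depth == 0:
                    parts.append(rest[start:i + 1])
                    start = i + 1
        results = [matches(entry, p) for p in parts]
        return all(results) if op == "&" else any(results)
    attr, _, value = flt.partition("=")  # a term tests attribute values, never DN components
    values = [v.lower() for k, vs in entry.items() if k.lower() == attr.lower() for v in vs]
    return value.lower() in values

def find_user(user_filter, login_name, base_dn="o=ibm,c=in"):
    """Liberty replaces %v with the login name and searches beneath baseDN."""
    flt = user_filter.replace("%v", login_name)
    return [dn for dn, e in DIRECTORY.items()
            if norm_dn(dn).endswith(norm_dn(base_dn)) and matches(e, flt)]

def groups_of(user_dn, group_member_id_map="groupOfNames:member"):
    """groupMemberIdMap names the group objectClass and the attribute holding member DNs."""
    oc, attr = group_member_id_map.split(":")
    return [dn for dn, e in DIRECTORY.items()
            if oc.lower() in [v.lower() for v in e.get("objectClass", [])]
            and norm_dn(user_dn) in [norm_dn(m) for m in e.get(attr, [])]]
```

With the question's filter the (ou=people) term matches nothing, because user entries carry no ou attribute; the Solution's group lookup still succeeds despite the differing case of the member DN.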