10.3. Roles and LDAP User Groups
10.3.1. About Group Authorization
Figure 10.2. Groups Assigned to a Role
- An LDAP directory server connection has to be configured.
- There has to be an LDAP attribute given to search for group entries. For Active Directory, this is generally the group object class. For Red Hat Directory Server, this is generally groupOfUniqueNames. Other standard object classes are available, and it is also possible to use a custom, even JBoss ON-specific, object class.
- There has to be an LDAP attribute given to identify members in the group. Common member attributes are, for example, the member attribute on an Active Directory group:
ldapsearch -h server.example.com -x -D "cn=Administrator,cn=Users,dc=example,dc=com" -W -b "dc=example,dc=com" -x '(&(objectclass=group)(member=CN=John Smith,CN=Users,DC=example,DC=com))'
Red Hat Directory Server uses groupOfUniqueNames groups more commonly than group. For example:
/usr/lib64/mozldap6/ldapsearch -D "cn=directory manager" -w secret -p 389 -h server.example.com -b "ou=People,dc=example,dc=com" -s sub
10.3.2. Associating LDAP User Groups to Roles
- In the top menu, click the Administration tab.
- In the menu table on the left, select the item.
- Jump to the LDAP Configuration Properties area.
- Set up the LDAP connections, as described in Section 10.2.3, “Configuring LDAP User Authentication”. It is not required that the LDAP directory be used as the identity store in order to configure LDAP authorization, but it is recommended.
- Set the parameters for the server to use when searching for LDAP groups and their members. The search filter that JBoss ON constructs looks like this:
The user_DN is dynamically supplied by JBoss ON when a user logs into the UI.
- The Group Search Filter field sets how to search for the group entry. This is usually done by specifying the type of group to search for through its object class:
- The Group Member Filter field gives the attribute that the specified group type uses to store member distinguished names. For example:
- Save the LDAP settings.
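The following is an added example, not code from JBoss ON itself. It illustrates the two pieces described above: how the Group Search Filter, the Group Member Filter attribute and the logged-in user's DN combine into the membership search filter (with the DN escaped per RFC 4515, so a DN containing filter metacharacters cannot widen the search), and how the groups a user belongs to map onto roles. The group entries, role assignments and DNs are constructed sample data, and uniqueMember (the standard groupOfUniqueNames member attribute) is assumed as the Red Hat Directory Server counterpart of member.

```python
# Added example, not JBoss ON code. Step 1: build the group-membership search
# filter from the Group Search Filter, the Group Member Filter attribute and the
# logged-in user's DN, escaping the DN per RFC 4515 so it cannot alter the filter.
# Step 2: map the groups the user is a member of onto JBoss ON roles.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_filter_value(value: str) -> str:
    """Escape a value placed inside an LDAP search filter (RFC 4515, section 3)."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)

def build_group_filter(group_search_filter: str, member_attr: str, user_dn: str) -> str:
    """Combine the configured group filter with a membership clause for user_dn."""
    gsf = group_search_filter.strip()
    if not (gsf.startswith("(") and gsf.endswith(")")):
        gsf = f"({gsf})"  # accept a bare 'objectclass=group' as well
    return f"(&{gsf}({member_attr}={escape_filter_value(user_dn)}))"

def norm_dn(dn: str) -> str:
    """Normalise a DN for comparison: DNs are case-insensitive and the RDN
    separator may be surrounded by whitespace (AD and RHDS both accept this)."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def resolve_roles(groups, member_attr, user_dn, group_roles):
    """Return the set of roles granted to user_dn.
    groups:      list of (group_dn, attributes) as a group search would return
    member_attr: attribute holding member DNs, e.g. 'member' (AD) or
                 'uniqueMember' (RHDS; a standard attribute, assumed here)
    group_roles: {normalised group_dn: {role, ...}} as assigned in the JBoss ON UI
    """
    wanted = norm_dn(user_dn)
    roles = set()
    for group_dn, attrs in groups:
        members = {norm_dn(m) for m in attrs.get(member_attr, [])}
        if wanted in members:
            roles |= group_roles.get(norm_dn(group_dn), set())
    return roles

# Constructed Active Directory style data matching the page's first ldapsearch.
SAMPLE_GROUPS = [
    ("CN=JON Admins,CN=Users,DC=example,DC=com",
     {"objectclass": ["group"],
      "member": ["CN=John Smith,CN=Users,DC=example,DC=com"]}),
    ("CN=JON Operators,CN=Users,DC=example,DC=com",
     {"objectclass": ["group"],
      "member": ["cn=john smith, cn=users, dc=example, dc=com",
                 "CN=Jane Doe,CN=Users,DC=example,DC=com"]}),
]
SAMPLE_GROUP_ROLES = {
    norm_dn("CN=JON Admins,CN=Users,DC=example,DC=com"): {"jon-admin"},
    norm_dn("CN=JON Operators,CN=Users,DC=example,DC=com"): {"jon-operator"},
}
```

Calling build_group_filter with the page's Active Directory settings reproduces the filter shown in the ldapsearch example above; resolve_roles then grants only the roles attached to groups that actually list the user's DN.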