Management Interface using ldap configured with Elytron using Identity or Rbac Roles

Diagnostic Steps

1. Presentation

Full examples has been developed to show case how to use Elytron Authentication and Authentication.
It is possible to use Elytron using Rbac Roles or Identity Roles.

• Example 1 is about Elytron in Standalone mode with Identity Roles.
• Example 2 is about Elytron in Domain mode with Identity Roles.
• Example 3 is about Elytron in Standalone mode with Rbac Roles.
• Example 4 is about Elytron in Domain mode with Rbac Roles.

The component used are:

• Jboss 7.4
• RH-DS (Redhat directory server), populated with ldif file /usr/share/dirsrv/data/Example.ldif (provided as attachment).
• Cli scripts for standalone mode and domain mode.

Part I Elytron using Identity Roles - Standalone mode

The jboss cli script is as follows:

batch

#create the Elytron ldap directory context
/subsystem=elytron/dir-context=exampleDC:add(url=ldap://<hostname>:2389, principal="cn=Directory Manager", credential-reference={clear-text=secret})

#create ldap realm, adding to it identity mapping 
/subsystem=elytron/ldap-realm=exampleLR:add(dir-context=exampleDC,\
identity-mapping={search-base-dn="ou=people,dc=example,dc=com",\
rdn-identifier="uid",\
user-password-mapper={from="userPassword"},\
use-recursive-search=true, \
attribute-mapping=[{\
filter-base-dn="ou=groups,dc=example,dc=com",\
filter="uniquemember={1}",\
from="cn",to="Roles"}]})


#role-decoder will expand ldap roles into Jboss role attributes
/subsystem=elytron/simple-role-decoder=from-roles-attribute:add(attribute=Roles)

#define a specific security domain
/subsystem=elytron/security-domain=exampleLdapSD:add(realms=[{realm=exampleLR,role-decoder=from-roles-attribute}],default-realm=exampleLR,permission-mapper=default-permission-mapper)

#definehttp-authentication factory
/subsystem=elytron/http-authentication-factory=example-ldap-http-auth:add(http-server-mechanism-factory=global,security-domain=exampleLdapSD,mechanism-configurations=[{mechanism-name=BASIC,mechanism-realm-configurations=[{realm-name=exampleApplicationDomain}]}])

#define sasl authentication factory
/subsystem=elytron/sasl-authentication-factory=example-sasl-auth:add(sasl-server-factory=configured,security-domain=exampleLdapSD,mechanism-configurations=[{mechanism-name=DIGEST-MD5,mechanism-realm-configurations=[{realm-name=exampleManagementRealm}]}])

#add new http authentification factory to management interface
/core-service=management/management-interface=http-interface:write-attribute(name=http-authentication-factory, value=example-ldap-http-auth)


#add new sasl authentification factory to management interface
/core-service=management/management-interface=http-interface:write-attribute(name=http-upgrade.sasl-authentication-factory, value=example-sasl-auth)


#add elytron simple-permission mapper to allow idnetity role suc has "HR Managers","Directory Administrators"
/subsystem=elytron/simple-permission-mapper=RbacPermissionMapper:add(permission-mappings=[{roles=["HR Managers","Directory Administrators"], permission-sets=[{permission-set=login-permission}]}])

#update security domain permission mapper
/subsystem=elytron/security-domain=exampleLdapSD:write-attribute(name=permission-mapper,value=RbacPermissionMapper)


#undefine legacy security-realm for management interface
/core-service=management/management-interface=http-interface:undefine-attribute(name=security-realm)


#add identity role-usage to perform Rbac identity mapping with Elytron
/core-service=management/access=authorization:write-attribute(name=use-identity-roles,value=true)

reload

run-batch

Part II Elytron using Identity Roles - Domain mode

batch


#Domain mode "Management" setup:


#create the Elytron ldap directory context
/host=master/subsystem=elytron/dir-context=ldap-dir-context:add(url="ldap://<hostname>:2389",principal="cn=Directory Manager",credential-reference={clear-text="secret"}, referral-mode=follow)


#2 Create an LDAP realm and security domain. Be sure to replace the search-base-dn and filter-base-dn to match the LDAP server

#/host=master/subsystem=elytron/ldap-realm=ldap-realm:add(dir-context=ldap-dir-context,direct-verification="true", identity-mapping={rdn-identifier="uid", search-base-dn="ou=People,dc=example,dc=com", use-recursive-search=false})

#create ldap realm, adding to it identity mapping 
/host=master/subsystem=elytron/ldap-realm=ldap-realm:add(dir-context=ldap-dir-context,\
identity-mapping={search-base-dn="ou=people,dc=example,dc=com",\
rdn-identifier="uid",\
user-password-mapper={from="userPassword"},\
use-recursive-search=true, \
attribute-mapping=[{\
filter-base-dn="ou=groups,dc=example,dc=com",\
filter="uniquemember={1}",\
from="cn",to="Roles"}]})

/host=master/subsystem=elytron/simple-role-decoder=from-roles-attribute:add(attribute=Roles)

/host=master/subsystem=elytron/security-domain=ldap-security-domain:add(realms=[{realm=ldap-realm,role-decoder=from-roles-attribute}],default-realm=ldap-realm,permission-mapper=default-permission-mapper)

#4 Create an http-authentication-factory and enable BASIC & FORM mechanism.
/host=master/subsystem=elytron/http-authentication-factory=ldap-http-auth:add(http-server-mechanism-factory=global,security-domain=ldap-security-domain,mechanism-configurations=[{mechanism-name=BASIC,mechanism-realm-configurations=[{realm-name=ldap-realm}]}])
#5 Create a sasl-authentication-factory for CLI and remoting-connectorand set the authentication mechanism to PLAIN
/host=master/subsystem=elytron/configurable-sasl-server-factory=ldap-sasl-server-factory:add(sasl-server-factory=elytron)
/host=master/subsystem=elytron/sasl-authentication-factory=ldap-sasl-authentication:add(sasl-server-factory=ldap-sasl-server-factory,security-domain=ldap-security-domain,mechanism-configurations=[{mechanism-name=PLAIN,mechanism-realm-configurations=[{realm-name=ldap-realm}]}])


#6   Optional:   Change the management interface to use the configured LDAP method and enable http-upgrade:
/host=master/core-service=management/management-interface=http-interface:write-attribute(name=http-authentication-factory,value=ldap-http-auth)
/host=master/core-service=management/management-interface=http-interface:write-attribute(name=http-upgrade,value={sasl-authentication-factory=ldap-sasl-authentication})
/host=master/core-service=management/management-interface=http-interface:write-attribute(name=http-upgrade-enabled, value=true)

#7
#add elytron simple-permission mapper to allow idnetity role suc has "HR Managers","Directory Administrators"
/host=master/subsystem=elytron/simple-permission-mapper=RbacPermissionMapper:add(permission-mappings=[{roles=["HR Managers","Directory Administrators"], permission-sets=[{permission-set=login-permission}]}])

#update security domain permission mapper
/host=master/subsystem=elytron/security-domain=ldap-security-domain:write-attribute(name=permission-mapper,value=RbacPermissionMapper)

#add identity role-usage to perform Rbac identity mapping with Elytron
/core-service=management/access=authorization:write-attribute(name=use-identity-roles,value=true)

run-batch

Part III - Elytron using rbac controls - Standalone mode

#create the Elytron ldap directory context
/subsystem=elytron/dir-context=ldap-dir-context:add(url="ldap://<hostname>:2389",principal="cn=Directory Manager",credential-reference={clear-text="secret12"}, referral-mode=follow)



#2 Create an LDAP realm and security domain. Be sure to replace the search-base-dn and filter-base-dn to match the LDAP server. Also, this example is specific to Active Directory. Other vendors may require changes like modifying rdn-identifier, modifying attribute mappings from attribute, adding a filter-name or other changes. use-recursive-search may need to be true depending on the LDAP configuration. Also note role-recursion="5", which means that if an LDAP group, contains other groups it will recurse up to 5 times to resolve composite groups.
/subsystem=elytron/ldap-realm=ldap-realm:add(dir-context=ldap-dir-context,\
identity-mapping={search-base-dn="ou=people,dc=example,dc=com",\
rdn-identifier="uid",\
user-password-mapper={from="userPassword"},\
use-recursive-search=true, \
attribute-mapping=[{\
filter-base-dn="ou=groups,dc=example,dc=com",\
filter="uniquemember={1}",\
from="cn",to="Roles"}]})



/subsystem=elytron/simple-role-decoder=from-roles-attribute:add(attribute=Roles)

/subsystem=elytron/security-domain=ldap-security-domain:add(realms=[{realm=ldap-realm,role-decoder=from-roles-attribute}],default-realm=ldap-realm,permission-mapper=default-permission-mapper)





#4 Create an http-authentication-factory and enable BASIC & FORM mechanism.
/subsystem=elytron/http-authentication-factory=ldap-http-auth:add(http-server-mechanism-factory=global,security-domain=ldap-security-domain,mechanism-configurations=[{mechanism-name=BASIC,mechanism-realm-configurations=[{realm-name=ldap-realm}]}])


#5 Create a sasl-authentication-factory for CLI and remoting-connectorand set the authentication mechanism to PLAIN
/subsystem=elytron/configurable-sasl-server-factory=ldap-sasl-server-factory:add(sasl-server-factory=elytron)
/subsystem=elytron/sasl-authentication-factory=ldap-sasl-authentication:add(sasl-server-factory=ldap-sasl-server-factory,security-domain=ldap-security-domain,mechanism-configurations=[{mechanism-name=PLAIN,mechanism-realm-configurations=[{realm-name=ldap-realm}]}])


#6Optional: Change the management interface to use the configured LDAP method and enable http-upgrade:
/core-service=management/management-interface=http-interface:write-attribute(name=http-authentication-factory,value=ldap-http-auth)
/core-service=management/management-interface=http-interface:write-attribute(name=http-upgrade,value={sasl-authentication-factory=ldap-sasl-authentication})
/core-service=management/management-interface=http-interface:write-attribute(name=http-upgrade-enabled, value=true)


#7 Configure RBAC authorization 
/core-service=management/access=authorization:write-attribute(name=provider,value=rbac)

#8 Configure RBAC RoleMapping with scope Roles
/core-service=management/access=authorization/role-mapping=SuperUser/include=hrmanagers:add(type=GROUP, name="HR Managers")
/core-service=management/access=authorization/role-mapping=SuperUser/include=directoryadministrators:add(type=GROUP, name="Directory Administrators")


#9 reload

reload 

Part IV - Elytron using rbac controls - Domain mode

#Domain mode "Management" setup:


#create the Elytron ldap directory context
/host=master/subsystem=elytron/dir-context=ldap-dir-context:add(url="ldap://<hostname>:2389",principal="cn=Directory Manager",credential-reference={clear-text="secret12"}, referral-mode=follow)



#2 Create an LDAP realm and security domain. Be sure to replace the search-base-dn and filter-base-dn to match the LDAP server. Also, this example is specific to Active Directory. Other vendors may require changes like modifying rdn-identifier, modifying attribute mappings from attribute, adding a filter-name or other changes. use-recursive-search may need to be true depending on the LDAP configuration. Also note role-recursion="5", which means that if an LDAP group, contains other groups it will recurse up to 5 times to resolve composite groups.
/host=master/subsystem=elytron/ldap-realm=ldap-realm:add(dir-context=ldap-dir-context,\
identity-mapping={search-base-dn="ou=people,dc=example,dc=com",\
rdn-identifier="uid",\
user-password-mapper={from="userPassword"},\
use-recursive-search=true, \
attribute-mapping=[{\
filter-base-dn="ou=groups,dc=example,dc=com",\
filter="uniquemember={1}",\
from="cn",to="Roles"}]})

/host=master/subsystem=elytron/case-principal-transformer=to-lower-case:add(upper-case=false)

/host=master/subsystem=elytron/simple-role-decoder=from-roles-attribute:add(attribute=Roles)

/host=master/subsystem=elytron/security-domain=ldap-security-domain:add(realms=[{realm=ldap-realm,role-decoder=from-roles-attribute}],default-realm=ldap-realm,permission-mapper=default-permission-mapper, pre-realm-principal-transformer=to-lower-case)



#4 Create an http-authentication-factory and enable BASIC & FORM mechanism.
/host=master/subsystem=elytron/http-authentication-factory=ldap-http-auth:add(http-server-mechanism-factory=global,security-domain=ldap-security-domain,mechanism-configurations=[{mechanism-name=BASIC,mechanism-realm-configurations=[{realm-name=ldap-realm}]}])


#5 Create a sasl-authentication-factory for CLI and remoting-connectorand set the authentication mechanism to PLAIN
/host=master/subsystem=elytron/configurable-sasl-server-factory=ldap-sasl-server-factory:add(sasl-server-factory=elytron)
/host=master/subsystem=elytron/sasl-authentication-factory=ldap-sasl-authentication:add(sasl-server-factory=ldap-sasl-server-factory,security-domain=ldap-security-domain,mechanism-configurations=[{mechanism-name=PLAIN,mechanism-realm-configurations=[{realm-name=ldap-realm}]}])


#6Optional: Change the management interface to use the configured LDAP method and enable http-upgrade:
/host=master/core-service=management/management-interface=http-interface:write-attribute(name=http-authentication-factory,value=ldap-http-auth)
/host=master/core-service=management/management-interface=http-interface:write-attribute(name=http-upgrade,value={sasl-authentication-factory=ldap-sasl-authentication})
/host=master/core-service=management/management-interface=http-interface:write-attribute(name=http-upgrade-enabled, value=true)






#7 Configure RBAC authorization 
/core-service=management/access=authorization:write-attribute(name=provider,value=rbac)

#8 Configure RBAC RoleMapping with scope Roles
/core-service=management/access=authorization/role-mapping=SuperUser/include=hrmanagers:add(type=GROUP, name="HR Managers")
/core-service=management/access=authorization/role-mapping=SuperUser/include=directoryadministrators:add(type=GROUP, name="Directory Administrators")


#9 reload

reload --host=master

4. Other interesting pointers

See also other knowledge base articles:

Enabling security Debug/Trace logging in JBoss EAP 6 or 7
Setup LDAP based authentication in JBoss EAP 7.1 or later using Elytron