Management Interface using ldap configured with Elytron using Identity or Rbac Roles
Environment
- Red Hat JBoss Enterprise Application Platform (EAP)
- 7
- Elytron
- Jboss Management Interface using ldap
- Elytron Authorization
- Identity Roles
- RBAC Roles
Issue
How is it possible to use Elytron to configure Jboss Management Interface to use Ldap for authentication and authorization ?
Resolution
See section "Diagnostic steps", where a full example showcasing how to use Jboss management interface with Elytron ldap provider is provided.
Root Cause
Jboss Management interface configuration with Ldap provider for authentication and authorization is not described within JBoss documentation.
This issue is tracked in JIRA:
JBEAP-22989 - Boss Documentation does not describe how to use Elytron to configure Management Interface for ldap Authorization
Diagnostic Steps
1. Presentation
Full examples has been developed to show case how to use Elytron Authentication and Authentication.
It is possible to use Elytron using Rbac Roles
or Identity Roles
.
- Example 1 is about Elytron in Standalone mode with
Identity Roles
. - Example 2 is about Elytron in Domain mode with
Identity Roles
. - Example 3 is about Elytron in Standalone mode with
Rbac Roles
. - Example 4 is about Elytron in Domain mode with
Rbac Roles
.
The component used are:
- Jboss 7.4
- RH-DS (Redhat directory server), populated with ldif file /usr/share/dirsrv/data/Example.ldif (provided as attachment).
- Cli scripts for standalone mode and domain mode.
Part I Elytron using Identity Roles - Standalone mode
The jboss cli script is as follows:
batch
#create the Elytron ldap directory context
/subsystem=elytron/dir-context=exampleDC:add(url=ldap://<hostname>:2389, principal="cn=Directory Manager", credential-reference={clear-text=secret})
#create ldap realm, adding to it identity mapping
/subsystem=elytron/ldap-realm=exampleLR:add(dir-context=exampleDC,\
identity-mapping={search-base-dn="ou=people,dc=example,dc=com",\
rdn-identifier="uid",\
user-password-mapper={from="userPassword"},\
use-recursive-search=true, \
attribute-mapping=[{\
filter-base-dn="ou=groups,dc=example,dc=com",\
filter="uniquemember={1}",\
from="cn",to="Roles"}]})
#role-decoder will expand ldap roles into Jboss role attributes
/subsystem=elytron/simple-role-decoder=from-roles-attribute:add(attribute=Roles)
#define a specific security domain
/subsystem=elytron/security-domain=exampleLdapSD:add(realms=[{realm=exampleLR,role-decoder=from-roles-attribute}],default-realm=exampleLR,permission-mapper=default-permission-mapper)
#definehttp-authentication factory
/subsystem=elytron/http-authentication-factory=example-ldap-http-auth:add(http-server-mechanism-factory=global,security-domain=exampleLdapSD,mechanism-configurations=[{mechanism-name=BASIC,mechanism-realm-configurations=[{realm-name=exampleApplicationDomain}]}])
#define sasl authentication factory
/subsystem=elytron/sasl-authentication-factory=example-sasl-auth:add(sasl-server-factory=configured,security-domain=exampleLdapSD,mechanism-configurations=[{mechanism-name=DIGEST-MD5,mechanism-realm-configurations=[{realm-name=exampleManagementRealm}]}])
#add new http authentification factory to management interface
/core-service=management/management-interface=http-interface:write-attribute(name=http-authentication-factory, value=example-ldap-http-auth)
#add new sasl authentification factory to management interface
/core-service=management/management-interface=http-interface:write-attribute(name=http-upgrade.sasl-authentication-factory, value=example-sasl-auth)
#add elytron simple-permission mapper to allow idnetity role suc has "HR Managers","Directory Administrators"
/subsystem=elytron/simple-permission-mapper=RbacPermissionMapper:add(permission-mappings=[{roles=["HR Managers","Directory Administrators"], permission-sets=[{permission-set=login-permission}]}])
#update security domain permission mapper
/subsystem=elytron/security-domain=exampleLdapSD:write-attribute(name=permission-mapper,value=RbacPermissionMapper)
#undefine legacy security-realm for management interface
/core-service=management/management-interface=http-interface:undefine-attribute(name=security-realm)
#add identity role-usage to perform Rbac identity mapping with Elytron
/core-service=management/access=authorization:write-attribute(name=use-identity-roles,value=true)
reload
run-batch
Part II Elytron using Identity Roles - Domain mode
batch
#Domain mode "Management" setup:
#create the Elytron ldap directory context
/host=master/subsystem=elytron/dir-context=ldap-dir-context:add(url="ldap://<hostname>:2389",principal="cn=Directory Manager",credential-reference={clear-text="secret"}, referral-mode=follow)
#2 Create an LDAP realm and security domain. Be sure to replace the search-base-dn and filter-base-dn to match the LDAP server
#/host=master/subsystem=elytron/ldap-realm=ldap-realm:add(dir-context=ldap-dir-context,direct-verification="true", identity-mapping={rdn-identifier="uid", search-base-dn="ou=People,dc=example,dc=com", use-recursive-search=false})
#create ldap realm, adding to it identity mapping
/host=master/subsystem=elytron/ldap-realm=ldap-realm:add(dir-context=ldap-dir-context,\
identity-mapping={search-base-dn="ou=people,dc=example,dc=com",\
rdn-identifier="uid",\
user-password-mapper={from="userPassword"},\
use-recursive-search=true, \
attribute-mapping=[{\
filter-base-dn="ou=groups,dc=example,dc=com",\
filter="uniquemember={1}",\
from="cn",to="Roles"}]})
/host=master/subsystem=elytron/simple-role-decoder=from-roles-attribute:add(attribute=Roles)
/host=master/subsystem=elytron/security-domain=ldap-security-domain:add(realms=[{realm=ldap-realm,role-decoder=from-roles-attribute}],default-realm=ldap-realm,permission-mapper=default-permission-mapper)
#4 Create an http-authentication-factory and enable BASIC & FORM mechanism.
/host=master/subsystem=elytron/http-authentication-factory=ldap-http-auth:add(http-server-mechanism-factory=global,security-domain=ldap-security-domain,mechanism-configurations=[{mechanism-name=BASIC,mechanism-realm-configurations=[{realm-name=ldap-realm}]}])
#5 Create a sasl-authentication-factory for CLI and remoting-connectorand set the authentication mechanism to PLAIN
/host=master/subsystem=elytron/configurable-sasl-server-factory=ldap-sasl-server-factory:add(sasl-server-factory=elytron)
/host=master/subsystem=elytron/sasl-authentication-factory=ldap-sasl-authentication:add(sasl-server-factory=ldap-sasl-server-factory,security-domain=ldap-security-domain,mechanism-configurations=[{mechanism-name=PLAIN,mechanism-realm-configurations=[{realm-name=ldap-realm}]}])
#6 Optional: Change the management interface to use the configured LDAP method and enable http-upgrade:
/host=master/core-service=management/management-interface=http-interface:write-attribute(name=http-authentication-factory,value=ldap-http-auth)
/host=master/core-service=management/management-interface=http-interface:write-attribute(name=http-upgrade,value={sasl-authentication-factory=ldap-sasl-authentication})
/host=master/core-service=management/management-interface=http-interface:write-attribute(name=http-upgrade-enabled, value=true)
#7
#add elytron simple-permission mapper to allow idnetity role suc has "HR Managers","Directory Administrators"
/host=master/subsystem=elytron/simple-permission-mapper=RbacPermissionMapper:add(permission-mappings=[{roles=["HR Managers","Directory Administrators"], permission-sets=[{permission-set=login-permission}]}])
#update security domain permission mapper
/host=master/subsystem=elytron/security-domain=ldap-security-domain:write-attribute(name=permission-mapper,value=RbacPermissionMapper)
#add identity role-usage to perform Rbac identity mapping with Elytron
/core-service=management/access=authorization:write-attribute(name=use-identity-roles,value=true)
run-batch
Part III - Elytron using rbac controls - Standalone mode
#create the Elytron ldap directory context
/subsystem=elytron/dir-context=ldap-dir-context:add(url="ldap://<hostname>:2389",principal="cn=Directory Manager",credential-reference={clear-text="secret12"}, referral-mode=follow)
#2 Create an LDAP realm and security domain. Be sure to replace the search-base-dn and filter-base-dn to match the LDAP server. Also, this example is specific to Active Directory. Other vendors may require changes like modifying rdn-identifier, modifying attribute mappings from attribute, adding a filter-name or other changes. use-recursive-search may need to be true depending on the LDAP configuration. Also note role-recursion="5", which means that if an LDAP group, contains other groups it will recurse up to 5 times to resolve composite groups.
/subsystem=elytron/ldap-realm=ldap-realm:add(dir-context=ldap-dir-context,\
identity-mapping={search-base-dn="ou=people,dc=example,dc=com",\
rdn-identifier="uid",\
user-password-mapper={from="userPassword"},\
use-recursive-search=true, \
attribute-mapping=[{\
filter-base-dn="ou=groups,dc=example,dc=com",\
filter="uniquemember={1}",\
from="cn",to="Roles"}]})
/subsystem=elytron/simple-role-decoder=from-roles-attribute:add(attribute=Roles)
/subsystem=elytron/security-domain=ldap-security-domain:add(realms=[{realm=ldap-realm,role-decoder=from-roles-attribute}],default-realm=ldap-realm,permission-mapper=default-permission-mapper)
#4 Create an http-authentication-factory and enable BASIC & FORM mechanism.
/subsystem=elytron/http-authentication-factory=ldap-http-auth:add(http-server-mechanism-factory=global,security-domain=ldap-security-domain,mechanism-configurations=[{mechanism-name=BASIC,mechanism-realm-configurations=[{realm-name=ldap-realm}]}])
#5 Create a sasl-authentication-factory for CLI and remoting-connectorand set the authentication mechanism to PLAIN
/subsystem=elytron/configurable-sasl-server-factory=ldap-sasl-server-factory:add(sasl-server-factory=elytron)
/subsystem=elytron/sasl-authentication-factory=ldap-sasl-authentication:add(sasl-server-factory=ldap-sasl-server-factory,security-domain=ldap-security-domain,mechanism-configurations=[{mechanism-name=PLAIN,mechanism-realm-configurations=[{realm-name=ldap-realm}]}])
#6Optional: Change the management interface to use the configured LDAP method and enable http-upgrade:
/core-service=management/management-interface=http-interface:write-attribute(name=http-authentication-factory,value=ldap-http-auth)
/core-service=management/management-interface=http-interface:write-attribute(name=http-upgrade,value={sasl-authentication-factory=ldap-sasl-authentication})
/core-service=management/management-interface=http-interface:write-attribute(name=http-upgrade-enabled, value=true)
#7 Configure RBAC authorization
/core-service=management/access=authorization:write-attribute(name=provider,value=rbac)
#8 Configure RBAC RoleMapping with scope Roles
/core-service=management/access=authorization/role-mapping=SuperUser/include=hrmanagers:add(type=GROUP, name="HR Managers")
/core-service=management/access=authorization/role-mapping=SuperUser/include=directoryadministrators:add(type=GROUP, name="Directory Administrators")
#9 reload
reload
Part IV - Elytron using rbac controls - Domain mode
#Domain mode "Management" setup:
#create the Elytron ldap directory context
/host=master/subsystem=elytron/dir-context=ldap-dir-context:add(url="ldap://<hostname>:2389",principal="cn=Directory Manager",credential-reference={clear-text="secret12"}, referral-mode=follow)
#2 Create an LDAP realm and security domain. Be sure to replace the search-base-dn and filter-base-dn to match the LDAP server. Also, this example is specific to Active Directory. Other vendors may require changes like modifying rdn-identifier, modifying attribute mappings from attribute, adding a filter-name or other changes. use-recursive-search may need to be true depending on the LDAP configuration. Also note role-recursion="5", which means that if an LDAP group, contains other groups it will recurse up to 5 times to resolve composite groups.
/host=master/subsystem=elytron/ldap-realm=ldap-realm:add(dir-context=ldap-dir-context,\
identity-mapping={search-base-dn="ou=people,dc=example,dc=com",\
rdn-identifier="uid",\
user-password-mapper={from="userPassword"},\
use-recursive-search=true, \
attribute-mapping=[{\
filter-base-dn="ou=groups,dc=example,dc=com",\
filter="uniquemember={1}",\
from="cn",to="Roles"}]})
/host=master/subsystem=elytron/case-principal-transformer=to-lower-case:add(upper-case=false)
/host=master/subsystem=elytron/simple-role-decoder=from-roles-attribute:add(attribute=Roles)
/host=master/subsystem=elytron/security-domain=ldap-security-domain:add(realms=[{realm=ldap-realm,role-decoder=from-roles-attribute}],default-realm=ldap-realm,permission-mapper=default-permission-mapper, pre-realm-principal-transformer=to-lower-case)
#4 Create an http-authentication-factory and enable BASIC & FORM mechanism.
/host=master/subsystem=elytron/http-authentication-factory=ldap-http-auth:add(http-server-mechanism-factory=global,security-domain=ldap-security-domain,mechanism-configurations=[{mechanism-name=BASIC,mechanism-realm-configurations=[{realm-name=ldap-realm}]}])
#5 Create a sasl-authentication-factory for CLI and remoting-connectorand set the authentication mechanism to PLAIN
/host=master/subsystem=elytron/configurable-sasl-server-factory=ldap-sasl-server-factory:add(sasl-server-factory=elytron)
/host=master/subsystem=elytron/sasl-authentication-factory=ldap-sasl-authentication:add(sasl-server-factory=ldap-sasl-server-factory,security-domain=ldap-security-domain,mechanism-configurations=[{mechanism-name=PLAIN,mechanism-realm-configurations=[{realm-name=ldap-realm}]}])
#6Optional: Change the management interface to use the configured LDAP method and enable http-upgrade:
/host=master/core-service=management/management-interface=http-interface:write-attribute(name=http-authentication-factory,value=ldap-http-auth)
/host=master/core-service=management/management-interface=http-interface:write-attribute(name=http-upgrade,value={sasl-authentication-factory=ldap-sasl-authentication})
/host=master/core-service=management/management-interface=http-interface:write-attribute(name=http-upgrade-enabled, value=true)
#7 Configure RBAC authorization
/core-service=management/access=authorization:write-attribute(name=provider,value=rbac)
#8 Configure RBAC RoleMapping with scope Roles
/core-service=management/access=authorization/role-mapping=SuperUser/include=hrmanagers:add(type=GROUP, name="HR Managers")
/core-service=management/access=authorization/role-mapping=SuperUser/include=directoryadministrators:add(type=GROUP, name="Directory Administrators")
#9 reload
reload --host=master
4. Other interesting pointers
See also other knowledge base articles:
Enabling security Debug/Trace logging in JBoss EAP 6 or 7
Setup LDAP based authentication in JBoss EAP 7.1 or later using Elytron
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
Comments