Esa
Posted: Fri Mar 09, 2012 7:40 am    Post subject: Security profile for AD
Grand Master
Joined: 22 May 2008    Posts: 1387    Location: Finland
I have some trouble trying to authorize a web service request for Active Directory nested group members.
My best effort for a security profile looks like this:
Code:
nestedProfile
authentication='LDAP'
authenticationConfig='ldaps://LDAPServer.somecompany.com:3269/dc=global,dc=somecompany,dc=com?sAMAccountName'
authorization='LDAP'
authorizationConfig='ldaps://LDAPServer.somecompany.com:3269/dc=global,dc=somecompany,dc=com?(memberof:1.2.840.113556.1.4.1941:=(CN=Somegroup,OU=Groups,DC=global,DC=somecompany,DC=com))'
keyStore='Reserved for future use'
mapping='NONE'
mappingConfig=''
passwordValue='PLAIN'
propagation='TRUE'
trustStore='Reserved for future use'
but it does not authorize users belonging to nested groups. Probably not even direct members; that's something I cannot test at the moment. Unfortunately the call is using SSL and I cannot use iptrace to check what kind of query the LDAP security provider actually makes.
Message Broker 6.1.0.5
fjb_saper
Posted: Fri Mar 09, 2012 11:34 pm    Post subject:
Grand High Poobah
Joined: 18 Nov 2003    Posts: 20756    Location: LI,NY
Can you use a custom socket class that is:
normal socket -> log -> sslsocket
Just an idea
_________________
MQ & Broker admin
Esa
Posted: Mon Mar 12, 2012 2:14 am    Post subject:
Grand Master
Joined: 22 May 2008    Posts: 1387    Location: Finland
I could not find a proper command line ldapsearch to run on my Windows workstation to test the query. But I found an LDAP browser with a graphical UI. With that it was easy to figure out what was wrong: the AD groups had been set up incorrectly. The group that was supposed to be nested was in fact nesting the other.
Back to square one after the groups have been corrected. Maybe there is no problem at all.
Esa
Posted: Tue Mar 13, 2012 5:47 am    Post subject:
Grand Master
Joined: 22 May 2008    Posts: 1387    Location: Finland
Yes, there is a problem.
My security profile in my original post is, of course, totally wrong, because I thought the LDAP security provider constructs an LDAP query for testing the user's membership in the group. For that kind of query you could apply the AD-specific LDAP_MATCHING_RULE_IN_CHAIN search filter 1.2.840.113556.1.4.1941.
Instead, the security provider seems to fetch the list of members by querying the member attribute of the base group. I can see why: it is certainly easier to cache the list of members than membership info by user id.
I haven't found any way to tweak it to use a memberOf search filter instead. I wonder if anybody has raised a PMR about this and got a private APAR with support for AD nested groups?
One reason why the security provider does not recursively search member groups is certainly performance. In our environment it takes 55 seconds to get a list of members for a group with a typically large number of nested groups, while testing an individual user's membership takes less than one second (the LDAP browser does not report fractions of a second).
Does anybody know how to enable debug trace for the LDAP security provider?
I guess the LDAP security provider does not have an API like MQ ODM that would allow you to plug in your own implementation? Or write an exit to tweak the query?
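The two approaches contrasted in the post above (fetching a group's member list versus asking AD to evaluate a per-user memberOf chain with rule 1.2.840.113556.1.4.1941), and the mis-nested groups from the earlier post, as an added example that is not code from the thread or from Message Broker. The in-memory DIRECTORY is a constructed stand-in for Active Directory so the example runs offline; the account and Subgroup names are made up, and only the Somegroup DN comes from the thread. The filter builder escapes the DN per RFC 4515 so a caller-supplied value cannot alter the filter structure.

```python
"""Nested-group authorization two ways: group member list vs. memberOf chain.

Added illustration, not code from the thread or from Message Broker. The
DIRECTORY below is a constructed stand-in for Active Directory; the names
other than Somegroup are made up.
"""
from typing import Dict, List, Optional, Set

# AD extensible-match rule quoted in the thread (LDAP_MATCHING_RULE_IN_CHAIN).
LDAP_MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"

BASE = "DC=global,DC=somecompany,DC=com"
SOMEGROUP = "CN=Somegroup,OU=Groups," + BASE   # DN from the thread
SUBGROUP = "CN=Subgroup,OU=Groups," + BASE     # constructed
ALICE = "CN=alice,OU=Users," + BASE            # constructed
BOB = "CN=bob,OU=Users," + BASE                # constructed
CAROL = "CN=carol,OU=Users," + BASE            # constructed

Directory = Dict[str, Dict[str, List[str]]]

# Constructed directory: DN -> attributes. 'member' is the forward link a group
# holds; 'memberOf' is the back-link AD maintains on each member entry.
DIRECTORY: Directory = {
    SOMEGROUP: {"objectClass": ["group"], "member": [SUBGROUP, ALICE]},
    SUBGROUP: {"objectClass": ["group"], "member": [BOB], "memberOf": [SOMEGROUP]},
    ALICE: {"objectClass": ["user"], "sAMAccountName": ["alice"], "memberOf": [SOMEGROUP]},
    BOB: {"objectClass": ["user"], "sAMAccountName": ["bob"], "memberOf": [SUBGROUP]},
    CAROL: {"objectClass": ["user"], "sAMAccountName": ["carol"]},
}


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: a DN or caller-supplied value cannot change the
    structure of the filter it is embedded in."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def nested_membership_filter(group_dn: str) -> str:
    """Per-user query the thread wished the provider issued: AD walks the
    memberOf chain server-side and matches only if it ends at group_dn."""
    return "(memberOf:%s:=%s)" % (LDAP_MATCHING_RULE_IN_CHAIN, escape_filter_value(group_dn))


def expand_members(directory: Directory, group_dn: str, recursive: bool) -> Set[str]:
    """Client-side expansion of a group's 'member' attribute.
    recursive=False mirrors what the thread observed: only the direct member
    list is read, so users of nested groups are missed. The visited set keeps
    the walk finite when groups nest each other (the mis-configured case)."""
    users: Set[str] = set()
    visited: Set[str] = set()
    stack = [group_dn]
    while stack:
        dn = stack.pop()
        if dn in visited:
            continue
        visited.add(dn)
        for member in directory.get(dn, {}).get("member", []):
            if "group" in directory.get(member, {}).get("objectClass", []):
                if recursive:
                    stack.append(member)
            else:
                users.add(member)
    return users


def chain_membership(directory: Directory, user_dn: str, group_dn: str) -> bool:
    """What the matching-rule filter evaluates: follow memberOf back-links
    upward from the user until group_dn is reached or the chain ends."""
    visited: Set[str] = set()
    stack = list(directory.get(user_dn, {}).get("memberOf", []))
    while stack:
        dn = stack.pop()
        if dn == group_dn:
            return True
        if dn in visited:
            continue
        visited.add(dn)
        stack.extend(directory.get(dn, {}).get("memberOf", []))
    return False


def find_user_dn(directory: Directory, sam_account_name: str) -> Optional[str]:
    """Resolve sAMAccountName to a DN, as the authentication step does."""
    for dn, attrs in directory.items():
        if sam_account_name in attrs.get("sAMAccountName", []):
            return dn
    return None


def is_authorized(directory: Directory, sam_account_name: str, group_dn: str, mode: str) -> bool:
    """mode: 'direct' (member list, one level), 'recursive' (member list walked
    client-side) or 'chain' (per-user memberOf chain query)."""
    user_dn = find_user_dn(directory, sam_account_name)
    if user_dn is None:
        return False
    if mode == "direct":
        return user_dn in expand_members(directory, group_dn, recursive=False)
    if mode == "recursive":
        return user_dn in expand_members(directory, group_dn, recursive=True)
    if mode == "chain":
        return chain_membership(directory, user_dn, group_dn)
    raise ValueError("unknown mode: " + mode)


if __name__ == "__main__":
    print(nested_membership_filter(SOMEGROUP))
    for name in ("alice", "bob", "carol"):
        print(name, [is_authorized(DIRECTORY, name, SOMEGROUP, m) for m in ("direct", "recursive", "chain")])
```

Run stand-alone it shows bob (a member only via Subgroup) rejected in 'direct' mode and accepted in the other two, which is the behaviour difference the post describes; the 'chain' mode is the one the matching-rule filter delegates to the server, which is why it does not need the whole member list cached.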
fjb_saper
Posted: Tue Mar 13, 2012 6:08 am    Post subject:
Grand High Poobah
Joined: 18 Nov 2003    Posts: 20756    Location: LI,NY
I thought there was a defined Java LDAP interface?? Could be wrong though...
_________________
MQ & Broker admin
Esa
Posted: Tue Mar 13, 2012 6:50 am    Post subject:
Grand Master
Joined: 22 May 2008    Posts: 1387    Location: Finland
fjb_saper wrote:
    I thought there was a defined Java LDAP interface?? Could be wrong though...
Yes, JNDI. But instead of coding PEPs by hand within message flows I would rather consider externalizing security to a gateway product. Before anyone says it, in this case DP happens to be out of the question.
Message Broker security is incomprehensive by design, to give customers more reasons to buy TFIM, which certainly can handle AD nested groups...
Last edited by Esa on Tue Mar 13, 2012 6:56 am; edited 1 time in total
mqjeff
Posted: Tue Mar 13, 2012 6:53 am    Post subject:
Grand Master
Joined: 25 Jun 2008    Posts: 17447
Esa wrote:
    fjb_saper wrote:
        I thought there was a defined Java LDAP interface?? Could be wrong though...
    Yes, JNDI. But instead of coding PEPs by hand within message flows I would rather consider externalizing security to a gateway product. Before anyone says it, in this case DP happens to be out of the question.
I believe that FJ was suggesting that you write your own LDAP server that would gateway into your AD.
I don't think it's a great idea, myself, however.