LDAP Check if user is in group
marcin.kasinski
PostPosted: Mon Dec 15, 2014 12:37 am    Post subject: LDAP Check if user is in group Reply with quote

Sentinel

Joined: 21 Dec 2004
Posts: 850
Location: Poland / Warsaw

Environment:
MB 8.0.0.3
LDAP: AD

In my flow I do LDAP authentication based on an HTTP request.

After HTTP Input I can read authenticated user name from IdentitySourceToken field.

Here everything works fine.

Then I dynamically read the LDAP group name from WSRR.


Next, what I have to do is check whether my authenticated user belongs to the group read from WSRR.


My question is:


Can I do this check using MB standard functionality (security PEP), or do I have to write my own code to make this check?


Thank you for any help.
_________________
Marcin


Last edited by marcin.kasinski on Mon Dec 15, 2014 10:04 am; edited 1 time in total
Vitor
PostPosted: Mon Dec 15, 2014 6:03 am    Post subject: Re: LDAP Check if user is in group Reply with quote

Grand High Poobah

Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA

marcin.kasinski wrote:
Can I do this check using MB standard functionality (security PEP)



_________________
Honesty is the best policy.
Insanity is the best defence.
marcin.kasinski
PostPosted: Mon Dec 15, 2014 10:03 am    Post subject: Re: LDAP Check if user is in group Reply with quote

Sentinel

Joined: 21 Dec 2004
Posts: 850
Location: Poland / Warsaw

Vitor wrote:
marcin.kasinski wrote:
Can I do this check using MB standard functionality (security PEP)




Thank you Vitor for your reply.

Can you give me any hint?
I spent the last few days searching for this.

I know that using the PEP I can dynamically set the username for my check, but what about dynamically choosing the group?

In SecurityProfiles I can set the authorization group by setting the authorizationConfig parameter.

This parameter is static.

Can you tell me how I can set the group for authorization dynamically and perform an LDAP check of whether the user belongs to the group?
_________________
Marcin
Vitor
PostPosted: Mon Dec 15, 2014 10:15 am    Post subject: Re: LDAP Check if user is in group Reply with quote

Grand High Poobah

Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA

marcin.kasinski wrote:
Can you tell me how I can set the group for authorization dynamically and perform an LDAP check of whether the user belongs to the group?


I'd thought you could pass this to the SecurityPEP node, but a closer inspection of the documentation indicates I may be mistaken on this.

Rather than take this strongpoint head on, allow me to outflank it for a moment. What criteria are you using to look up the LDAP group name in WSRR, and why is that name in there anyway? It seems almost backwards, as you must still add the user id to 1-n LDAP groups anyway, that the group names would be dynamic at run time. You couldn't (for example) invent a new group on the fly, add it to WSRR and have WMB use it to authorize a given function, as you'd need to create the LDAP group and add all the users to it. Typically this process is not dynamic and takes a period of time directly proportional to the sensitivity of the business function.

So what exactly are you going for here? Perhaps there's another way to achieve this without custom Java.
_________________
Honesty is the best policy.
Insanity is the best defence.
marcin.kasinski
PostPosted: Mon Dec 15, 2014 10:47 am    Post subject: Re: LDAP Check if user is in group Reply with quote

Sentinel

Joined: 21 Dec 2004
Posts: 850
Location: Poland / Warsaw

What I have to do is some kind of HTTP gateway:


- read the user and password from the HTTP Input node and authenticate the user using LDAP (this is not part of my question)

- send a query to WSRR and read the response, where one element contains the LDAP group name (this is not part of my question)

- perform an LDAP check of whether the user from the request belongs to the LDAP group read from WSRR (this is my question)

- ... (the rest is not part of my question)

I hope now it is clear and you can tell me if I can do it using standard WMB functionality or I should do it using custom Java.


Thanks for the reply
_________________
Marcin
Vitor
PostPosted: Mon Dec 15, 2014 12:11 pm    Post subject: Re: LDAP Check if user is in group Reply with quote

Grand High Poobah

Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA

marcin.kasinski wrote:
What I have to do is some kind of HTTP gateway:


Urgh.

marcin.kasinski wrote:
I hope now it is clear and you can tell me if I can do it using standard WMB functionality or I should do it using custom Java.


I think you're in custom Java territory. With luck, someone brighter than me will be along in a minute with a cunning plan.....
_________________
Honesty is the best policy.
Insanity is the best defence.
martinb
PostPosted: Mon Dec 15, 2014 2:10 pm    Post subject: Reply with quote

Master

Joined: 09 Nov 2006
Posts: 210
Location: UK

As you've said, the Security Profile provides the configuration of which LDAP group will be checked for membership to implement an authorization check through the IIB Message Flow Security Manager.

Additionally, the Security Profile is statically configured on the SecurityPEP node.


I assume there are a set of LDAP groups that correspond to the remote service the gateway is forwarding the request to.


Typically this kind of destination-based authorization would be done by having IIB issue a WS-Trust request to an external federated security provider. The WS-Trust request can provide "applies to" details.


I guess if you built your solution more as a finite "routing" flow, you could put a SecurityPEP node with a suitable security profile in each branch.

However, I think that to do this fully dynamic authorization against LDAP you have to roll your own LDAP check in a Java Compute node.
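Since the thread ends at "roll your own LDAP check in a Java Compute node", here is an added example (not from the thread, and not IBM product code) of what that check can look like with plain JNDI. Both inputs are runtime values in this design, the user name from IdentitySourceToken and the group DN read from WSRR, so both are escaped before they are placed in the search filter; the LDAP URL, bind account and base DN are placeholders.

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

public class LdapGroupCheck {

    // RFC 4515 escaping for values embedded in a search filter. The user name and
    // the group DN both arrive at runtime, so neither may reach the filter raw.
    // Backslash must be replaced first so the other escapes are not re-escaped.
    static String escapeFilter(String v) {
        return v.replace("\\", "\\5c").replace("*", "\\2a").replace("(", "\\28")
                .replace(")", "\\29").replace("\0", "\\00");
    }

    // Bind with a dedicated read-only service account; all values are placeholders.
    static DirContext connect(String url, String bindDn, String bindPassword) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);          // e.g. "ldaps://ad.example.internal:636"
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, bindDn);
        env.put(Context.SECURITY_CREDENTIALS, bindPassword);
        return new InitialDirContext(env);
    }

    // True if the AD account with this sAMAccountName is a member of groupDn.
    // The LDAP_MATCHING_RULE_IN_CHAIN OID makes AD resolve nested membership too;
    // use a plain "memberOf=" assertion if only direct membership should count.
    static boolean isMemberOf(DirContext ctx, String baseDn, String userName, String groupDn)
            throws NamingException {
        String filter = "(&(objectClass=user)(sAMAccountName=" + escapeFilter(userName) + ")"
                      + "(memberOf:1.2.840.113556.1.4.1941:=" + escapeFilter(groupDn) + "))";
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
        sc.setReturningAttributes(new String[] { "distinguishedName" });
        NamingEnumeration<SearchResult> results = ctx.search(baseDn, filter, sc);
        try {
            return results.hasMore();   // a single hit means the user is in the group
        } finally {
            results.close();
        }
    }
}
```

Inside the Java Compute node's evaluate() the call is isMemberOf(ctx, baseDn, userName, groupDnFromWsrr); if it returns false, raise an exception or route to a failure terminal rather than forwarding the request.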