Spring LDAP Authentication + FreeIPA (nested groups)

    I'm attempting to configure spring-security to use LDAP against our FreeIPA server. The problem is that much like ActiveDirectory, FreeIPA uses nested groups.

    However, they do provide the "memberOf" attribute on the user, and I was wondering if it's possible to use that for filling in roles?

    for example, when I do a search for myself in our ldap server:

    ldapsearch -h x -b "cn=users,cn=accounts,dc=example,dc=com" \
    -D "uid=RangerRick,cn=users,cn=accounts,dc=example,dc=com" \
    -w "x" "(uid=RangerRick)"

    Code:
    # extended LDIF
    #
    # LDAPv3
    # base <cn=users,cn=accounts,dc=example,dc=com> with scope subtree
    # filter: (uid=RangerRick)
    # requesting: ALL
    #
    
    # RangerRick, users, accounts, example.com
    dn: uid=RangerRick,cn=users,cn=accounts,dc=example,dc=com
    krbLastSuccessfulAuth: 20130419182440Z
    krbLoginFailedCount: 0
    krbLastFailedAuth: 20130418191719Z
    displayName: Ranger Rick
    cn: Ranger Rick
    objectClass: top
    objectClass: person
    objectClass: organizationalperson
    objectClass: inetorgperson
    objectClass: inetuser
    objectClass: posixaccount
    objectClass: krbprincipalaux
    objectClass: krbticketpolicyaux
    objectClass: ipaobject
    objectClass: mepOriginEntry
    loginShell: /bin/bash
    sn: Rick
    gecos: Ranger Rick
    ...
    mepManagedEntry: cn=RangerRick,cn=groups,cn=accounts,dc=example,dc=com
    memberOf: cn=ipausers,cn=groups,cn=accounts,dc=example,dc=com
    memberOf: cn=mygroup,cn=groups,cn=accounts,dc=example,dc=com
    memberOf: cn=customers,cn=groups,cn=accounts,dc=example,dc=com
    memberOf: cn=admins,cn=groups,cn=accounts,dc=example,dc=com
    ...as you can see, it has multiple "memberOf" entries that map to the flat list of effective groups the user is in. I'd like each of these to be turned into roles.

    I've attempted this:

    Code:
        <security:authentication-manager>
          <security:ldap-authentication-provider 
            user-search-filter="(uid={0})"
            user-search-base="cn=users,cn=accounts,dc=example,dc=com"
            group-search-filter="(uid={1})"
            group-search-base="cn=users,cn=accounts,dc=example,dc=com"
            group-role-attribute="memberOf"
            role-prefix="ROLE_"
          />
        </security:authentication-manager>
    ...but it doesn't seem to do what I was hoping.

    Is there a reasonable way to do this?
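    One way to get roles from the memberOf values the post shows, as an added example that is not code from the original post or from the Spring Security project: a custom LdapAuthoritiesPopulator that reads the memberOf attribute already present on the authenticated user's entry (FreeIPA maintains it as the flat list of effective groups, nested ones included) and turns each group's cn into a ROLE_ authority, so no separate group search is needed. It assumes spring-security-ldap 3.1 or later (for SimpleGrantedAuthority) and the group container cn=groups,cn=accounts,dc=example,dc=com seen in the ldapsearch output; the class name MemberOfAuthoritiesPopulator and its constructor argument are my own. Only DNs that sit directly under that container are accepted, so a memberOf value pointing somewhere unexpected is dropped rather than granted as a role.

```java
// Added example, not from the original post or from Spring Security itself.
// Maps each memberOf value on the user's LDAP entry to a ROLE_<CN> authority.
// Assumes spring-security-ldap 3.1+ and FreeIPA's memberOf attribute as shown
// in the ldapsearch output in the post.
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import java.util.Locale;

import org.springframework.ldap.core.DirContextOperations;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.ldap.userdetails.LdapAuthoritiesPopulator;

public class MemberOfAuthoritiesPopulator implements LdapAuthoritiesPopulator {

    private static final String MEMBER_OF = "memberOf";
    private static final String ROLE_PREFIX = "ROLE_";

    // Only DNs directly under this base become roles; anything else is ignored
    // rather than granted. Constructed value for the post's server:
    // "cn=groups,cn=accounts,dc=example,dc=com"
    private final String groupBase;

    public MemberOfAuthoritiesPopulator(String groupBase) {
        this.groupBase = groupBase.toLowerCase(Locale.ROOT);
    }

    @Override
    public Collection<? extends GrantedAuthority> getGrantedAuthorities(
            DirContextOperations userData, String username) {
        List<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();
        // userData is the entry found by the user search; with the default
        // search controls all regular attributes, memberOf included, are returned.
        String[] groupDns = userData.getStringAttributes(MEMBER_OF);
        if (groupDns == null) {
            return authorities; // no memberOf values: user gets no roles
        }
        for (String dn : groupDns) {
            String role = roleFromGroupDn(dn);
            if (role != null) {
                authorities.add(new SimpleGrantedAuthority(role));
            }
        }
        return authorities;
    }

    // "cn=mygroup,cn=groups,cn=accounts,dc=example,dc=com" -> "ROLE_MYGROUP";
    // returns null for DNs that are not "cn=<name>,<groupBase>".
    String roleFromGroupDn(String dn) {
        String lower = dn.toLowerCase(Locale.ROOT);
        int comma = lower.indexOf(',');
        if (comma < 0 || !lower.startsWith("cn=")
                || !lower.substring(comma + 1).trim().equals(groupBase)) {
            return null;
        }
        String cn = dn.substring(3, comma).trim();
        if (cn.isEmpty()) {
            return null;
        }
        return ROLE_PREFIX + cn.toUpperCase(Locale.ROOT);
    }
}
```

    To wire it up, build the provider as a plain bean instead of the namespace element, since that element offers no attribute for a custom populator: `new LdapAuthenticationProvider(bindAuthenticator, new MemberOfAuthoritiesPopulator("cn=groups,cn=accounts,dc=example,dc=com"))`, where `bindAuthenticator` is a `BindAuthenticator` whose `FilterBasedLdapUserSearch` uses the same `cn=users,cn=accounts,dc=example,dc=com` base and `(uid={0})` filter as the XML attempt above. With the entry from the post this yields ROLE_IPAUSERS, ROLE_MYGROUP, ROLE_CUSTOMERS and ROLE_ADMINS.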