Role Manager and Directory Server Integration


Last week at work there were some discussions about Sun Role Manager (SRM) and its use of LDAP Server for authentication. I tested this Role Manager integration with Sun Directory Sever version 6.3 as my LDAP server and I am sharing some information about this setup. The high level steps for this integration are as follows:

1) Configure the Role Manager (SRM) "ldap.properties" file to reflect your Directory Server (DS) settings. The following document discusses the "ldap.properties" file settings:
http://wikis.sun.com/display/Srm5Docs/Integrating+With+LDAP

2) For the users that you want to allow access to SRM, create corresponding users with "uid" in DS same as "username" of SRM (RBACx) users. We are assuming that "uid" attribute will be used for authentication to directory server.

3) To verify that the setup is working correctly, edit the log4j.properties of your SRM installation and add the following property:
log4j.logger.com.vaau.commons.springframework.security.dao=DEBUG
Restart the application server after adding the above line. This DEBUG setting is only being added for verification purposes and should be removed once the setup is working correctly.

4) Login to SRM GUI using credentials of a valid Sun Directory Server user that also has a SRM(RBACx) user account. In my example below, DS "uid" of "manish" is used for authentication and for this "uid" there is a corresponding SRM(RBACx) "username" in SRM. If you have this setup correctly, you should expect to see logs similar to following lines in rbacx.log file:

21:19:18,125 DEBUG [MultipleChainablePasswordDaoAuthenticationProvider] ----> using authentication dao [com.vaau.commons.springframework.security.dao.ldap.LdapPasswordAuthenticationDao-AT-1b42301]
21:19:18,125 DEBUG [PasswordDaoAuthenticationProvider] ---> attempting authentication for user 'manish'
21:19:18,125 DEBUG [PasswordDaoAuthenticationProvider] ------> looking for user 'manish' in cache
21:19:18,125 DEBUG [PasswordDaoAuthenticationProvider] ------> loading user 'manish' from backend
21:19:18,125 DEBUG [LdapPasswordAuthenticationDao] Connecting to ldap://xxx.yyy.com:389/dc=example,dc=com/null as manish
21:19:18,130 DEBUG [LdapPasswordAuthenticationDao] keeping ldap context prefix
21:19:18,212 DEBUG [LdapPasswordAuthenticationDao] Returning user: com.vaau.rbacx.security.domain.SecureUser@d3e04c00: Username: manish; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_ACCESS_IDC_VIEW, ROLE_AUTHENTICATED_PRINCIPAL: Internal RbacxUser: Last name: kapur; First name: manish; Email: manish@example-DOT-com
21:19:18,214 DEBUG [PasswordDaoAuthenticationProvider] ------> loaded user 'manish' from backend
21:19:18,214 DEBUG [PasswordDaoAuthenticationProvider] ------> putting user 'manish' in cache
21:19:18,215 DEBUG [PasswordDaoAuthenticationProvider] ---> successful authentication for user 'manish'

Now let's try logging in to SRM GUI with a valid LDAP user who does not have a SRM(RBACx) account.  When using a DS "uid" that does not have a corresponding SRM(RBACx) "username" the access to SRM GUI should not be allowed. In my example, I used "uid" of "denck" and made sure that "denck" "username" does not exist in my SRM setup. The rbacx.log entries in this case should look like follows:

11:59:25,598 DEBUG [MultipleChainablePasswordDaoAuthenticationProvider] ----> using authentication dao [com.vaau.commons.springframework.security.dao.ldap.LdapPasswordAuthenticationDao@4d080d]
11:59:25,598 DEBUG [PasswordDaoAuthenticationProvider] ---> attempting authentication for user 'denck'
11:59:25,598 DEBUG [PasswordDaoAuthenticationProvider] ------> looking for user 'denck' in cache
11:59:25,598 DEBUG [PasswordDaoAuthenticationProvider] ------> loading user 'denck' from backend
11:59:25,598 DEBUG [LdapPasswordAuthenticationDao] Connecting to ldap://xxx.yyy.com:389/dc=example,dc=com/null as denck
11:59:25,601 DEBUG [LdapPasswordAuthenticationDao] keeping ldap context prefix
11:59:25,602 DEBUG [CacheModel] Cache 'RbacxUser.rbacxUserCache': cache miss
11:59:25,603 DEBUG [CacheModel] Cache 'RbacxUser.rbacxUserCache': stored object '[B@1792c41'
11:59:25,603 WARN  [UserManagerImpl] RbacxUser with username: 'denck' not found
11:59:25,604 ERROR [MultipleChainablePasswordDaoAuthenticationProvider] ERROR: Bad Credentials
org.springframework.security.BadCredentialsException: User does not have RBACx account!
....

That's it! Wasn't it easy? Once you have this integration working, remember to remove the DEBUG log property that was added in step 3 above.


Comments:

Post a Comment:
Comments are closed for this entry.
About

manish

Search

Categories
Archives
« April 2014
SunMonTueWedThuFriSat
  
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
   
       
Today