Recursively query LDAP roles from multiple OUs for a User
I am running a Web Application on a WildFly 9.0.2 Server with a Custom Login Realm (which needs to recursively query multiple Organizational Units A for Organizational Units B that are queried from Organizational Units C for a user) that is configured in the standalone.xml like so:
    <security-realm name="LoginRealm">
        <authentication>
            <ldap connection="EC2" base-dn="ou=users,dc=test,dc=de">
                <username-filter attribute="uid"/>
            </ldap>
        </authentication>
    </security-realm>
    ...
    <security-domain name="other" cache-type="default">
        <authentication>
            <login-module code="de.test.LoginModule" flag="required">
                <module-option name="principalDNPrefix" value="uid="/>
                <module-option name="principalDNSuffix" value=",ou=users,dc=test,dc=de"/>
                <module-option name="rolesCtxDN" value="ou=groups,dc=test,dc=de"/>
                <module-option name="roleAttributeID" value="cn"/>
                <module-option name="roleAttributeIsDN" value="false"/>
                ...
The user logs in on the website by providing his username (e.g. testA), password (e.g. whatever) and selecting a UserGroup from a dropdown menu (e.g. UserGroupA). Then the custom login module (de.test.LoginModule.class), which extends the LdapLoginModule, performs a lookup of the roles by building the principal string: it takes the prefix from the standalone.xml and adds the suffix after that, e.g.

    prefix:                 uid=
    built by LoginModule:   testA,ou=UserGroupA
    suffix:                 ,ou=users,dc=test,dc=de
    resulting in:           uid=testA,ou=UserGroupA,ou=users,dc=test,dc=de

which right now works perfectly. The roles from ou=groups,dc=test,dc=de are retrieved and the security constraints defined in the web.xml with the corresponding roles are enforced:
    <security-constraint>
        <display-name>Test-Service</display-name>
        <web-resource-collection>
            <web-resource-name>Test</web-resource-name>
            <url-pattern>/admin/*</url-pattern>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
        </web-resource-collection>
        <auth-constraint>
            <description>Only Project Processors may see this</description>
            <role-name>Project Processor</role-name>
        </auth-constraint>
    </security-constraint>
Now the Organizational Unit "ProjectControlCenter" was added to the LDAP tree structure, which looks like so:
    dc=test,dc=de
    |-- ou=applications
    |   |-- ou=ProjectControlCenter
    |       |-- ou=permissions
    |       |   |-- cn=group.Project Processor.manage
    |       |   |-- cn=group.Project Processor.read
    |       |   |-- cn=group.Project Monitorer.read
    |       |   |-- ...
    |       |-- ou=resources
    |           |-- cn=ProjectControlCenter.Applicaton
    |           |-- cn=ProjectControlCenter.List
    |           |-- cn=ProjectControlCenter.System
    |           |-- ...
    |-- ou=groups
    |   |-- cn=Project Processor
    |   |-- cn=Project Monitorer
    |   |-- ...
    |-- ou=users
        |-- ou=UserGroupA
        |   |-- uid=testA
        |   |-- uid=testB
        |   |-- uid=testC
        |-- ou=UserGroupB
        |-- ...
Now I need to query not only the roles from ou=groups,dc=test,dc=de but also all entries under ou=permissions,ou=ProjectControlCenter,ou=applications,dc=test,dc=de of which the assigned roles are a unique member, and add those to the user. Furthermore, another query would be needed to get all entries under ou=resources,ou=ProjectControlCenter,ou=applications,dc=test,dc=de of which those permissions are a unique member, adding them to the user as well.

So the question is: is there any way to recursively query all groups for a certain user, permissions for those groups and resources for those permissions through LDAP configuration, or do I need to overload the createLdapInitContext(String username, Object credential) method of LdapLoginModule.class to achieve the needed queries?
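As an added example (not the asker's module and not code from WildFly or JBoss), here is the membership walk the question describes, in Python over a constructed in-memory directory laid out like the tree above: user -> ou=groups -> ou=permissions -> ou=resources, following uniqueMember links. The membership assignments, the groupOfUniqueNames object class and all function names are assumptions. Because the principal DN is assembled from the login form's username and the selected UserGroup, the values are escaped per RFC 4514 before they go into a DN and per RFC 4515 before they go into a search filter, and the walk keeps a visited set and a fixed list of levels so that a membership loop in the directory cannot turn one login into an unbounded chain of searches.

```python
"""Resolving a user's roles by walking uniqueMember links across several OUs:
user -> ou=groups -> ou=permissions -> ou=resources.

Added example, not the asker's login module and not WildFly/JBoss code.  The
directory is a constructed in-memory stand-in (DN -> attributes) laid out like
the tree in the question; a real module would send the same filters through
JNDI or an LDAP client instead of scanning a dict."""

PCC = "ou=ProjectControlCenter,ou=applications,dc=test,dc=de"
GROUPS = "ou=groups,dc=test,dc=de"
PERMS = "ou=permissions," + PCC
RES = "ou=resources," + PCC
USERS = "ou=users,dc=test,dc=de"


def entry(cn, base, members):
    """One groupOfUniqueNames entry under base whose uniqueMember values are members."""
    return ("cn=%s,%s" % (cn, base),
            {"cn": [cn], "objectClass": ["groupOfUniqueNames"], "uniqueMember": list(members)})


# Constructed snapshot; the membership assignments are assumptions, not from the question.
DIRECTORY = dict([
    ("uid=testA,ou=UserGroupA," + USERS, {"uid": ["testA"], "objectClass": ["inetOrgPerson"]}),
    ("uid=testB,ou=UserGroupA," + USERS, {"uid": ["testB"], "objectClass": ["inetOrgPerson"]}),
    entry("Project Processor", GROUPS, ["uid=testA,ou=UserGroupA," + USERS]),
    entry("Project Monitorer", GROUPS, ["uid=testB,ou=UserGroupA," + USERS]),
    entry("group.Project Processor.manage", PERMS, ["cn=Project Processor," + GROUPS]),
    entry("group.Project Processor.read", PERMS, ["cn=Project Processor," + GROUPS]),
    entry("group.Project Monitorer.read", PERMS, ["cn=Project Monitorer," + GROUPS]),
    entry("ProjectControlCenter.Applicaton", RES, ["cn=group.Project Processor.manage," + PERMS]),
    entry("ProjectControlCenter.List", RES, ["cn=group.Project Processor.read," + PERMS,
                                             "cn=group.Project Monitorer.read," + PERMS]),
    entry("ProjectControlCenter.System", RES, ["cn=group.Project Processor.manage," + PERMS]),
])

# The bases to walk, in order.  Each hop looks for entries under the base whose
# uniqueMember names something found in the previous hop.
LEVELS = [GROUPS, PERMS, RES]


def escape_dn_value(value):
    """RFC 4514 escaping for one RDN value (username and OU come from the login form)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;=' or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def escape_filter_value(value):
    """RFC 4515 escaping for a value placed inside a search filter."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def build_user_dn(username, user_group, prefix="uid=", suffix="," + USERS):
    """Mirror the prefix + <built part> + suffix assembly from the question, with escaping."""
    return "%s%s,ou=%s%s" % (prefix, escape_dn_value(username), escape_dn_value(user_group), suffix)


def search_members_of(base_dn, member_dn):
    """Subtree search under base_dn for groupOfUniqueNames entries listing member_dn.
    Returns (filter string as it would be sent, [matching DNs]).  DN comparison is
    case-insensitive, as distinguishedNameMatch is on a real server."""
    flt = "(&(objectClass=groupOfUniqueNames)(uniqueMember=%s))" % escape_filter_value(member_dn)
    base, target = base_dn.lower(), member_dn.lower()
    hits = [dn for dn, attrs in DIRECTORY.items()
            if dn.lower().endswith("," + base)
            and target in [v.lower() for v in attrs.get("uniqueMember", [])]]
    return flt, hits


def resolve_roles(user_dn, levels=LEVELS):
    """Walk the levels in order and collect every cn reached.
    Returns (set of role names, list of (base_dn, filter) pairs issued).
    The visited set stops cycles and the level list bounds the depth, so the number
    of searches per login is bounded, which is what a recursion limit buys in a real module."""
    roles, issued = set(), []
    frontier, visited = [user_dn], {user_dn.lower()}
    for base_dn in levels:
        next_frontier = []
        for dn in frontier:
            flt, hits = search_members_of(base_dn, dn)
            issued.append((base_dn, flt))
            for hit in hits:
                if hit.lower() in visited:
                    continue
                visited.add(hit.lower())
                roles.update(DIRECTORY[hit]["cn"])
                next_frontier.append(hit)
        frontier = next_frontier
    return roles, issued


if __name__ == "__main__":
    names, queries = resolve_roles(build_user_dn("testA", "UserGroupA"))
    for base_dn, flt in queries:
        print("search base=%s filter=%s" % (base_dn, flt))
    print(sorted(names))
```

Run directly, it prints the four searches issued for testA (one against ou=groups, one against ou=permissions, two against ou=resources) and the six names collected across all three levels, which is the set a login module would hand back as the user's roles. A directory without uniqueMember back-links on the permission and resource entries would need the hop to read a forward-pointing attribute instead, but the bounded, level-by-level structure stays the same.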