从用户的多个OU递归查询LDAP角色

Question

I am running a Web Application on a WildFly 9.0.2 Server with a Custom Login Realm (which needs to recursively query multiple Organizational Units A for Organizational Units B that are queried from Organizational Units C for a user) that is configured in the standalone.xml like so:

<security-realm name="LoginRealm">
   <authentication>
       <ldap connection="EC2" base-dn="ou=users,dc=test,dc=de">
           <username-filter attribute="uid"/>
       </ldap>
   </authentication>
</security-realm>
...
<security-domain name="other" cache-type="default">
    <authentication>
        <login-module code="de.test.LoginModule" flag="required">
            <module-option name="principalDNPrefix" value="uid="/>
            <module-option name="principalDNSuffix" value=",ou=users,dc=test,dc=de"/>
            <module-option name="rolesCtxDN" value="ou=groups,dc=test,dc=de"/>
            <module-option name="roleAttributeID" value="cn"/>
            <module-option name="roleAttributeIsDN" value="false"/>
            ...

The user logs in on the website by providing his username (eg testA), password (eg whatever) and selecting a UserGroup from a dropdown menu (eg UserGroupA). Then the custom login module (de.test.LoginModule.class) which extends the LdapLoginModule performs a lookup of the roles by building the principal string by taking the prefix from the standalone xml and adding the suffix after that
eg prefix: uid=
Build by LoginModule: testA,ou=UserGroupA
Suffix: ,ou=users,dc=test,dc=de
Resulting in: uid=testA,ou=UserGroupA,ou=users,dc=test,dc=de which right now works perfectly. The roles from ou=groups,dc=test,dc=de are retrieved and the security constraints defined in the web.xml with the according roles are executed.

<security-constraint>
    <display-name>Test-Service</display-name>
    <web-resource-collection>
        <web-resource-name>Test</web-resource-name>
        <url-pattern>/admin/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
        <description>Only Project Processors may see this</description>
        <role-name>Project Processor</role-name>
    </auth-constraint>      
</security-constraint>

Now the Organizational Unit "ProjectControlCenter" was added to the LDAP tree structure, which looks like so:

dc=test,dc=de
|-- ou=applications
|    |-- ou=ProjectControlCenter
|    |    |-- ou=permissions
|    |    |    |-- cn=group.Project Processor.manage
|    |    |    |-- cn=group.Project Processor.read
|    |    |    |-- cn=group.Project Monitorer.read
|    |    |    |-- ...
|    |    |-- ou=resources
|    |    |    |-- cn=ProjectControlCenter.Applicaton
|    |    |    |-- cn=ProjectControlCenter.List
|    |    |    |-- cn=ProjectControlCenter.System
|    |    |    |-- ...
|-- ou=groups
|    |    |-- cn=Project Processor
|    |    |-- cn=Project Monitorer
|    |    |-- ...
|    |-- ou=users
|    |    |-- ou=UserGroupA
|    |    |    |-- uid=testA
|    |    |    |-- uid=testB
|    |    |    |-- uid=testC
|    |    |-- ou=UserGroupB
|    |    |-- ...

Now I need to query not only the roles as the ou=groups,dc=test,dc=de but also all the ou=permissions,ou=ProjectControlCenter,ou=applications,dc=test,dc=de where the assigned roles are a unique member of and add that to the user. Furthermore another query would be needed to get all the ou=resources,ou=ProjectControlCenter,ou=applications,dc=test,dc=de where the ou=permissions,ou=ProjectControlCenter,ou=applications,dc=test,dc=de are a unique member of, adding it to the user as well.

So the question is: Is there any way to recursively query all groups for a certain user, permissions for those groups and resources for those permissions through LDAP configurations, or do I need to overload the createLdapInitContext(String username, Object credential) method of the LdapLoginModule.class to achieve the needed queries?

Answer 1

Its possible but to certain extent only. Your use case seems to be quite complicated and I personally would avoid that kind of design. Not sure if you checked already but your questions seems related to one here .