Mapping LDAP users to Liferay local groups - java

I have setup LDAP authentication with liferay in my application.
I have kept LDAP enabled and required as true. This way only users with LDAP account would be able to login to portal.
ldap.auth.enabled=true
ldap.auth.required=true
Now I have a requirement to create a local Liferay group containing certain users from LDAP (belonging to my team).
After LDAP authentication, this group would be checked; only if the user logging in is part of this group would authentication be allowed.
So basically I need two groups:
Team group (containing a subset of the LDAP users)
Admin group (subset of the team group, able to add/remove members of the team group)
I need help on achieving this.
The issue is, as my LDAP account does not have admin rights, once I log in to Liferay I do not see any administration options and won't be able to create the group.
Is there any way I can map some of the LDAP accounts to admin accounts, and how do I achieve this in production without setting the required flag to false?
Thanks in advance!

If I understand your question well, you need to grant login permission to only some of your LDAP users. There are several ways to achieve that:
Filter the users you sync with Liferay, by their DN or by their LDAP group
Add a custom LoginPreAction event to deny login to certain users
To give users the admin role, you can add your custom LoginPostAction and give them the Administrator role if they meet the criteria
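One way to do the LoginPostAction part, as an added example (my code, not the answer's and not Liferay's own): a Liferay 6.x login post-action that keeps the portal Administrator role in step with an imported LDAP group. It assumes LDAP groups are imported as Liferay user groups, that the admin group arrives under the placeholder name team-admins, and that the class is registered with login.events.post in portal-ext.properties.

```java
import java.util.List;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import com.liferay.portal.kernel.events.Action;
import com.liferay.portal.kernel.events.ActionException;
import com.liferay.portal.model.Role;
import com.liferay.portal.model.RoleConstants;
import com.liferay.portal.model.UserGroup;
import com.liferay.portal.service.RoleLocalServiceUtil;
import com.liferay.portal.service.UserGroupLocalServiceUtil;
import com.liferay.portal.service.UserLocalServiceUtil;
import com.liferay.portal.util.PortalUtil;

/**
 * Registered in portal-ext.properties as (class name is a placeholder):
 *   login.events.post=com.example.auth.TeamLoginPostAction
 * Grants the portal Administrator role to members of the imported LDAP admin group
 * and revokes it from everyone else, so admin access follows LDAP group membership.
 */
public class TeamLoginPostAction extends Action {
    // Placeholder: the Liferay user-group name under which the LDAP admin group is imported.
    static final String ADMIN_GROUP = "team-admins";
    /** True if the user belongs to the imported user group with this name. */
    static boolean isMemberOf(long userId, String groupName) throws Exception {
        for (UserGroup group : UserGroupLocalServiceUtil.getUserUserGroups(userId)) {
            if (groupName.equalsIgnoreCase(group.getName())) {
                return true;
            }
        }
        return false;
    }

    @Override
    public void run(HttpServletRequest request, HttpServletResponse response) throws ActionException {
        try {
            long userId = PortalUtil.getUserId(request);
            Role admin = RoleLocalServiceUtil.getRole(PortalUtil.getCompanyId(request), RoleConstants.ADMINISTRATOR);
            boolean shouldBeAdmin = isMemberOf(userId, ADMIN_GROUP);
            boolean isAdmin = UserLocalServiceUtil.hasRoleUser(admin.getRoleId(), userId);
            if (shouldBeAdmin && !isAdmin) {
                UserLocalServiceUtil.addRoleUsers(admin.getRoleId(), new long[] {userId});
            } else if (!shouldBeAdmin && isAdmin) {
                // Removed from the LDAP group: take the role away instead of leaving a stale admin.
                UserLocalServiceUtil.unsetRoleUsers(admin.getRoleId(), new long[] {userId});
            }
        } catch (Exception e) {
            throw new ActionException(e); // surface the failure rather than silently continuing
        }
    }
}
```

Because ldap.auth.required=true only lets LDAP accounts through, every login passes this action, so dropping someone from the LDAP group revokes their portal admin rights on their next login.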

Related

Get list of users from another realm in Keycloak Spring boot

I have two realms in Keycloak, "internal" and "external".
As a user (not Admin!) from the "internal" realm I would like to get the list of users from the "external" realm.
There is a default role "view_users", but I guess it's only for users from the same realm, right?
Is it possible, as a non-admin user, to access another realm?
How would it look in Java Spring Boot?
This is not possible in Keycloak by design; realms are isolated from each other. The exception to this rule is the master realm. A user that is in the master realm and has the global admin role is allowed to do everything in all realms.
In addition, there are (automatically generated) management clients for all realms in the master realm, in your case named internal-realm and external-realm. These clients, in turn, have a list of client-roles that allow the user that is in those roles, to perform specific actions. You can read more about this in the Keycloak documentation here.

Java EE Security Concept

I need to create an application with authentication and authorization using Java EE 6 (Glassfish Server). I read a lot about Java EE 6 security and just wanted to ask if my concept is correct:
Every user in the company has an account according to "X123456". I want to use this for LDAP Authentication:
Application ---> LDAP
So, I can use the company's infrastructure to authorize the user.
However, I want to be in control of the roles in my application. So, I want to define my own roles using JACC. Therefore I will create a database with a user-to-role mapping,
for example "X123456 -> ADMIN".
The benefits would be:
I don't need to store any password
I can create a kind of admin panel in my application where I can set the existing roles to users dynamically
Do you think this would be technically possible and good practice?
Alternative: Would it be possible to define the roles (Admin, User) in Active Directory and query it via LDAP? So I could outsource my user-to-role mapping into active directory.
Update:
For authentication I currently use an LDAP-Realm (user, password).
For authorization I want to use a database (rolename, user). However I don't know how to tell my application to use the database for authorization. If I would use a JDBC-Realm, I could specify the Group/Role table and column. Is there a way to tell my application to just use the JDBC-Realm for authorization?

Liferay with LDAP

I am configuring Liferay with my organization's LDAP.
While configuring LDAP, I specify "ldap.security.principal" and "ldap.security.credentials" as my user id and password to authenticate against LDAP, and the test connection succeeds.
Are these mandatory attributes? In production, I will not be able to specify my own credentials in portal-ext.properties. Do I need a separate user created in LDAP to specify in portal-ext for production? I unfortunately do not have control over configuring LDAP as it's an org LDAP.
Any pointers would help. Thanks.
There are several use-cases where you need a privileged system account for accessing the LDAP database.
Authentication
There are two basic methods for authenticating against LDAP:
Do a BIND operation against LDAP - you need to know the user DN
Do a password attribute comparison - you need to know the user DN, name of attribute with the password, attribute value encoding (e.g. plaintext, hashed, ...)
For both approaches you need to know the distinguished name of the target user:
Either you are able to construct the DN from credentials (e.g. cn={screenName},ou=Users,o=MyOrg) - which is not supported by Liferay AFAIK;
or you need to do LDAP SEARCH to find the right user DN... for that you need to have a system account.
Account Import & Export
Besides pulling user information right when the user authenticates, Liferay also offers LDAP import and export functionality. For obvious reasons you need to have a privileged system account to be able to search for users in LDAP and / or to write user entries.
TL;DR
Properties ldap.security.principal and ldap.security.credentials are mandatory (they can be configured also via user interface). You will need to have a dedicated system account for Liferay in the LDAP for this.

To Show restricted links on Homepage based on the username we get from siteminder

We have SiteMinder authentication and I am able to fetch the screen name (username) from SiteMinder.
Now I have to create groups based on the screen names. The groups will be Admin and Others.
If the screen name is in the Admin group, it will be able to access everything; if the screen name is in the Others group, a different homepage should appear containing only the links which the Others group can access.
How do I achieve this?
I have tried to use the Realm/user/group roles method, but it is prompting for username and password. Also I don't want to use any username and password, because I want to filter on the basis of screen names.
PS: I don't have knowledge of the Spring framework or other frameworks. I know only JSP and Servlets.
Regards,
Ethan

multiple active directory server authentication using java

I have three Active Directory servers with different addresses, ports and domain names.
In my app, when a user logs in to the system I have to authenticate him. The user provides only his username and password, not the domain name or IP address.
How can I authenticate him? Do I have to loop through all the LDAP servers and break when I get the Context, or is there any other possible solution for authenticating a user against multiple servers?
Please suggest. Thanks in advance.
If the user gives his FDN or UPN (User Principal Name) instead of just a user name it will be helpful. But still there is no guarantee that the UPN will match your realm name. If he gives the FDN then at least you can cache defaultNamingContext from all three servers and try to match it with the FDN provided by the user and authenticate him against the matching server.
But I guess he is providing the sAMAccountName in your case. In this case we don't have any clue to identify the server. You have to go through them one by one and probably cache which server he was authenticated against for a performance improvement next time. It's also possible that the same username exists in multiple ADs. You have to handle this case based on your AD environment.
As an additional note, if it's a web application try using Spring's LdapTemplate. This might ease your task.
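The search-then-bind flow described in the "Liferay with LDAP" answer above and the loop-and-cache approach from this answer, combined in one added example (my code, not from either answer): a system account looks up the user's DN on each configured server, and the user's own password is checked only by binding as that DN. Server URLs, base DNs, the system account and the sAMAccountName attribute are assumptions to adapt to your directory.

```java
import java.util.*;
import java.util.concurrent.ConcurrentHashMap;
import javax.naming.*;
import javax.naming.directory.*;
public class MultiLdapAuthenticator {
    public static class Server { // one directory server plus the system account used only to look up DNs
        final String url, baseDn, systemDn, systemPassword;
        public Server(String u, String b, String d, String p) { url = u; baseDn = b; systemDn = d; systemPassword = p; }
    }
    private final List<Server> servers;
    private final Map<String, Server> lastSeen = new ConcurrentHashMap<>(); // ordering hint only, never trusted
    public MultiLdapAuthenticator(List<Server> servers) { this.servers = servers; }
    private static DirContext bind(String url, String dn, String password) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url); // use ldaps:// or StartTLS in practice; the bind sends the password
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, dn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        return new InitialDirContext(env); // throws AuthenticationException if the server rejects the credentials
    }
    /** Step 1: the system account searches for the user's DN. Step 2: bind as that DN with the user's password. */
    static String authenticateOn(Server s, String username, String password) throws NamingException {
        String userDn = null;
        DirContext sys = bind(s.url, s.systemDn, s.systemPassword);
        try {
            SearchControls sc = new SearchControls(SearchControls.SUBTREE_SCOPE, 0, 0, new String[0], false, false);
            // {0} is escaped by JNDI, so a crafted username cannot change the filter.
            NamingEnumeration<SearchResult> hits = sys.search(s.baseDn, "(sAMAccountName={0})", new Object[] {username}, sc);
            if (hits.hasMore()) userDn = hits.next().getNameInNamespace();
        } finally { sys.close(); }
        if (userDn == null) return null;       // not known on this server
        bind(s.url, userDn, password).close(); // the actual password check
        return userDn;
    }
    /** Returns the server that accepted the credentials, or null if none did. */
    public Server authenticate(String username, String password) {
        // An empty password turns a simple bind into an anonymous bind that "succeeds" on AD: reject it up front.
        if (username == null || username.isEmpty() || password == null || password.isEmpty()) return null;
        List<Server> order = new ArrayList<>(servers);
        Server hint = lastSeen.get(username);
        if (hint != null) { order.remove(hint); order.add(0, hint); } // try the last successful server first
        for (Server s : order) {
            try {
                if (authenticateOn(s, username, password) != null) { lastSeen.put(username, s); return s; }
            } catch (NamingException e) { /* wrong password, unknown user or unreachable server: try the next one */ }
        }
        return null;
    }
}
```

The loop stops at the first server that accepts the credentials, so if the same username legitimately exists in several domains you still have to decide which one wins, as the answer says.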
