dogtagpki / pki

The Dogtag Certificate System is an enterprise-class Certificate Authority (CA) which supports all aspects of certificate lifecycle management, including key archival, OCSP and smartcard management.
https://www.dogtagpki.org
GNU General Public License v2.0

RFE: support external authorization LDAP server #1737

Closed pki-bot closed 4 years ago

pki-bot commented 4 years ago

This issue was migrated from Pagure Issue #1174. Originally filed by cfu (@cfu) on 2014-10-06 20:44:45:


Currently the existing directory-based authentication does not provide group information in the returned AuthToken, and the existing authorization evaluation does not evaluate such group membership if it is not in the internaldb. We should

  1. add a new authentication implementation to retrieve and provide group info (vs. modifying the existing one, as such a search could add to the authentication time)
  2. add a new evaluator to evaluate such group membership that's outside of internaldb

pki-bot commented 4 years ago

Comment from cfu (@cfu) at 2015-02-24 04:46:21

plugin for rhcs8.1 UseridPwdDirAuthentication.java

pki-bot commented 4 years ago

Comment from cfu (@cfu) at 2015-02-24 04:46:41

base plugin for rhcs8.1 DirBasedAuthentication.java

pki-bot commented 4 years ago

Comment from cfu (@cfu) at 2015-02-24 04:46:59

build script for rhcs8.1 build.sh

pki-bot commented 4 years ago

Comment from cfu (@cfu) at 2015-02-24 05:01:57

The above plugin code and build script are for rhcs8.1. They are attached here for conversion to Dogtag. The code is rough and needs cleaning and review.

Here is how I build on rhcs8.1: Say, the attached files are downloaded into a directory called plugins,

  1. edit build.sh : JAVA_FILES=DirBasedAuthentication.java ./build.sh
  2. edit build.sh : JAVA_FILES=UseridPwdDirAuthentication.java ./build.sh
  3. after the above compilation, you will find the class files under: plugins/com/netscape/cms/authentication/ where you will find: DirBasedAuthentication.class UseridPwdDirAuthentication.class

Here is how to make cs run with these plugins:

  1. cd /webapps/ca/WEB-INF/classes
  2. mkdir -p com/netscape/cms/authentication
  3. cp (from the above directory) UseridPwdDirAuthentication.class DirBasedAuthentication.class com/netscape/cms/authentication
  4. For the authentication plugin, edit CS.cfg: add auths.impl.UseridPwdDirAuth.class=com.netscape.cms.authentication.UseridPwdDirAuthentication and change auths.instance.UserDirEnrollment.pluginName=UidPwdDirAuth to auths.instance.UserDirEnrollment.pluginName=UseridPwdDirAuth
  5. Restart the server and try.

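The CS.cfg edit in step 4 of the procedure above, written as an added Python example (not Dogtag code and not from the comment): a pure function that registers the implementation class and repoints the auth instance, with the checks a deployment script should make before the restart in step 5. The CS.cfg fragment it operates on is constructed for the example, and the pre-existing UidPwdDirAuth impl line in it is an assumption about a stock file.

```python
"""Added Python illustration of the CS.cfg edit in step 4 of the procedure
above; not Dogtag code. It registers an auth plugin implementation and points
an existing auth instance at it, idempotently, so a deployment script that is
run twice cannot leave duplicate or conflicting keys behind."""

# Constructed CS.cfg fragment standing in for the pre-deployment state. The
# UidPwdDirAuth impl line is an assumption about what a stock file contains.
CS_CFG_BEFORE = """\
auths.impl.UidPwdDirAuth.class=com.netscape.cms.authentication.UidPwdDirAuthentication
auths.instance.UserDirEnrollment.pluginName=UidPwdDirAuth
auths.instance.UserDirEnrollment.ldap.basedn=ou=People,dc=example,dc=com
"""


def register_auth_plugin(cfg_text, impl_name, impl_class, instance):
    """Return cfg_text with auths.impl.<impl_name>.class=<impl_class> present
    exactly once and auths.instance.<instance>.pluginName=<impl_name>.

    Raises ValueError when the instance does not exist, so a typo in the
    instance name is caught before the server is restarted."""
    impl_key = f"auths.impl.{impl_name}.class"
    inst_key = f"auths.instance.{instance}.pluginName"
    out = []
    impl_seen = inst_seen = False
    for line in cfg_text.splitlines():
        key, sep, _value = line.partition("=")
        if sep and key == impl_key:
            if not impl_seen:          # keep one copy, drop any duplicates
                out.append(f"{impl_key}={impl_class}")
            impl_seen = True
        elif sep and key == inst_key:
            out.append(f"{inst_key}={impl_name}")
            inst_seen = True
        else:
            out.append(line)
    if not inst_seen:
        raise ValueError(f"auth instance not found in CS.cfg: {inst_key}")
    if not impl_seen:
        out.append(f"{impl_key}={impl_class}")
    return "\n".join(out) + "\n"


def plugin_class_for_instance(cfg_text, instance):
    """Resolve the implementation class an auth instance currently maps to,
    or None if its pluginName has no matching auths.impl.*.class entry."""
    impls, plugin_name = {}, None
    for line in cfg_text.splitlines():
        key, sep, value = line.partition("=")
        if not sep:
            continue
        if key.startswith("auths.impl.") and key.endswith(".class"):
            impls[key[len("auths.impl."):-len(".class")]] = value
        elif key == f"auths.instance.{instance}.pluginName":
            plugin_name = value
    return impls.get(plugin_name)


if __name__ == "__main__":
    after = register_auth_plugin(
        CS_CFG_BEFORE, "UseridPwdDirAuth",
        "com.netscape.cms.authentication.UseridPwdDirAuthentication",
        "UserDirEnrollment")
    print(after)
```

Running register_auth_plugin a second time returns the same text, and plugin_class_for_instance returning None flags a pluginName that points at an impl which was never registered, which is the failure mode a manual edit most easily produces.
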
pki-bot commented 4 years ago

Comment from mharmsen (@mharmsen) at 2015-02-24 23:20:58

Per 10.2.2 Triage meeting of 02/24/2015: 10.2.2 (need to determine who can work on this)

pki-bot commented 4 years ago

Comment from ftweedal (@frasertweedale) at 2015-03-16 08:27:08

merged patch pki-frasertweedale-0027-5-Store-groups-on-AuthToken-and-update-group-evaluator.patch

pki-bot commented 4 years ago

Comment from ftweedal (@frasertweedale) at 2015-03-16 08:27:53

pushed to master (f98e599)

pki-bot commented 4 years ago

Comment from ftweedal (@frasertweedale) at 2015-03-25 09:08:12

Configuration options:

Example configuration.

Add to conf/ca/CS.cfg:

auths.instance.UserDirEnrollment.pluginName=UidPwdDirAuth
auths.instance.UserDirEnrollment.ldap.basedn=cn=users,cn=accounts,dc=ipa,dc=local
auths.instance.UserDirEnrollment.ldap.groupObjectClass=groupofnames
auths.instance.UserDirEnrollment.ldap.groups=cn=groups
auths.instance.UserDirEnrollment.ldap.groupsBasedn=cn=accounts,dc=ipa,dc=local
auths.instance.UserDirEnrollment.ldap.groupsEnable=true
auths.instance.UserDirEnrollment.ldap.ldapconn.host=ipa-2.ipa.local
auths.instance.UserDirEnrollment.ldap.ldapconn.port=636
auths.instance.UserDirEnrollment.ldap.ldapconn.secureConn=true

Finally you must tell a profile to use the UserDirEnrollment auth instance defined in CS.cfg, and (if appropriate in your case) provide an ACL for authorization based on groups, in ca/profiles/ca/<profile_id>.cfg. The following is an example only; see also general ACL documentation:

auth.instance_id=UserDirEnrollment
authz.acl=group="cn=devlab-access,ou=engineering,dc=example,dc=com"

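As an added example that is not part of the original issue or of Dogtag's code, the following Python models the two halves this issue asked for in its description (a group lookup after directory authentication, and an evaluator that checks the groups carried on the AuthToken) using the configuration keys shown above. Assumptions, also marked in the code: the group container is ldap.groups under ldap.groupsBasedn; groupofnames lists members in member and groupofuniquenames in uniqueMember (standard LDAP schema); only the group="DN" terms joined by || subset of the ACL expression syntax is modelled; the group entries are constructed, not fetched from a server.

```python
"""Added model of LDAP group lookup plus group-based ACL evaluation.
Illustration only: not Dogtag's implementation. Assumptions are marked."""
import re

# Constructed CS.cfg excerpt using the same keys as the example above.
CS_CFG = """\
auths.instance.UserDirEnrollment.ldap.basedn=cn=users,cn=accounts,dc=ipa,dc=local
auths.instance.UserDirEnrollment.ldap.groupObjectClass=groupofnames
auths.instance.UserDirEnrollment.ldap.groups=cn=groups
auths.instance.UserDirEnrollment.ldap.groupsBasedn=cn=accounts,dc=ipa,dc=local
auths.instance.UserDirEnrollment.ldap.groupsEnable=true
"""

# Constructed group entries, shaped like LDAP search results (no real server).
GROUP_ENTRIES = [
    {"dn": "cn=devlab-access,cn=groups,cn=accounts,dc=ipa,dc=local",
     "objectClass": ["top", "groupofnames"],
     "member": ["uid=alice,cn=users,cn=accounts,dc=ipa,dc=local"]},
    {"dn": "cn=admins,cn=groups,cn=accounts,dc=ipa,dc=local",
     "objectClass": ["top", "groupofnames"],
     "member": ["uid=bob,cn=users,cn=accounts,dc=ipa,dc=local"]},
]

# Standard LDAP schema: the attribute that holds member DNs per group class.
MEMBER_ATTR = {"groupofnames": "member", "groupofuniquenames": "uniqueMember"}


def ldap_settings(cfg_text, instance):
    """Collect the ldap.* keys of one auth instance into a dict."""
    prefix = f"auths.instance.{instance}.ldap."
    settings = {}
    for line in cfg_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.startswith(prefix):
            settings[key[len(prefix):]] = value
    return settings


def escape_filter_value(value):
    """RFC 4515 escaping, so a DN containing '(' ')' '*' or a backslash
    cannot change the shape of the search filter it is embedded in."""
    table = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\0": "\\00"}
    return "".join(table.get(ch, ch) for ch in value)


def normalize_dn(dn):
    """Case- and whitespace-insensitive RDN comparison. Simplified: a real DN
    parser must also handle escaped commas and multi-valued RDNs."""
    return ",".join(rdn.strip().lower() for rdn in dn.split(","))


def group_search(settings, user_dn):
    """Return (base, filter) for the group lookup, or None if groupsEnable is
    off. Assumption: the container is <ldap.groups>,<ldap.groupsBasedn>."""
    if settings.get("groupsEnable", "false").lower() != "true":
        return None
    object_class = settings["groupObjectClass"]
    member_attr = MEMBER_ATTR[object_class.lower()]
    base = settings["groups"] + "," + settings.get("groupsBasedn", settings["basedn"])
    ldap_filter = (f"(&(objectClass={object_class})"
                   f"({member_attr}={escape_filter_value(user_dn)}))")
    return base, ldap_filter


def groups_for_user(entries, settings, user_dn):
    """Apply the membership test the filter expresses to constructed entries;
    the result is what would be stored on the AuthToken after a successful bind."""
    search = group_search(settings, user_dn)
    if search is None:
        return []
    base, _ = search
    object_class = settings["groupObjectClass"].lower()
    member_attr = MEMBER_ATTR[object_class]
    wanted = normalize_dn(user_dn)
    return [e["dn"] for e in entries
            if normalize_dn(e["dn"]).endswith("," + normalize_dn(base))
            and object_class in (c.lower() for c in e.get("objectClass", []))
            and wanted in (normalize_dn(m) for m in e.get(member_attr, []))]


def evaluate_group_acl(acl, token_groups):
    """Evaluate a profile authz.acl of the form group="DN" [|| group="DN" ...]
    against the groups on the AuthToken. Only that subset of the ACL
    expression syntax is modelled here; anything else is rejected."""
    held = {normalize_dn(g) for g in token_groups}
    for term in acl.split("||"):
        match = re.fullmatch(r'\s*group\s*(!=|=)\s*"([^"]*)"\s*', term)
        if not match:
            raise ValueError(f"unsupported ACL term: {term!r}")
        op, dn = match.groups()
        if (normalize_dn(dn) in held) == (op == "="):
            return True
    return False
```

Two details carry the security weight: the authenticated user's DN is filter-escaped before it is embedded in the group search, so a DN containing filter metacharacters cannot widen the query, and the ACL match normalises DNs instead of comparing raw strings, so a group value on the token that differs from authz.acl only in case or spacing does not silently deny (or mismatch) access.
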
pki-bot commented 4 years ago

Comment from cfu (@cfu) at 2017-02-27 14:11:58

Metadata Update from @cfu: