quarkusio / quarkus

Quarkus: Supersonic Subatomic Java.
https://quarkus.io
Apache License 2.0

LDAP Security - document active directory #10270

Open hyperman1 opened 4 years ago

hyperman1 commented 4 years ago

If all these are fixed, you might want to document how to use Active Directory with the LDAP plug-in.

https://github.com/quarkusio/quarkus/issues/10110 - setRecursive
https://github.com/quarkusio/quarkus/issues/10258 - same LDAP query multiple times
https://github.com/quarkusio/quarkus/issues/10259 - config can differ between dev and prod
https://github.com/quarkusio/quarkus/issues/10264 - group to role mapping
https://github.com/quarkusio/quarkus/issues/10267 - cache LDAP results

Here is an example for application.properties:

    quarkus.security.ldap.enabled=true
    quarkus.security.ldap.realm-name=somename
    quarkus.security.ldap.direct-verification=true

    #Use a tool as dsquery or adexplorer to find out how your dn's are organized
    quarkus.security.ldap.dir-context.principal=CN=Some_account,OU=Services,OU=Accounts,OU=MainOffice,OU=Departments,DC=example,DC=com
    #Choose ldap:// or ldaps:// and choose the port number based on normal or global catalog
    quarkus.security.ldap.dir-context.url=ldap://activedirectoryserver.example.com:3268
    quarkus.security.ldap.dir-context.password=Password for Some_account
    #I only tested sAMAccountName, but userPrincipalName might also be a good choice
    quarkus.security.ldap.identity-mapping.rdn-identifier=sAMAccountName
    #The deepest OU shared by all employees
    quarkus.security.ldap.identity-mapping.search-base-dn=OU=Departments,DC=example,DC=com

    #map the common name from a filter to the 'groups' attribute
    quarkus.security.ldap.identity-mapping.attribute-mappings."0".from=cn
    quarkus.security.ldap.identity-mapping.attribute-mappings."0".to=groups
    #This filter searches for all groups that have your dn as member.
    #Most important is (member:1.2.840.113556.1.4.1941:={1})
    # which returns all groups (recursively) that have the user's dn {1} as member
    #As this might be extremely slow, we limit the filter to only the groups that are of interest for this application
    #(the CN alternatives are OR-ed together, and that OR is AND-ed with the member clause)
    quarkus.security.ldap.identity-mapping.attribute-mappings."0".filter=(&(|(CN=GROUP1)(CN=GROUP2)(CN=more groups as needed here))(member:1.2.840.113556.1.4.1941:={1}))
    #The deepest OU shared by all security groups
    quarkus.security.ldap.identity-mapping.attribute-mappings."0".filter-base-dn=OU=Departments,DC=example,DC=com

    #Now you'll need a mechanism to map groups to roles, which does not exist in quarkus today.  
    #Check https://github.com/quarkusio/quarkus/issues/10264 for the correct syntax
    quarkus.security.grouptorole.GROUP1=user
    quarkus.security.grouptorole.GROUP2=user,admin
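
The nested-group filter and the proposed group-to-role mapping from the configuration above, built and checked as an added example (not Quarkus code and not from the issue author); the sample DN, the group list and the parser for the hypothetical `quarkus.security.grouptorole.*` syntax are assumptions.

```python
import re

# OID of LDAP_MATCHING_RULE_IN_CHAIN, as used in the filter in the issue.
MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value placed inside a search filter, so a DN
    containing '(', ')', '*', '\\' or NUL cannot alter the filter's structure."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)


def nested_group_filter(user_dn: str, groups_of_interest: list[str]) -> str:
    """Filter for groups that (recursively) contain user_dn, restricted to the
    named CNs: the OR of CN clauses is AND-ed with the member-in-chain clause."""
    cn_clauses = "".join(f"(CN={escape_filter_value(g)})" for g in groups_of_interest)
    member_clause = f"(member:{MATCHING_RULE_IN_CHAIN}:={escape_filter_value(user_dn)})"
    return f"(&(|{cn_clauses}){member_clause})"


def filter_is_balanced(ldap_filter: str) -> bool:
    """Sanity check for a hand-written filter: every '(' is closed, none early."""
    depth = 0
    for ch in ldap_filter:
        depth += {"(": 1, ")": -1}.get(ch, 0)
        if depth < 0:
            return False
    return depth == 0


def group_to_role_map(properties: str) -> dict[str, set[str]]:
    """Parse hypothetical quarkus.security.grouptorole.<GROUP>=<role,...> lines
    (the syntax proposed in the issue, not an existing Quarkus property)."""
    mapping: dict[str, set[str]] = {}
    for line in properties.splitlines():
        m = re.match(r"\s*quarkus\.security\.grouptorole\.([^=\s]+)\s*=\s*(.+)", line)
        if m:
            mapping[m.group(1)] = {r.strip() for r in m.group(2).split(",") if r.strip()}
    return mapping


def roles_for(group_cns: list[str], mapping: dict[str, set[str]]) -> set[str]:
    """Union of the roles mapped to the group CNs the LDAP query returned;
    groups without a mapping contribute no roles."""
    return set().union(*(mapping.get(g, set()) for g in group_cns))
```
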

joel-rv commented 1 month ago

👀