Ldap role-based authorization

Ldap role-based authorization

yoron
Hello Yan,

We are using ldap to authenticate and authorize access to applications in our services.
As part of that, we have a roles mechanism.
I would like to authorize only those users who have a certain role to login to glu.
The existing configuration knobs (ldap.ser.url etc) are missing such options, could you please advise as to what would be the best way to integrate ldap roles into glu?

Thanks,
Yotam.
Re: Ldap role-based authorization

frenchyan
Administrator
There are 2 ways this can be accomplished. 

1) add a plugin (for the console) that defines UserService_pre_authenticate (and which essentially bypasses the glu mechanism entirely)

ex:

import org.apache.shiro.authc.AccountException  // Shiro's AccountException, as used by the console realm

class MyPlugin {

  // Called by the console before its own LDAP realm logic runs.
  // args.authToken is the Shiro token carrying the submitted username and password.
  def UserService_pre_authenticate = { args ->
    def username = args.authToken.username
    def password = new String(args.authToken.password)   // password arrives as a char[]

    // check with ldap, group, etc...

    def authorized = ...

    // returning the username accepts the login; throwing rejects it
    if(authorized)
      return username
    else
      throw new AccountException("not the right ldap group")
  }
}

And check the class ShiroLdapRealm.groovy https://github.com/pongasoft/glu/blob/master/console/org.linkedin.glu.console-webapp/grails-app/realms/org/linkedin/glu/console/realms/ShiroLdapRealm.groovy which contains some example code about ldap access (this is the one which calls the plugin).
2) submit a pull request integrating this change to ShiroLdapRealm.groovy if you think you can make it generic enough and useful for everybody else (ex: ldap.user.group config parameter) and I will integrate it in the source base.

I don't know a lot about ldap so I am not sure what would be generic :)

Yan

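As an added example of the plugin route sketched above (this is not code from the thread or from glu itself), the following Groovy class fills in the "check with ldap, group, etc." step. It binds to the directory as the user (that is the authentication), then allows the login only if the user's DN is listed as a member of one required group. The LDAP URL, user base DN, naming attribute and group DN are assumed placeholder values; a real plugin would read them from the console configuration. The bind and search need a reachable directory; the two escaping helpers are pure and can be exercised on their own.

```groovy
import javax.naming.AuthenticationException
import javax.naming.Context
import javax.naming.NamingException
import javax.naming.directory.DirContext
import javax.naming.directory.InitialDirContext
import javax.naming.directory.SearchControls
import org.apache.shiro.authc.AccountException

// Added example plugin (not glu's own code). Authenticates with a simple bind as
// the user's own DN, then requires membership in REQUIRED_GROUP.
class LdapGroupPlugin {

  // Assumed settings for illustration; take these from the console config in practice.
  static final String LDAP_URL       = 'ldaps://ldap.example.com:636'
  static final String USER_BASE_DN   = 'ou=people,dc=example,dc=com'
  static final String USER_ATTRIBUTE = 'uid'
  static final String REQUIRED_GROUP = 'cn=glu-users,ou=groups,dc=example,dc=com'

  def UserService_pre_authenticate = { args ->
    String username = args.authToken.username
    char[] pw = args.authToken.password
    String password = pw == null ? '' : new String(pw)

    // Never forward an empty password: many directories treat a bind with an
    // empty password as an unauthenticated (anonymous) bind that "succeeds".
    if (!username?.trim() || password.isEmpty()) {
      throw new AccountException('username and password are required')
    }

    String userDn = "${USER_ATTRIBUTE}=${escapeDnValue(username)},${USER_BASE_DN}"
    if (!isMemberOfRequiredGroup(userDn, password)) {
      throw new AccountException("${username} is not a member of ${REQUIRED_GROUP}")
    }
    return username
  }

  // Bind as the user, then ask the group entry whether it lists that DN as a
  // member. Any failure (bad credentials, unreachable directory, missing group)
  // returns false so the caller fails closed.
  static boolean isMemberOfRequiredGroup(String userDn, String password) {
    def env = new Hashtable<String, String>()
    env[Context.INITIAL_CONTEXT_FACTORY] = 'com.sun.jndi.ldap.LdapCtxFactory'
    env[Context.PROVIDER_URL]            = LDAP_URL
    env[Context.SECURITY_AUTHENTICATION] = 'simple'
    env[Context.SECURITY_PRINCIPAL]      = userDn
    env[Context.SECURITY_CREDENTIALS]    = password

    DirContext ctx = null
    try {
      ctx = new InitialDirContext(env)               // throws AuthenticationException on a bad bind
      SearchControls ctls = new SearchControls()
      ctls.searchScope = SearchControls.OBJECT_SCOPE   // examine only the group entry itself
      ctls.returningAttributes = ['1.1'] as String[]   // '1.1' = return no attributes
      ctls.countLimit = 1
      // Cover both groupOfNames (member) and groupOfUniqueNames (uniqueMember).
      String dn = escapeFilterValue(userDn)
      String filter = "(|(member=${dn})(uniqueMember=${dn}))"
      def results = ctx.search(REQUIRED_GROUP, filter, ctls)
      try {
        return results.hasMore()
      } finally {
        results.close()
      }
    } catch (AuthenticationException e) {
      return false
    } catch (NamingException e) {
      return false
    } finally {
      ctx?.close()
    }
  }

  // RFC 4515 escaping for a value placed inside a search filter, so input such
  // as "*)(uid=*" cannot change the query (LDAP filter injection).
  static String escapeFilterValue(String value) {
    StringBuilder sb = new StringBuilder()
    (0..<value.length()).each { i ->
      String ch = value[i]
      switch (ch) {
        case '\\':     sb.append('\\5c'); break
        case '*':      sb.append('\\2a'); break
        case '(':      sb.append('\\28'); break
        case ')':      sb.append('\\29'); break
        case '\u0000': sb.append('\\00'); break
        default:       sb.append(ch)
      }
    }
    return sb.toString()
  }

  // RFC 4514 escaping for a value used inside a DN, so a username containing
  // "," or "=" cannot alter which entry the bind is performed against.
  static String escapeDnValue(String value) {
    StringBuilder sb = new StringBuilder()
    (0..<value.length()).each { i ->
      String ch = value[i]
      boolean edge = (i == 0 || i == value.length() - 1)
      if ('\\,+"<>;='.contains(ch) || (i == 0 && ch == '#') || (edge && ch == ' ')) {
        sb.append('\\')
      }
      sb.append(ch)
    }
    return sb.toString()
  }
}
```

Two design points worth keeping in mind with this route. First, because the hook bypasses the console's own realm logic entirely, everything the realm would normally do (credential check, error handling) has to be done here, which is why the helper fails closed on every exception rather than only on a bad password. Second, the username is user-controlled input that ends up both in a DN and in a search filter, so it is escaped for each context separately; the group lookup is done with the user's own bound context, which avoids holding a privileged service account password in the console.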
Re: Ldap role-based authorization

yoron
Hi Yan,

Thanks for your reply, I think I will take the plugin route, will let you know how it went.

Thanks,
Yotam.
Re: Ldap role-based authorization

frenchyan
Administrator
Yes please. If you can share the code once you are done that would be sweet :) We could put it in https://github.com/pongasoft/glu-contribs

Yan