Provide an LDAP integration #32

Closed
estepper opened this issue Nov 21, 2023 · 2 comments
Comments

@estepper (Contributor)

In the past ISecurityManager provided support for both user authentication and data authorization by providing a security realm model. The realm model is stored in the protected repository and contains its roles, users and groups. This realm-model-based approach is not so suitable for scenarios where the user and group information is already stored in external systems such as LDAP. In addition, the data access rules are often purely application (code) dependent and not dynamic, so that a realm model in the repository can become a burden.

As a consequence we need a more flexible replacement for the realm-based ISecurityManager, which will be called IRepositoryProtector.

@estepper estepper added enhancement New feature or request cdo-core CDO Model Repository (Core) labels Nov 21, 2023
@estepper estepper added this to the 4.25 milestone Nov 21, 2023
@estepper estepper self-assigned this Nov 21, 2023
@estepper (Contributor, Author) commented Nov 21, 2023

Here's an example of the cdo-server.xml markup of the new IRepositoryProtector with an LDAP user authenticator:

    <protector>
      <userAuthenticator type="ldap">
        <environment id="base">
          <property name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
          <property name="java.naming.provider.url" value="ldap://localhost:10389"/>
          <property name="java.naming.security.authentication" value="simple"/>
        </environment>
        
        <environment id="bind" inherits="base">
          <property name="java.naming.security.principal" value="$$$system_property(CDO_BIND_DN)$$$"/>
          <property name="java.naming.security.credentials" value="$$$system_property(CDO_BIND_PW)$$$"/>
        </environment>
        
        <environment id="user" inherits="base">
          <property name="java.naming.security.principal" value="$USER_DN$"/>
          <property name="java.naming.security.credentials" value="$USER_PW$"/>
        </environment>
        
        <searchUser start="ou=Users,dc=example,dc=com" filter="(uid=$USER_ID$)" returnAttributes="uid" environment="bind"/>
        
        <loginUser environment="user">
          <searchGroups start="ou=Groups,dc=example,dc=com" filter="(memberUid=$USER_ATTR_uid$)" returnAttributes="cn"/>
        </loginUser>
      </userAuthenticator> 
      
      <authorizationStrategy type="additive"/>
       
      <revisionAuthorizer permission="none" operation="VETO">
        <class value="http://www.eclipse.org/emf/CDO/security/4.1.0#//UserPassword"/>
      </revisionAuthorizer>
      
      <revisionAuthorizer permission="write">
        <and>
          <userId value="stepper"/>
          <feature instanceOf="http://www.eclipse.org/emf/CDO/security/4.1.0#//Assignee" key="id" value="administrator" test="contains_ci"/>
        </and>
      </revisionAuthorizer>
      
      <revisionAuthorizer permission="read">
        <ldapGroupAttribute key="cn" value="AMS Users"/>
      </revisionAuthorizer>
      
      <revisionAuthorizer description="Matcher Demo" permission="none" disabled="true">
        <or>
          <sessionProperty key="xyz.special" value="true"/>
          
          <repositoryUuid value="453-524-123"/>
          <repositoryName value="LM_.*" test="regex"/>
          <repositoryPrimary value="true"/>
          <repositoryProperty key="cdo.lm.server.module_name" value=".*_tests" test="regex"/>
          
          <userId value="stepper"/>
          <userId value="AMS.*" test="regex"/>
          <ldapUserDn value="uid=stepper,ou=Users,dc=example,dc=com"/>
          <ldapUserDn value="uid=.*,ou=Users,dc=example,dc=com" test="regex"/>
          <ldapUserAttribute key="uidNumber" value="10015"/>
          <ldapGroupDn value="cn=AMS Users,ou=Groups,dc=example,dc=com"/>
          <ldapGroupAttribute key="cn" value="AMS Users"/>
          
          <contextBranchId value="123" subBranches="true"/>
          <contextBranchName value="MAIN/team15"/>
          <contextHistorical value="true"/>
          
          <id value="4711" test="gte_int"/>
          <instanceOf value="http://omg.org/uml#//StateMachine"/>
          <class value="http://omg.org/uml#//StateMachine" subClasses="true"/>
          <className value=".*Data" test="regex"/>
          <package value="http://www.eclipse.org" subPackages="true"/>
          <packageName value=".*tests" test="regex"/>
          <branchId value="123" subBranches="true"/>
          <branchName value="MAIN/team15"/>
          <feature key="name" value="FlipFlop.*" test="regex"/>
          
          <and id="flipflop">
            <feature key="name" value="FlipFlop"/>
            <not>
              <class value="http://omg.org/uml#//StateChart"/>
              <class value="http://omg.org/uml#//ClassDiagram"/>
              <class value="http://omg.org/uml#//Actor"/>
            </not>
          </and>
          
          <matcher ref="flipflop"/>
        </or>
      </revisionAuthorizer>
    </protector>
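Added worked example (not from the issue author and not CDO's own code): a small model of what the `<environment>` and `<searchUser>`/`<searchGroups>` elements above describe. It merges an environment with its `inherits` chain, expands the `$$$system_property(NAME)$$$` and `$NAME$` placeholders, and splices the user-supplied `$USER_ID$` into the search filter with RFC 4515 escaping so that filter metacharacters in the id are matched literally. How the real IRepositoryProtector expands and escapes these placeholders is not stated in the issue; the function names (`resolve_environment`, `build_filter`, `escape_filter_value`), the dictionary layout and the sample values are assumptions made for this example.

```python
"""Added example, not part of the CDO issue or code base: environment
inheritance and filter-template substitution for the LDAP userAuthenticator
configuration shown in the issue."""
import re

# Constructed model of the three <environment> elements from the cdo-server.xml
# above (same property names; layout is this example's own).
ENVIRONMENTS = {
    "base": {"inherits": None, "properties": {
        "java.naming.factory.initial": "com.sun.jndi.ldap.LdapCtxFactory",
        "java.naming.provider.url": "ldap://localhost:10389",
        "java.naming.security.authentication": "simple",
    }},
    "bind": {"inherits": "base", "properties": {
        "java.naming.security.principal": "$$$system_property(CDO_BIND_DN)$$$",
        "java.naming.security.credentials": "$$$system_property(CDO_BIND_PW)$$$",
    }},
    "user": {"inherits": "base", "properties": {
        "java.naming.security.principal": "$USER_DN$",
        "java.naming.security.credentials": "$USER_PW$",
    }},
}

SYSPROP_RE = re.compile(r"\$\$\$system_property\(([A-Za-z0-9_.]+)\)\$\$\$")
PLACEHOLDER_RE = re.compile(r"\$([A-Za-z0-9_]+)\$")


def resolve_environment(env_id, system_properties, values=None, environments=ENVIRONMENTS):
    """Merge env_id with its `inherits` chain (child overrides parent), then expand
    $$$system_property(NAME)$$$ from system_properties and $NAME$ from values.
    A missing property or value raises KeyError rather than binding with an
    empty principal or password."""
    values = values or {}
    chain, current, seen = [], env_id, set()
    while current is not None:
        if current in seen:
            raise ValueError(f"environment inheritance cycle at {current!r}")
        seen.add(current)
        chain.append(environments[current]["properties"])
        current = environments[current]["inherits"]
    merged = {}
    for props in reversed(chain):  # parent first, so the child wins
        merged.update(props)
    resolved = {}
    for key, raw in merged.items():
        expanded = SYSPROP_RE.sub(lambda m: system_properties[m.group(1)], raw)
        expanded = PLACEHOLDER_RE.sub(lambda m: values[m.group(1)], expanded)
        resolved[key] = expanded
    return resolved


def escape_filter_value(value):
    """Escape an assertion value per RFC 4515: NUL, '(', ')', '*', '\\' and every
    non-ASCII UTF-8 byte become \\xx, so the value cannot change the filter's
    structure."""
    out = []
    for byte in value.encode("utf-8"):
        if byte in (0x00, 0x28, 0x29, 0x2A, 0x5C) or byte >= 0x80:
            out.append("\\%02x" % byte)
        else:
            out.append(chr(byte))
    return "".join(out)


def build_filter(template, values):
    """Substitute $NAME$ placeholders in a <searchUser>/<searchGroups> filter
    template; each value is escaped before it is spliced into the filter."""
    def sub(match):
        name = match.group(1)
        if name not in values:
            raise KeyError(f"no value for placeholder ${name}$")
        return escape_filter_value(values[name])
    return PLACEHOLDER_RE.sub(sub, template)


if __name__ == "__main__":
    # Constructed sample values; in CDO the bind DN and password would come
    # from system properties and the user DN from the searchUser result.
    sysprops = {"CDO_BIND_DN": "cn=svc,dc=example,dc=com", "CDO_BIND_PW": "bind-pw"}
    print(resolve_environment("bind", sysprops))
    print(build_filter("(uid=$USER_ID$)", {"USER_ID": "stepper"}))
    print(build_filter("(uid=$USER_ID$)", {"USER_ID": "x*)(uid=y"}))
    print(resolve_environment("user", sysprops,
                              {"USER_DN": "uid=stepper,ou=Users,dc=example,dc=com",
                               "USER_PW": "user-pw"}))
```

The check worth keeping from this is the second `build_filter` call: with escaping, an id containing `*`, `(` or `)` becomes a literal assertion value instead of extra filter terms, which is the property to verify for any `$USER_ID$`-style substitution into `<searchUser>` and `<searchGroups>` filters.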

@estepper (Contributor, Author)
I know there's much more documentation needed, but time is limited. Please ask if there's something you don't understand.

estepper added a commit that referenced this issue Nov 21, 2023
estepper added a commit that referenced this issue Nov 22, 2023
estepper added a commit that referenced this issue Nov 24, 2023
estepper added a commit that referenced this issue Nov 24, 2023
estepper added a commit that referenced this issue Nov 27, 2023
estepper added a commit that referenced this issue Nov 28, 2023
estepper added a commit that referenced this issue Nov 28, 2023
estepper added a commit that referenced this issue Nov 28, 2023
estepper added a commit that referenced this issue Nov 29, 2023