LDAP Security - document active directory #10270

Open
hyperman1 opened this issue Jun 25, 2020 · 1 comment
Labels
kind/enhancement New feature or request

Comments

@hyperman1

If all these are fixed, you might want to document how to use Active Directory with the LDAP plug-in.

#10110 - setRecursive
#10258 - same ldap query multiple times
#10259 - config can differ between dev and prod
#10264 - group to role mapping
#10267 - cache ldap results

Here is an example for application.properties:

    quarkus.security.ldap.enabled=true
    quarkus.security.ldap.realm-name=somename
    quarkus.security.ldap.direct-verification=true
    
    #Use a tool such as dsquery or adexplorer to find out how your DNs are organized
    quarkus.security.ldap.dir-context.principal=CN=Some_account,OU=Services,OU=Accounts,OU=MainOffice,OU=Departments,DC=example,DC=com
    #Choose ldap:// or ldaps:// and choose the port number based on normal (389/636) or global catalog (3268/3269)
    quarkus.security.ldap.dir-context.url=ldap://activedirectoryserver.example.com:3268
    #Password of the service account; keep it out of version control (e.g. set QUARKUS_SECURITY_LDAP_DIR_CONTEXT_PASSWORD in the environment instead)
    quarkus.security.ldap.dir-context.password=Password for Some_account
    #I only tested sAMAccountName, but userPrincipalName might also be a good choice
    quarkus.security.ldap.identity-mapping.rdn-identifier=sAMAccountName
    #The deepest OU shared by all employees
    quarkus.security.ldap.identity-mapping.search-base-dn=OU=Departments,DC=example,DC=com
    
    #map the common name from a filter to the 'groups' attribute
    quarkus.security.ldap.identity-mapping.attribute-mappings."0".from=cn
    quarkus.security.ldap.identity-mapping.attribute-mappings."0".to=groups
    #This filter searches for all groups that have your DN as member.
    #Most important is (member:1.2.840.113556.1.4.1941:={1})
    # which returns all groups (recursively) that have the DN {1} as member;
    # the realm replaces {1} with the authenticated user's DN ({0} would be the user name)
    #As this might be extremely slow, we limit the filter to only the groups that are of interest for this application
    #The member clause is ANDed with the OR of group names and every parenthesis must be closed:
    # with the member clause inside the OR, every authenticated user would receive every listed group
    quarkus.security.ldap.identity-mapping.attribute-mappings."0".filter=(&(|(CN=GROUP1)(CN=GROUP2)(CN=more groups as needed here))(member:1.2.840.113556.1.4.1941:={1}))
    #The deepest OU shared by all security groups
    quarkus.security.ldap.identity-mapping.attribute-mappings."0".filter-base-dn=OU=Departments,DC=example,DC=com


    #Now you'll need a mechanism to map groups to roles, which does not exist in quarkus today.
    #Check https://github.com/quarkusio/quarkus/issues/10264 for the correct syntax
    quarkus.security.grouptorole.GROUP1=user
    quarkus.security.grouptorole.GROUP2=user,admin
@hyperman1 hyperman1 added the kind/enhancement New feature or request label Jun 25, 2020
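The filter line is the part of this configuration that decides who receives which group, so it deserves a check before it reaches production. The Python below is an added example (not Quarkus or WildFly Elytron code, and not from the issue author): it builds the AND(OR(cn=...), member:1.2.840.113556.1.4.1941:={1}) filter with RFC 4515 escaping of the group names and of the DN substituted for {1}, verifies that the parentheses balance, and then evaluates both that filter and a mis-nested variant (member clause inside the OR) against a constructed in-memory group tree with nested membership. It assumes Elytron's documented behaviour of replacing {1} with the authenticated user's DN; the DNs, group names and membership data are constructed sample data, and the parser covers only the filter subset used here.

```python
"""Build and check the Active Directory group filter discussed in the issue.

Added example, not Quarkus or WildFly Elytron code. It assumes Elytron's
documented substitution of '{1}' with the authenticated user's DN before the
search runs; DIRECTORY below is constructed sample data, not a real AD.
"""
import re

# OID of AD's LDAP_MATCHING_RULE_IN_CHAIN: matches transitive (nested) membership.
LDAP_MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"

def escape_filter_value(value):
    """RFC 4515 escaping so a group name or DN cannot inject filter syntax."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)

def build_group_filter(allowed_group_cns):
    """AND(OR(cn=...), transitive member): a group is returned only when the user
    is a (nested) member of it AND it is one the application cares about."""
    cn_clauses = "".join(f"(cn={escape_filter_value(cn)})" for cn in allowed_group_cns)
    return f"(&(|{cn_clauses})(member:{LDAP_MATCHING_RULE_IN_CHAIN}:={{1}}))"

def bind_user_dn(filter_template, user_dn):
    """What the realm does at login: substitute the user's DN for '{1}'."""
    return filter_template.replace("{1}", escape_filter_value(user_dn))

def check_balanced(ldap_filter):
    """True when every '(' is closed; escaped parentheses (\\28, \\29) are ignored."""
    depth = 0
    for c in re.sub(r"\\[0-9a-fA-F]{2}", "", ldap_filter):
        depth += (c == "(") - (c == ")")
        if depth < 0:
            return False
    return depth == 0

def parse_filter(s, pos=0):
    """Recursive-descent parser for the subset used here: (&..), (|..),
    (attr=value) and (attr:oid:=value). Returns (node, position after node)."""
    if s[pos] != "(":
        raise ValueError(f"expected '(' at {pos}")
    pos += 1
    if s[pos] in "&|":
        op, children, pos = s[pos], [], pos + 1
        while s[pos] == "(":
            child, pos = parse_filter(s, pos)
            children.append(child)
        if s[pos] != ")":
            raise ValueError(f"expected ')' at {pos}")
        return (op, children), pos + 1
    end = s.index(")", pos)  # safe: a literal ')' inside a value is escaped
    attr, value = s[pos:end].split("=", 1)
    value = re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)
    return ("=", attr.lower(), value), end + 1

def transitive_members(group_dn, directory, seen=None):
    """DNs reachable from a group through nested 'member' links (cycle-safe)."""
    seen = set() if seen is None else seen
    for dn in directory[group_dn]["member"]:
        if dn not in seen:
            seen.add(dn)
            if dn in directory:  # nested group: descend into it
                transitive_members(dn, directory, seen)
    return seen

def entry_matches(node, group_dn, directory):
    """Evaluate a parsed filter against one group entry."""
    if node[0] in "&|":
        combine = all if node[0] == "&" else any
        return combine(entry_matches(c, group_dn, directory) for c in node[1])
    _, attr, value = node
    if attr == f"member:{LDAP_MATCHING_RULE_IN_CHAIN}:":
        return value in transitive_members(group_dn, directory)
    if attr == "cn":
        return directory[group_dn]["cn"].lower() == value.lower()
    raise ValueError(f"unsupported attribute {attr!r}")

def groups_for(user_dn, filter_template, directory):
    """Simulate the realm's search: cn of every group the bound filter matches."""
    bound = bind_user_dn(filter_template, user_dn)
    if not check_balanced(bound):
        raise ValueError("unbalanced filter: " + bound)
    tree, _ = parse_filter(bound)
    return sorted(directory[dn]["cn"] for dn in directory if entry_matches(tree, dn, directory))

# Constructed sample tree: alice is in GROUP1 only through a nested group, bob is a
# direct member of GROUP2, and Payroll is a group this application never lists.
BASE = "OU=Departments,DC=example,DC=com"
ALICE, BOB = f"CN=alice,OU=Staff,{BASE}", f"CN=bob,OU=Staff,{BASE}"
DIRECTORY = {
    f"CN=GROUP1,OU=Groups,{BASE}": {"cn": "GROUP1", "member": [f"CN=App Developers,OU=Groups,{BASE}"]},
    f"CN=App Developers,OU=Groups,{BASE}": {"cn": "App Developers", "member": [ALICE]},
    f"CN=GROUP2,OU=Groups,{BASE}": {"cn": "GROUP2", "member": [BOB]},
    f"CN=Payroll,OU=Groups,{BASE}": {"cn": "Payroll", "member": [ALICE]},
}
CORRECT = build_group_filter(["GROUP1", "GROUP2"])
# Same clauses with the member test inside the OR: an easy mistake when writing the filter by hand.
MISNESTED = f"(&(|(CN=GROUP1)(CN=GROUP2)(member:{LDAP_MATCHING_RULE_IN_CHAIN}:={{1}})))"

if __name__ == "__main__":
    for who in (ALICE, BOB):
        print(who.split(",")[0], "correct ->", groups_for(who, CORRECT, DIRECTORY),
              "| misnested ->", groups_for(who, MISNESTED, DIRECTORY))
```

Run stand-alone, it prints the groups each sample user receives under both filters: the mis-nested filter hands bob GROUP1 although he is not a member of it, and hands alice every group she belongs to, including one the application never meant to expose, while the correct filter returns only the listed groups the user is actually a (nested) member of. The `bind_user_dn` step models the substitution and escaping this example assumes the realm performs for `{1}`; confirm that against the Elytron version you deploy rather than relying on this model.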
@joel-rv

joel-rv commented Jul 29, 2024

👀


2 participants