How to configure access to cas management using LDAP roles


Mohamed Amdouni

Jul 15, 2024, 11:44:07 AM (10 days ago) Jul 15
to CAS Community
Hello,
 
I configured CAS Management with:

mgmt.admin-roles[0]=ROLE_ADMIN
mgmt.user-properties-file=<pathToProperties files>


I would like to give access using the LDAP attribute memberOf instead of hardcoding users in the file "mgmt.user-properties-file".
I mean, if a user is a member of the cas-admin LDAP group, he will be able to access CAS Management as administrator.

I tried accessStrategy, but it does not work and the user still has to be defined in the property file.

Thanks.



Ray Bon

Jul 15, 2024, 10:53:31 PM (10 days ago) Jul 15
to CAS Community
Mohamed,

I have this in my management.properties file
mgmt.authz-attributes[0] = description

In LDAP I have
description: ROLE_ADMIN

I believe the attribute value must be ROLE_ADMIN.
You may be able to remap the value from your ldap group.

Ray

--
- Website: https://apereo.github.io/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/5357c4a0-9b60-4f7b-a1a9-d30ce9d8ac94n%40apereo.org.

Mohamed Amdouni

Jul 16, 2024, 10:30:42 AM (9 days ago) Jul 16
to cas-...@apereo.org
Hi Ray,

Would you explain more, please?

- I have a CAS service for the management app including accessStrategy.
- The authentication now happens using the CAS SSO server and returns the memberOf attribute, which contains the LDAP groups.
- accessStrategy works fine to control roles but requires the user id to be present in adminusers.json.

What I would like to do is to avoid listing all users in adminusers.json.

- When I remove mgmt.user-properties-file from the properties, CAS Management does not start because it is required by the AuthorizationGenerator bean.

I added the property 

mgmt.authz-attributes[0] = memberOf

But I don't know what to do to avoid listing the users in adminusers.json.

Thanks 


Ray Bon

Jul 16, 2024, 2:50:25 PM (9 days ago) Jul 16
to cas-...@apereo.org
Mohamed,

My experience is with an older 6.x version; not sure if newer cas management has made any changes to authz.

accessStrategy is a cas side feature; cas management has its own authorization requirements. That is, cas can use accessStrategy to block login to an application, but it cannot override an application's built in authorization.

I have a users.json file but it is empty (cas management needs the file for startup, but can authz with login attribute - mgmt.authz-attributes[0] = ...).

I recall looking at the code for cas management 6.x, and it only checked for ROLE_ADMIN as the attribute value.
If you want to use group membership, you may have to convert it into a new attribute with ROLE_ADMIN as its value https://apereo.github.io/cas/7.0.x/integration/Attribute-Definitions.html

Ray
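The remapping Ray describes in both of his replies (an attribute whose value is literally ROLE_ADMIN, derived from LDAP group membership rather than stored in the directory) can be done with a file-based attribute definition script. The following is an added example, not code from this thread or from the CAS project; the attribute key casMgmtRole, the group DN cn=cas-admin,ou=groups,dc=example,dc=com and the file paths are assumptions for illustration, and the script contract (source attribute values first, logger second) is taken from the linked Attribute-Definitions page and should be checked against your CAS version. The point worth getting right for security is the comparison: match the whole group DN, normalised, rather than a substring, so that a group such as cn=cas-admin-readers or a cas-admin group under a different OU does not also grant ROLE_ADMIN.

```groovy
// Added example (not from the thread or the CAS project): a file-based attribute
// definition script that derives ROLE_ADMIN from the LDAP memberOf attribute.
//
// Assumed wiring (names and paths are illustrative):
//   cas.properties:
//     cas.person-directory.attribute-definition-store.json.location=file:/etc/cas/config/attribute-definitions.json
//   attribute-definitions.json:
//     {
//       "@class": "java.util.TreeMap",
//       "casMgmtRole": {
//         "@class": "org.apereo.cas.authentication.attribute.DefaultAttributeDefinition",
//         "key": "casMgmtRole",
//         "attribute": "memberOf",
//         "script": "file:/etc/cas/config/mgmt-role.groovy"
//       }
//     }
//   management.properties:
//     mgmt.authz-attributes[0]=casMgmtRole
//
// Script contract assumed from the Attribute-Definitions page: args[0] holds the
// values of the source attribute (memberOf), args[1] is a logger. Verify against
// the documentation for your CAS version.

import groovy.transform.Field

// Full DN of the admin group. Assumption for this example; use your own directory's DN.
@Field String ADMIN_GROUP_DN = 'cn=cas-admin,ou=groups,dc=example,dc=com'

/**
 * Canonical form of a DN for comparison. LDAP DNs are case-insensitive and may
 * carry whitespace around RDN separators, so raw string equality is not reliable.
 */
String normaliseDn(String dn) {
    dn.split(',').collect { it.trim().toLowerCase() }.join(',')
}

/**
 * Returns ['ROLE_ADMIN'] only when one memberOf value is exactly the admin group DN.
 * Deliberately not a contains()/startsWith() check: a substring match would also
 * accept cn=cas-admin-readers,... or cn=cas-admin under another OU.
 */
List<String> roleFor(Collection<?> memberOf) {
    String wanted = normaliseDn(ADMIN_GROUP_DN)
    boolean isAdmin = memberOf.any { it != null && normaliseDn(it.toString()) == wanted }
    isAdmin ? ['ROLE_ADMIN'] : []
}

def run(final Object... args) {
    def (attributeValues, logger) = args
    // memberOf arrives as a single String for one group or a Collection for several.
    def values = (attributeValues instanceof Collection) ? attributeValues : [attributeValues]
    def role = roleFor(values)
    logger.debug("memberOf {} -> casMgmtRole {}", values, role)
    return role
}
```

Two things to check once this is in place. First, CAS Management is a CAS client and only sees the attributes released to its own service registration, so casMgmtRole must be in that service's attribute release policy or the management app will never see ROLE_ADMIN. Second, as Ray notes, mgmt.user-properties-file still has to point at a file for the application to start; it can be empty.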

 