How Do I Configure the Security Plug-In For LDAP


beth.w...@gmail.com

Dec 18, 2014, 9:39:42 AM12/18/14
to ozonepla...@googlegroups.com
Hi,
 
I have an OWF version 7 instance setup and would like to investigate using LDAP for authentication and authorization.  My goal is to lookup a user based on a PKI certificate in LDAP to allow/disallow login to OWF.  Then I would like to be able to use LDAP when developing a widget to determine authorizations.
 
I don't see much in the way of instructions on how to implement this.  Does anyone have suggestions on where I can find good detailed instructions, or has anyone ever implemented LDAP security?  Any advice or knowledge would be greatly appreciated.
 
Thanks,
Beth

Ross Pokorny

Dec 18, 2014, 9:49:27 AM12/18/14
to ozonepla...@googlegroups.com
Beth

OWF ships with several sample configurations for the security plugin, located
in the owf-security folder within the bundle. You will find that several of
these samples use an LDAP backend. While the samples are specifically set up
to work with a particular LDAP schema, they can serve as a good jumping-off
point for creating a configuration that will work in your environment.

It would probably be a good idea for you to read the spring security
documentation regarding LDAP, which can be found here:
http://docs.spring.io/spring-security/site/docs/3.0.x/reference/ldap.html

Ross Pokorny
OZONE Developer

beth.w...@gmail.com

Dec 18, 2014, 11:04:51 AM12/18/14
to ozonepla...@googlegroups.com
Ross,
 
Thanks for the site.  I have read through the page, and it looks like the authorizations to look up in LDAP are the ROLE_USER and ROLE_ADMIN to determine how to login to OWF.  Is this correct?  Our LDAP is tailored to different projects, we have custom LDAP fields to store the privileges allowed on objects for that project.  So will a developer of an OWF widget need to write custom code to search LDAP for these custom fields and have the widget behave accordingly?
 
Thanks,
Beth

Tina Coleman

Dec 18, 2014, 11:12:43 AM12/18/14
to ozonepla...@googlegroups.com

If you're talking about widget behavior, rather than OWF login behavior, then yes, the developer will need to write custom code.  The security plugin for OWF handles authentication and authorization decisions for OWF itself, but not for the widgets.  ROLE_ADMIN and ROLE_USER are the authorizations that OWF requires.


To handle the general-purpose question of how you'd map a different LDAP schema's information into something OWF can handle, take a look at the UserDetailsContextMapper information provided here: http://docs.spring.io/spring-security/site/docs/3.2.x/reference/htmlsingle/#ldap-custom-user-details



Tina Coleman

NEXTCENTURYCORPORATION
7075 Samuel Morse Drive, Suite 250 | Columbia, MD 21046
m 443.545.3100 | f 443.285.0799 | www.nextcentury.com
 


Ross Pokorny

Dec 18, 2014, 11:16:11 AM12/18/14
to ozonepla...@googlegroups.com
Beth

OWF's security plugin only serves the OWF container itself, not the widgets
running within OWF. The widgets, being separate web applications, will need
to handle their own auth & auth concerns, though they are certainly free to
use the same LDAP backend, and possibly their own copy of some of the same
security code, as OWF.

You are correct that OWF itself expects ROLE_USER and ROLE_ADMIN roles to be
provided by the security plugin. This does not however mean that you have to
store your role information in that exact format within LDAP. You can store
it however you'd like, as long as you write/configure the security plugin to
translate the stored information into ROLE_USER and ROLE_ADMIN.

Ross Pokorny
OZONE Developer
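Tina's pointer to UserDetailsContextMapper and Ross's note that stored role information only has to be translated into ROLE_USER and ROLE_ADMIN can be combined in one Spring Security mapper. The class below is an added illustration, not code from OWF or from this thread; the attribute name "projectPrivilege" and the values "owf-user" / "owf-admin" are assumptions standing in for a project's custom LDAP fields, and a real plugin would return OWF's own OWFUserDetails rather than Spring's User.

```java
import java.util.Collection;
import java.util.LinkedHashSet;
import java.util.Set;

import org.springframework.ldap.core.DirContextAdapter;
import org.springframework.ldap.core.DirContextOperations;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.ldap.userdetails.UserDetailsContextMapper;

/**
 * Translates a project-specific LDAP attribute into the two roles OWF requires.
 * The attribute name and its values are assumptions, not a real schema.
 */
public class ProjectPrivilegeContextMapper implements UserDetailsContextMapper {

    // Assumed multi-valued attribute holding the project's own privilege tokens.
    private static final String PRIVILEGE_ATTR = "projectPrivilege";

    @Override
    public UserDetails mapUserFromContext(DirContextOperations ctx, String username,
                                          Collection<? extends GrantedAuthority> authorities) {
        // LinkedHashSet de-duplicates when a user carries both tokens.
        Set<GrantedAuthority> granted = new LinkedHashSet<GrantedAuthority>(authorities);

        String[] privs = ctx.getStringAttributes(PRIVILEGE_ATTR);
        if (privs != null) {
            for (String p : privs) {
                // Exact comparison only: a prefix or substring match would let an
                // unrelated value such as "owf-admin-readonly" confer admin rights.
                if ("owf-user".equals(p)) {
                    granted.add(new SimpleGrantedAuthority("ROLE_USER"));
                } else if ("owf-admin".equals(p)) {
                    granted.add(new SimpleGrantedAuthority("ROLE_USER"));
                    granted.add(new SimpleGrantedAuthority("ROLE_ADMIN"));
                }
            }
        }
        // No mapped token means an empty authority set, so OWF's ROLE_USER
        // requirement rejects the login instead of silently admitting the user.
        // Spring's User rejects a null password; the empty string is never used
        // because the certificate / LDAP bind has already authenticated the user.
        return new User(username, "", granted);
    }

    @Override
    public void mapUserToContext(UserDetails user, DirContextAdapter ctx) {
        throw new UnsupportedOperationException("OWF does not write users back to LDAP");
    }
}
```

The mapper is wired in with the user-context-mapper-ref attribute of Spring Security's ldap-authentication-provider element, alongside the LDAP server URL and user search already present in the shipped owf-security samples.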

beth.w...@gmail.com

Dec 18, 2014, 11:19:04 AM12/18/14
to ozonepla...@googlegroups.com
Tina,
 
Thanks for the information, this is what I thought about the widgets themselves, but wanted to make sure.
 
Thanks,
Beth

beth.w...@gmail.com

Dec 18, 2014, 11:19:47 AM12/18/14
to ozonepla...@googlegroups.com
Ross,
 
Thanks for the reply explaining about the widgets.
 
Beth

beth.w...@gmail.com

Dec 18, 2014, 12:42:07 PM12/18/14
to ozonepla...@googlegroups.com
Ross,
 
One more question, we are currently implementing extensions to the UserDetailsService, OWFUserDetails, and OWFGroup classes.  The "loadUserByUsername" method checks our LDAP to see if the user is valid, and retrieves several pieces of information including group names.  With this method, I see that users successfully logged in are automatically added as OWF users.  If I were to implement the configuration method outlined in the site you provided to me, are users in the LDAP also automatically added to OWF?
 
Thanks,
Beth

Ross Pokorny

Dec 18, 2014, 12:51:53 PM12/18/14
to ozonepla...@googlegroups.com
> I see that users successfully logged in are automatically
> added as OWF users.
Are you referring to the user records which are added to the OWF database, and
which are viewable in the OWF admin tools?

If so, to answer your question, any user who successfully logs in will have
their information provided to OWF by the security plugin at that time. OWF
will then make a record in its database for that user, and it will update that
record each further time that they log in. This happens regardless of the
backend used by the security plugin. There is not a mechanism in place to
automatically add all users from LDAP to the OWF database in one pass. It
only does it for each user as they log in.

Ross Pokorny
OZONE Developer

beth.w...@gmail.com

Dec 18, 2014, 12:55:14 PM12/18/14
to ozonepla...@googlegroups.com
Ross,
 
Yes to your first question, and that's how I thought it worked, wanted to verify.
 
Thanks for all the help!
 
Beth