modifying default roles names for ldap

dodizzle

Sep 7, 2010, 2:11:13 PM
to psi-probe-discuss
We use ldap to authenticate users, specifically we put users in either
the manager or probeuser group.
This works great except that we would like to create a different group
for the manager role in production.
I've tried editing the web.xml file and changing the manager role to
prodmanager which is an existing group in our ldap.
It allows me to login but I get a 403 when attempting to access any of
the pages.

How do I modify the default role names that lambda uses when
performing lookups in ldap?

Mark

Sep 7, 2010, 2:57:33 PM
to psi-probe-discuss
Unfortunately, much of PSI Probe depends on Tomcat's inner workings,
and I'm pretty sure the role name of "manager" is fixed.

It sounds like you want to have two groups of managers, with each one
covering a different set of servers, in the same LDAP directory. We
had a similar situation in my workplace, and there is a way to do it.

What we ended up doing was creating two groups with separate names
(e.g. devmanager and prodmanager). Then we gave each role the
*description* of "manager." From there, we edited the Realm in
server.xml to set the roleName attribute to "description." This way,
Tomcat will pull the role name from the "description" attribute
instead of "cn" (the default).

Finally, to make sure that the "devmanager" role can't access the
production servers, we excluded it by changing the roleSearch
attribute on our production servers to this:
(&(!(cn=devmanager))(member={0}))

Hope this helps!

Reference: http://tomcat.apache.org/tomcat-5.5-doc/realm-howto.html#JNDIRealm
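
Added example, not part of the post above and not Tomcat or PSI Probe code: a small Python model of the role lookup Mark describes, showing which roles each user ends up with when the role name is read from "description" and the production filter excludes devmanager. The group entries, user DNs, the DEFAULT_SEARCH filter and all function names are constructed for illustration, and the filter parser handles only &, |, ! and equality.

```python
# Constructed sample directory: both manager groups carry description "manager".
ALICE = "uid=alice,ou=people,dc=example,dc=com"   # constructed DN, dev admin
BOB = "uid=bob,ou=people,dc=example,dc=com"       # constructed DN, prod admin
GROUPS = [
    {"cn": ["devmanager"], "description": ["manager"], "member": [ALICE]},
    {"cn": ["prodmanager"], "description": ["manager"], "member": [BOB]},
    {"cn": ["probeuser"], "description": ["probeuser"], "member": [ALICE, BOB]},
]

def parse(f, i=0):
    """Parse the filter starting at f[i] == '('; return (node, next index).
    Handles only &, |, ! and equality; no wildcards or escaped characters."""
    op = f[i + 1]
    if op in ("&", "|", "!"):
        kids, i = [], i + 2
        while f[i] == "(":
            kid, i = parse(f, i)
            kids.append(kid)
        return (op, kids), i + 1            # step over the closing ')'
    end = f.index(")", i)
    attr, value = f[i + 1:end].split("=", 1)
    return ("=", attr.lower(), value.lower()), end + 1

def matches(node, entry):
    """Evaluate a parsed filter against one directory entry."""
    if node[0] == "=":
        return node[2] in (v.lower() for v in entry.get(node[1], []))
    results = [matches(kid, entry) for kid in node[1]]
    if node[0] == "!":
        return not results[0]
    return all(results) if node[0] == "&" else any(results)

def roles_for(user_dn, role_search, role_name="cn"):
    """Model of the lookup: put the user's DN in place of {0}, search the
    groups, and take the role_name attribute of each match as a role."""
    tree, _ = parse(role_search.replace("{0}", user_dn))
    return sorted({v for g in GROUPS if matches(tree, g)
                   for v in g.get(role_name, [])})

PROD_SEARCH = "(&(!(cn=devmanager))(member={0}))"   # filter from the post
DEFAULT_SEARCH = "(member={0})"                     # assumed filter on dev servers

if __name__ == "__main__":
    print("alice on prod:", roles_for(ALICE, PROD_SEARCH, "description"))
    print("bob on prod:  ", roles_for(BOB, PROD_SEARCH, "description"))
    print("alice on dev: ", roles_for(ALICE, DEFAULT_SEARCH, "description"))
```

With the role name taken from "description", every group under the role base whose description reads "manager" grants the manager role, so write access to that attribute needs to be as restricted as group membership. When the filter is placed in server.xml, the & has to be written as &amp; because it sits inside an XML attribute value.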

David O'Dell

Sep 20, 2010, 12:43:28 PM
to psi-prob...@googlegroups.com
Forgot to thank you for this solution.
We deployed this solution and both our development and production
environments are working as planned.


Mark

Sep 20, 2010, 1:34:29 PM
to psi-probe-discuss
Glad to hear it!

asgher ali

Apr 9, 2014, 8:07:16 PM
to psi-prob...@googlegroups.com
Hi Mark,

I have a kind of similar situation. What I am trying to do is only disable start/stop functionality for a manager user. I don't want to give server start/stop functionality; except for that, I want every other feature of the manager role.

Appreciate your help on this.
Thanks in advance.

Regards
Asgher Ali Shaik

Mark

Apr 10, 2014, 5:15:26 PM
to psi-prob...@googlegroups.com
If you're familiar with Spring Security, you can edit the /WEB-INF/spring-probe-security.xml in your probe.war file to adjust the URL permissions however you like.

Tristan Miral

May 28, 2018, 9:31:16 AM
to psi-probe-discuss
Hi all,

I know this thread is already old, but can you help me out with how to authenticate psi-probe using LDAP? I tried to edit all my config in server.xml and web.xml, but I don't authenticate using the LDAP connection.