Automatic role assignment with ldap security

Hi,

I am trying to understand whether this is possible and, if so, how:
The app is using LDAP security.
I can log in using the LDAP user, which works fine.
But I want to set up the system in such a way that it automatically
maps a user to an existing role in Jmix, based on the LDAP groups
the user is a member of.

I went through the Ldap docs, but cannot see how to do it.

Regards
Roland

Hi,

It is described here: Obtaining User Authorities :: Jmix Documentation


Hi Maxim,
now I found the time to work on that…

I followed the instructions to create the bean like documented:
@Component("l_CustomAuthorityMapperBean")
public class CustomAuthorityMapperBean implements LdapAuthorityToJmixRoleCodesMapper …

But, when I run the app, it never steps into the mapAuthorityToJmixRoleCodes method.
What could I have been missing?
The app connects to the Ldap and I can login using my Ldap account/credentials.
Next would be to align the groups I am a member of in the Ldap to the JMIX roles.

Is there any other setting that might prevent the app from stepping into the mapAuthorityToJmixRoleCodes method?

Regards
Roland

found the ldap demo app…
will check if that one works for us like expected…

no, cannot get it working in any way…
what ever I try, it does step into the method…
additional information is needed about the expected setup to get it working…

getting more and more confused…
in the docu for v 1.5 I see
Optionally user roles can be added based on their own attributes. This can be implemented by overriding the getAdditionalRoles() method of AbstractLdapUserDetailsSynchronizationStrategy .

But that method does not exist anywhere

Hi Roland,

It seems that there is an error in the docs. As I see the getAdditionalRoles method must be implemented in a Spring Bean that implements the LdapUserAdditionalRoleProvider interface, e.g.

import io.jmix.ldap.userdetails.LdapUserAdditionalRoleProvider;
import org.springframework.ldap.core.DirContextOperations;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.stereotype.Component;

import java.util.HashSet;
import java.util.Set;

@Component("demo_MyLdapUserAdditionalRoleProvider")
public class MyLdapUserAdditionalRoleProvider implements LdapUserAdditionalRoleProvider {

    @Override
    public Set<GrantedAuthority> getAdditionalRoles(DirContextOperations user, String username) {
        // "user" exposes the attributes of the synchronized LDAP entry;
        // return the extra authorities to grant, or an empty set for none.
        return new HashSet<>();
    }
}

Here is the sample project that just follows the Getting Started guide from Jmix docs.

jmix-ldap-demo.zip (89.8 KB)

In this project you may find the CustomAuthorityMapperBean that works and the LdapUserAdditionalRoleProvider that is also being invoked.

thx!

The demo works 50% for me…
1 thing I needed to change is:
jmix.ldap.user-search-filter = (&(objectClass=user)(sAMAccountName={0}))

when login with ldap user I see that getAdditionalRoles gets called…
I can think about how to use that to add additional roles…

but what is still not working, is the mapperbean…
@Override
public Collection<String> mapAuthorityToJmixRoleCodes(String authority) {
    System.out.println("mapper bean");

It never comes to that System.out

There is one more piece of information:
The underlying ldap is an AD.
When I use jmix.ldap.use-active-directory-configuration = false
I can authenticate against the ldap
But when I use jmix.ldap.use-active-directory-configuration = true
I cannot even authenticate… I tested different user-search-filter… does not help

The only way to authenticate is to use active-directory-configuration = false

So, again… blocked…
I can get the collection of AD groups in the CustomUserSynchronizationStrategy,
but have no idea how to get that collection automatically mapped to Jmix roles…
That automated mapping of Jmix roles to the AD groups the user is a member of is what would really help…
If we can’t get that working,
I would need to assign the roles to the user manually …
Works for apps with just a few users, but we also have apps with hundreds of users

Hi Maxim,
I can imagine that you have a lot to do with the new 2.0 version…
So, would there be anybody else I could ask?
Regards
Roland

Sorry, but I don’t know how else I can help you. I’ve just tried the sample above again. I’ve modified it to work with my company’s AD domain. I had an application.properties file like this one:

jmix.ldap.use-active-directory-configuration=true
jmix.ldap.user-search-filter=(&(objectClass=user)(sAMAccountName={1}))
jmix.ldap.active-directory-domain=mycompany.com
jmix.ldap.urls=ldaps://dc.mycompany.com:636/
jmix.ldap.base-dn=<some_base_dn>
jmix.ldap.manager-dn=<manager_dn>
jmix.ldap.manager-password=<manager_password>

BTW, did you set the jmix.ldap.active-directory-domain property? How do you enter the username on the login page: just “someuser” or “someuser@somedomain”?

When I authenticate with AD user, I see that execution comes to the com.company.demo.ldap.CustomAuthorityMapperBean#mapAuthorityToJmixRoleCodes

You may see the stacktrace (from which methods it was invoked) on my screenshot

Screenshot 2023-07-14 at 11.24.23

You can debug it on your side and try to find “the difference”.

The “authority” value there is a name of the user group in the AD (the memberOf attribute). By default group name is mapped to jmix role “as is”. You can always put a breakpoint in the io.jmix.ldap.userdetails.AbstractLdapUserDetailsSynchronizationStrategy#synchronizeUserDetails and see what happens.

Also, it seems that LdapUserAdditionalRoleProvider doesn’t work for AD authentication. I’ve created an issue for that.

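As an added example, not code from the original thread, the demo project or Jmix itself, here is a mapper bean of the kind discussed above. It implements LdapAuthorityToJmixRoleCodesMapper (assumed to live in io.jmix.ldap.userdetails, the package of the synchronization strategy named in the post) and maps the AD group name arriving in the authority parameter to Jmix role codes through an explicit allow-list, instead of relying on the default mapping of the group name to a role with the same name. The bean name, the package and all role codes except Jmix's built-in system-full-access are assumptions.

```java
package com.company.demo.ldap; // package taken from the stack trace mentioned in the thread

import io.jmix.ldap.userdetails.LdapAuthorityToJmixRoleCodesMapper;
import org.springframework.stereotype.Component;

import java.util.Collection;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import java.util.TreeMap;

/**
 * Maps AD group names delivered as LDAP authorities (the memberOf attribute)
 * to Jmix role codes through an explicit allow-list.
 */
@Component("demo_CustomAuthorityMapperBean")
public class CustomAuthorityMapperBean implements LdapAuthorityToJmixRoleCodesMapper {

    // AD group name -> Jmix role codes. Case-insensitive, because AD group names are.
    // "system-full-access" is Jmix's built-in full-access role; the other codes are
    // hypothetical and must match resource roles that exist in your application.
    private static final Map<String, List<String>> GROUP_TO_ROLES =
            new TreeMap<>(String.CASE_INSENSITIVE_ORDER);

    static {
        GROUP_TO_ROLES.put("App-Admins", List.of("system-full-access"));
        GROUP_TO_ROLES.put("App-Users", List.of("app-user"));
        GROUP_TO_ROLES.put("App-Auditors", List.of("app-user", "app-audit-reader"));
    }

    @Override
    public Collection<String> mapAuthorityToJmixRoleCodes(String authority) {
        // Groups outside the allow-list grant nothing, so a newly created AD group
        // can never silently turn into a role that happens to share its name.
        return GROUP_TO_ROLES.getOrDefault(groupName(authority), Collections.emptyList());
    }

    /**
     * Normalizes an authority to a bare group name. The value may already be a plain
     * name, or a full DN such as "CN=App-Admins,OU=Groups,DC=example,DC=com"; in the
     * latter case the leading CN is returned. Commas escaped with a backslash inside
     * the CN (RFC 4514) are kept as part of the name.
     */
    static String groupName(String authority) {
        if (authority == null) {
            return "";
        }
        String value = authority.trim();
        if (!value.regionMatches(true, 0, "CN=", 0, 3)) {
            return value;
        }
        int end = 3;
        while (end < value.length()) {
            char c = value.charAt(end);
            if (c == ',' && value.charAt(end - 1) != '\\') {
                break;
            }
            end++;
        }
        return value.substring(3, end).trim();
    }
}
```

Returning an empty collection for an unknown group is deliberate: with the default mapping, creating an AD group whose name equals a role code is enough to grant that role, so an allow-list keeps role assignment under the application's control. One further caveat on the two search filters quoted in this thread: with jmix.ldap.use-active-directory-configuration=true the filter is evaluated by Spring Security's ActiveDirectoryLdapAuthenticationProvider, where {0} is substituted with the bind principal (user@domain) and {1} with the bare username, which is why the AD configuration above uses sAMAccountName={1}.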

thx… will go through it and try to find out the missing link

Hi Maxim,

found the root cause of the issue:
In the AD there is another domain used for authentication than the one being used
i.e. in the mail address or the internal URLs…
I needed to use that ‘hidden’ domain name in the application.properties.
After that I could activate the AD configuration setting and could
authenticate and then the mapper bean also got called.

Thank you very much for the help!!!

Kind regards
Roland
