This repository has been archived by the owner on Jan 9, 2019. It is now read-only.
OpenLDAP
connaryscott edited this page Jul 25, 2012 · 22 revisions
This setup is based on the following LDAP domain-specific configuration:

- Root DC: dc=dtolabs,dc=com
- User Search Base: ou=People,dc=dtolabs,dc=com
- Roles Search Base: ou=roles,dc=dtolabs,dc=com
- Root DN: cn=Manager,dc=dtolabs,dc=com
- Root DN Password: secret
- LDAP URL: ldap://localhost:389

Grails/Spring Security, with Yana running inside a Tomcat container, authenticates and authorizes users against this OpenLDAP server.

Tomcat is also assumed to be configured on the following ports:

- http: 8080
- https: 8443
The Yana roles are posixGroup entries under the roles search base. Their userPassword is `{crypt}x`, which is not a valid crypt hash, so no bind as a role entry can succeed:

```ldif
#yana user role
dn: cn=ROLE_YANA_USER,ou=roles,dc=dtolabs,dc=com
objectClass: top
objectClass: posixGroup
userPassword: {crypt}x
gidNumber: 1003
cn: ROLE_YANA_USER

#yana admin role
dn: cn=ROLE_YANA_ADMIN,ou=roles,dc=dtolabs,dc=com
objectClass: top
objectClass: posixGroup
userPassword: {crypt}x
gidNumber: 1004
cn: ROLE_YANA_ADMIN

#yana architect role
dn: cn=ROLE_YANA_ARCHITECT,ou=roles,dc=dtolabs,dc=com
objectClass: top
objectClass: posixGroup
userPassword: {crypt}x
gidNumber: 1005
cn: ROLE_YANA_ARCHITECT

#yana superuser role
dn: cn=ROLE_YANA_SUPERUSER,ou=roles,dc=dtolabs,dc=com
objectClass: top
objectClass: posixGroup
userPassword: {crypt}x
gidNumber: 1006
cn: ROLE_YANA_SUPERUSER
```
The user accounts are posixAccount entries under the user search base:

```ldif
#all passwords set to: Gr0uch0M@rx
dn: uid=rfirefly,ou=People,dc=dtolabs,dc=com
uid: rfirefly
cn: Rufus Firefly
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: Gr0uch0M@rx
shadowLastChange: 15140
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 5000
gidNumber: 5000
homeDirectory: /home/rfirefly

dn: uid=tspaulding,ou=People,dc=dtolabs,dc=com
uid: tspaulding
cn: Captain Spaulding
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: Gr0uch0M@rx
shadowLastChange: 15140
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 5001
gidNumber: 5001
homeDirectory: /home/tspaulding

dn: uid=odriftwood,ou=People,dc=dtolabs,dc=com
uid: odriftwood
cn: Otis Driftwood
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: Gr0uch0M@rx
shadowLastChange: 15140
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 5002
gidNumber: 5002
homeDirectory: /home/odriftwood
```

Note that these userPassword values are stored in cleartext: the ldapsearch output below shows the same value base64-encoded (`userPassword::`), which is an encoding, not a hash. OpenLDAP also accepts hashed values such as `{SSHA}...`, which `slappasswd` generates, and those are what a non-test directory should hold.
Where:

- rfirefly is a SUPERUSER, ADMIN, and USER
- tspaulding is a USER
- odriftwood is a USER

The following LDIF modifications add the users to their roles as memberUid values:

```ldif
dn: cn=ROLE_YANA_ARCHITECT,ou=roles,dc=dtolabs,dc=com
changetype: modify
add: memberUid
memberUid: rfirefly

dn: cn=ROLE_YANA_ADMIN,ou=roles,dc=dtolabs,dc=com
changetype: modify
add: memberUid
memberUid: rfirefly

dn: cn=ROLE_YANA_USER,ou=roles,dc=dtolabs,dc=com
changetype: modify
add: memberUid
memberUid: rfirefly

dn: cn=ROLE_YANA_USER,ou=roles,dc=dtolabs,dc=com
changetype: modify
add: memberUid
memberUid: tspaulding

dn: cn=ROLE_YANA_USER,ou=roles,dc=dtolabs,dc=com
changetype: modify
add: memberUid
memberUid: odriftwood
```
The following ldapsearch, bound as the manager DN (`-w secret` puts the manager password on the command line and into shell history; `-W` prompts for it instead):

```shell
ldapsearch -w secret -b dc=dtolabs,dc=com -x -Dcn=Manager,dc=dtolabs,dc=com
```

yields:
```ldif
# extended LDIF
#
# LDAPv3
# base <dc=dtolabs,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# dtolabs.com
dn: dc=dtolabs,dc=com
objectClass: dcObject
objectClass: organization
o: dtolabs.com
dc: dtolabs

# People, dtolabs.com
dn: ou=People,dc=dtolabs,dc=com
objectClass: organizationalUnit
objectClass: top
ou: People

# roles, dtolabs.com
dn: ou=roles,dc=dtolabs,dc=com
objectClass: organizationalUnit
objectClass: top
ou: roles

# rfirefly, People, dtolabs.com
dn: uid=rfirefly,ou=People,dc=dtolabs,dc=com
uid: rfirefly
cn: Rufus Firefly
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
shadowLastChange: 15140
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 5000
gidNumber: 5000
homeDirectory: /home/rfirefly
userPassword:: R3IwdWNoME1Acng=

# tspaulding, People, dtolabs.com
dn: uid=tspaulding,ou=People,dc=dtolabs,dc=com
uid: tspaulding
cn: Captain Spaulding
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
shadowLastChange: 15140
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 5001
gidNumber: 5001
homeDirectory: /home/tspaulding
userPassword:: R3IwdWNoME1Acng=

# odriftwood, People, dtolabs.com
dn: uid=odriftwood,ou=People,dc=dtolabs,dc=com
uid: odriftwood
cn: Otis Driftwood
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
shadowLastChange: 15140
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 5002
gidNumber: 5002
homeDirectory: /home/odriftwood
userPassword:: R3IwdWNoME1Acng=

# ROLE_YANA_USER, roles, dtolabs.com
dn: cn=ROLE_YANA_USER,ou=roles,dc=dtolabs,dc=com
objectClass: top
objectClass: posixGroup
userPassword:: e2NyeXB0fXg=
gidNumber: 1003
cn: ROLE_YANA_USER
memberUid: rfirefly
memberUid: tspaulding
memberUid: odriftwood

# ROLE_YANA_ADMIN, roles, dtolabs.com
dn: cn=ROLE_YANA_ADMIN,ou=roles,dc=dtolabs,dc=com
objectClass: top
objectClass: posixGroup
userPassword:: e2NyeXB0fXg=
gidNumber: 1004
cn: ROLE_YANA_ADMIN
memberUid: rfirefly

# ROLE_YANA_ARCHITECT, roles, dtolabs.com
dn: cn=ROLE_YANA_ARCHITECT,ou=roles,dc=dtolabs,dc=com
objectClass: top
objectClass: posixGroup
userPassword:: e2NyeXB0fXg=
gidNumber: 1005
cn: ROLE_YANA_ARCHITECT
memberUid: rfirefly
```
Add the following configuration to the Grails `Config.groovy` file:

```groovy
grails {
    plugins {
        springsecurity {
            portMapper {
                httpPort = "8080"
                httpsPort = "8443"
            }
            userLookup {
                userDomainClassName = "com.dtolabs.User"
                authorityJoinClassName = "com.dtolabs.UserRole"
            }
            authority {
                className = "com.dtolabs.Role"
            }
            ldap {
                context {
                    managerDn = "cn=Manager,dc=dtolabs,dc=com"
                    managerPassword = "secret"
                    server = "ldap://localhost:389"
                }
                authorities {
                    groupSearchBase = "ou=roles,dc=dtolabs,dc=com"
                    groupSearchFilter = "memberUid={1}"
                    retrieveGroupRoles = "true"
                }
                search {
                    searchSubtree = "true"
                    base = "dc=dtolabs,dc=com"
                }
            }
        }
    }
}
```
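The following is an added example, not code from the Yana project or from this wiki. It is a small Python script that parses LDIF of the kind shown above (a condensed, constructed copy of the people and role entries is embedded), replays the `groupSearchFilter = "memberUid={1}"` lookup under `groupSearchBase` from the Grails configuration to derive each user's authorities offline, and flags userPassword values stored without a `{scheme}` prefix, which is the cleartext storage the people entries above use. It takes each group's cn verbatim as the authority name; the plugin's own role-prefix and upper-casing settings are not modelled, and the function names (`parse_ldif`, `authorities_for`, `password_storage_issues`) are my own.

```python
"""Offline check of the LDAP role mapping behind Yana's Spring Security config (added example)."""
import base64
from collections import defaultdict

# Constructed sample: the page's people and role entries, condensed to the
# attributes the lookup needs (userPassword kept to show how it is stored).
SAMPLE_LDIF = """\
dn: uid=rfirefly,ou=People,dc=dtolabs,dc=com
uid: rfirefly
userPassword:: R3IwdWNoME1Acng=

dn: uid=tspaulding,ou=People,dc=dtolabs,dc=com
uid: tspaulding
userPassword:: R3IwdWNoME1Acng=

dn: uid=odriftwood,ou=People,dc=dtolabs,dc=com
uid: odriftwood
userPassword:: R3IwdWNoME1Acng=

dn: cn=ROLE_YANA_USER,ou=roles,dc=dtolabs,dc=com
cn: ROLE_YANA_USER
userPassword:: e2NyeXB0fXg=
memberUid: rfirefly
memberUid: tspaulding
memberUid: odriftwood

dn: cn=ROLE_YANA_ADMIN,ou=roles,dc=dtolabs,dc=com
cn: ROLE_YANA_ADMIN
memberUid: rfirefly

dn: cn=ROLE_YANA_ARCHITECT,ou=roles,dc=dtolabs,dc=com
cn: ROLE_YANA_ARCHITECT
memberUid: rfirefly
"""

GROUP_SEARCH_BASE = "ou=roles,dc=dtolabs,dc=com"  # same as groupSearchBase above


def _unfold(text):
    """Join LDIF continuation lines: a leading space continues the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Return a list of entries, each a dict of attribute -> list of values.
    Blank lines separate entries; 'attr:: value' carries a base64 value."""
    entries, current = [], None
    for line in _unfold(text):
        if line.startswith("#"):
            continue
        if not line.strip():
            if current is not None:
                entries.append(current)
            current = None
            continue
        attr, _, value = line.partition(":")
        attr = attr.strip()
        if value.startswith(":"):  # '::' form: base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if attr == "dn":
            current = defaultdict(list)
        if current is None:
            raise ValueError("attribute line before any dn: " + line)
        current[attr].append(value)
    if current is not None:
        entries.append(current)
    return entries


def authorities_for(uid, entries, group_base=GROUP_SEARCH_BASE):
    """Replay groupSearchFilter = "memberUid={1}" under groupSearchBase:
    {1} is the login name, so every group entry under the base whose
    memberUid values contain it contributes its cn as a granted authority."""
    roles = set()
    for entry in entries:
        dn = entry["dn"][0]
        if not dn.lower().endswith("," + group_base.lower()):
            continue
        if uid in entry.get("memberUid", []):
            roles.update(entry.get("cn", []))
    return roles


def password_storage_issues(entries):
    """Map dn -> reason for every userPassword stored without a {scheme}
    prefix; ldapsearch's base64 output is an encoding, not a hash."""
    issues = {}
    for entry in entries:
        for pw in entry.get("userPassword", []):
            if not pw.startswith("{"):
                issues[entry["dn"][0]] = "userPassword stored in cleartext"
    return issues


if __name__ == "__main__":
    ents = parse_ldif(SAMPLE_LDIF)
    for user in ("rfirefly", "tspaulding", "odriftwood"):
        print(user, sorted(authorities_for(user, ents)))
    for dn, reason in password_storage_issues(ents).items():
        print("WARN", dn, reason)
```

Run against the real directory, the same logic is what `ldapsearch -b ou=roles,dc=dtolabs,dc=com "(memberUid=rfirefly)" cn` would return, so the script is a cheap way to confirm that the LDIF you are about to load produces the authorities you expect before Spring Security depends on them. The role entries' `{crypt}x` value is not flagged because it carries a scheme prefix; only the people entries, whose stored value decodes to the literal password, are reported.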