Configuring authorization by using LDAP groups
Authorize roles in App Connect Enterprise against a Lightweight Directory Access Protocol (LDAP) or Secure LDAP (LDAPS) server.
Before you begin
About this task
You can grant and revoke administration authority for an integration node and for each of its managed integration servers. You can also grant and revoke administration authority for an independent integration server that is not managed by an integration node. You do this by configuring LDAP authorization, which maps specified LDAP groups or LDAP attributes to specified roles in App Connect Enterprise. You configure the authorization by setting properties in the node.conf.yaml file for an integration node, or in the server.conf.yaml file for an integration server.
LDAP authorization can be applied only to LDAP authenticated users. LDAP users must belong to one or more LDAP groups, or have one or more LDAP attributes that map to roles in App Connect Enterprise, with appropriate access to the admin REST API. Roles in App Connect Enterprise are granted read, write, or execute permissions for objects in integration nodes or independent integration servers (which are not managed by an integration node). For more information, see Role-based security. LDAP users can belong to a single LDAP group that can be mapped to a single role in App Connect Enterprise, or multiple LDAP groups that can be mapped to multiple roles in App Connect Enterprise. An LDAP authenticated user's LDAP attributes can also be used to map to roles in App Connect Enterprise.
Configure LDAP authorization by completing the following steps.
Procedure
You have the following options for configuring LDAP authorization.
- Authorize a single LDAP group to have a role in App Connect Enterprise. See step 9.
- Authorize multiple LDAP groups to have roles in App Connect Enterprise. See step 10.
- Authorize an LDAP authenticated user's LDAP attributes to have a role in App Connect Enterprise. See step 11.
Example
In the following LdapAuthorizeAttributeToRoleMap, the LDAP group developers is mapped to the role supportRole in App Connect Enterprise. The Permissions section includes some further examples of roles that are defined in App Connect Enterprise. For example, the role manager is defined with read permission.
```yaml
# Admin Security
# Authentication
basicAuth: true
ldapUrl: 'ldap://localhost:10389/ou=users,o=ace?cn?sub'
#ldapBindDn: ldap::adminAuthentication
#ldapBindPassword: ldap::adminAuthentication
# Authorization
authorizationEnabled: true # The client's web user role is authorized when set to true
authorizationMode: 'ldap' # Set the authorization mode. Choose one of: ldap, file or mq
ldapAuthorizeUrl: 'ldap://localhost:10389/o=users,ou=ace?description?sub?(member={{dn}})'
#ldapAuthorizeUrl: 'ldap://localhost:10389/o=groups,ou=ace?employeeType?sub?(cn={{username}})'
Security:
  LdapAuthorizeAttributeToRoleMap:
    'graham': 'adminRole'                            # (user mapped to role)
    'martin': 'viewRole'                             # (user mapped to role)
    'DB_ADMIN': 'adminRole'                          # (field mapped to role)
    'NETWORK_ADMIN': 'viewRole'                      # (field mapped to role)
    'o=AceViewersGroup,o=groups,ou=ace': 'viewRole'  # (group mapped to role)
    'o=AceAdminsGroup,o=groups,ou=ace': 'viewRole'   # (group mapped to role)
    'administrators': 'adminRole'
    'developers': 'supportRole'
    'managers': 'viewRole'
  Permissions:
    # Set Admin Security Authorization file permissions by web user role using 'read+:write+:execute+', or 'all+'
    # '+' grants permission, '-' denies permission
    # e.g. define the following web user roles 'viewRole' and 'adminRole'
    viewRole: 'read+:write-:execute-'
    adminRole: 'all+'
    supportRole: 'read+:write-:execute+'
    #manager: 'read+:write-:execute-'
    #administrator: 'all+'
    #developer: 'read+:write-:execute+'
  Server:
    # Set Admin Security Authorization file permissions for each named Integration Server
    #server01:
    #  Permissions:
    #    viewRole: 'read+:write-:execute-'
    #    adminRole: 'all+'
    #server02:
    #  Permissions:
    #    viewRole: 'read+:write-:execute+'
    #    adminRole: 'all+'
```
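As an added example (not IBM's code), the following Python models how the mappings above are resolved for a user: the group DNs or attribute values that the LDAP query returns are looked up in LdapAuthorizeAttributeToRoleMap, and each role's 'read+:write-:execute+' or 'all+' string is parsed into the actions it grants. Combining several roles by union, ignoring unmapped values, and the per-server override parameter are assumptions about the product's behaviour, not documented rules.

```python
from typing import Dict, Iterable, Set
# Role map and Permissions taken from the example configuration on this page.
ATTRIBUTE_TO_ROLE: Dict[str, str] = {
    "graham": "adminRole", "martin": "viewRole",
    "DB_ADMIN": "adminRole", "NETWORK_ADMIN": "viewRole",
    "o=AceViewersGroup,o=groups,ou=ace": "viewRole",
    "o=AceAdminsGroup,o=groups,ou=ace": "viewRole",
    "administrators": "adminRole", "developers": "supportRole", "managers": "viewRole",
}
PERMISSIONS: Dict[str, str] = {
    "viewRole": "read+:write-:execute-",
    "adminRole": "all+",
    "supportRole": "read+:write-:execute+",
}
ACTIONS = ("read", "write", "execute")

def parse_permission(spec: str) -> Set[str]:
    """Turn 'read+:write-:execute+' or 'all+' into the set of granted actions.
    Entries apply left to right ('all+:write-' grants read and execute); a
    malformed entry raises instead of silently granting or denying everything."""
    granted: Set[str] = set()
    for item in spec.split(":"):
        item = item.strip()
        if len(item) < 2 or item[-1] not in "+-":
            raise ValueError(f"bad permission entry: {item!r}")
        action, flag = item[:-1], item[-1]
        if action == "all":
            targets = ACTIONS
        elif action in ACTIONS:
            targets = (action,)
        else:
            raise ValueError(f"unknown action: {action!r}")
        (granted.update if flag == "+" else granted.difference_update)(targets)
    return granted

def roles_for(ldap_values: Iterable[str]) -> Set[str]:
    """Map the group DNs / attribute values returned for a user to roles. Values
    absent from the map are ignored (assumption): an authenticated user whose
    groups are not mapped holds no role and so gets no admin REST API permission."""
    return {ATTRIBUTE_TO_ROLE[v] for v in ldap_values if v in ATTRIBUTE_TO_ROLE}

def effective_permissions(ldap_values: Iterable[str],
                          permissions: Dict[str, str] = PERMISSIONS) -> Set[str]:
    """Union of the permissions of every role the user holds (assumed combination
    rule); pass a Server.<name>.Permissions map to check a per-server override."""
    granted: Set[str] = set()
    for role in roles_for(ldap_values):
        granted |= parse_permission(permissions[role])
    return granted
```

Running it against the page's own map shows that a member of o=AceAdminsGroup,o=groups,ou=ace only gets read access, because that group is mapped to viewRole, which is the kind of mismatch worth catching before enabling authorization.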