Question
I have Liberty profile authentication working with MS Active Directory, but I am not able to set up a role mapping to a group.
I have created a security role in my web.xml:
<security-role>
    <description>Users who are authorized to do update and insert operations</description>
    <role-name>AuthorizedUser</role-name>
</security-role>
And for full WAS with wmm I have mapped the role to a group in ibm-application-bnd.xml which works:
<security-role name="AuthorizedUser">
    <group name="mygroup" access-id="group:defaultWIMFileBasedRealm/CN=mygroup,OU=myorg,DC=mydomain,DC=AD,DC=myco,DC=com"/>
</security-role>
But this is not working with liberty profile.
Do I need to alter the access-id?
Answer 1:
The accessId must use exactly the same realm name as your user registry is configured to have. For example, if your registry is configured thusly:
<ldapRegistry realm="myLDAPRealm"/>
Then your accessId values must take on the same value:
<security-role name="AuthorizedUser">
    <group name="mygroup" access-id="group:myLDAPRealm/..."/>
</security-role>
The default realm name for the LDAP registry is "LdapRegistry", and for reference, the default realm name for the basic registry is "BasicRegistry".
As AJ_R pointed out, you can remove the access-id field entirely and let the access-id be generated automatically. More often than not, specifying the access-id value manually is not necessary.
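As an added check that is not part of the original answer: the script below reads the realm of each registry element in a server.xml (falling back to the defaults named above), then flags any access-id in ibm-application-bnd.xml whose realm prefix does not match, which is exactly the mismatch in the question. The two XML documents are constructed samples, and the namespace handling is an assumption so that namespaced binding files parse the same way.

```python
import xml.etree.ElementTree as ET

# Default realm names Liberty uses when the registry element sets no realm
# attribute (as stated in the answer above).
DEFAULT_REALMS = {"ldapRegistry": "LdapRegistry", "basicRegistry": "BasicRegistry"}

def _local(tag: str) -> str:
    """Strip an XML namespace prefix such as {http://...}security-role."""
    return tag.rsplit("}", 1)[-1]

def configured_realms(server_xml: str) -> set:
    """Realm names of every user registry declared in server.xml."""
    realms = set()
    for elem in ET.fromstring(server_xml).iter():
        default = DEFAULT_REALMS.get(_local(elem.tag))
        if default is not None:
            realms.add(elem.get("realm", default))
    return realms

def check_bindings(bnd_xml: str, realms: set) -> list:
    """One (role, access-id, reason) finding per access-id whose realm is unknown."""
    findings = []
    for role in ET.fromstring(bnd_xml).iter():
        if _local(role.tag) != "security-role":
            continue
        for subject in role:
            access_id = subject.get("access-id")
            if access_id is None:
                continue  # omitted: Liberty generates it from the registry realm
            parts = access_id.split(":", 1)
            realm = parts[1].split("/", 1)[0] if len(parts) == 2 else ""
            if realm not in realms:
                findings.append((role.get("name"), access_id,
                                 f"realm '{realm}' is not one of {sorted(realms)}"))
    return findings

# Constructed sample files (not from the original post): the first binding
# repeats the question's mismatch, the second matches, the third omits access-id.
SAMPLE_SERVER_XML = """<server>
  <ldapRegistry id="ad" realm="myLDAPRealm" ldapType="Microsoft Active Directory"
                host="ldap.example.invalid" port="389" baseDN="DC=example,DC=invalid"/>
</server>"""
SAMPLE_BND_XML = """<application-bnd>
  <security-role name="AuthorizedUser">
    <group name="mygroup" access-id="group:defaultWIMFileBasedRealm/CN=mygroup,OU=myorg,DC=example,DC=invalid"/>
  </security-role>
  <security-role name="Auditor">
    <group name="auditors" access-id="group:myLDAPRealm/CN=auditors,OU=myorg,DC=example,DC=invalid"/>
    <group name="readers"/>
  </security-role>
</application-bnd>"""

if __name__ == "__main__":
    for finding in check_bindings(SAMPLE_BND_XML, configured_realms(SAMPLE_SERVER_XML)):
        print(*finding, sep=" | ")
```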
Answer 2:
The issue was because 'o' != 'O' in "memberOf"; I don't think this was case sensitive in TWAS.
Customizing the MS Active directory groupMemberIdMap fixed the group searches:
<!-- nested inside the <ldapRegistry> element -->
<activedLdapFilterProperties groupMemberIdMap="memberOf:member"/>
Answer 3:
Did you use the same realmName (defaultWIMFileBasedRealm) when configuring the MS Active Directory? You can also try removing the access-id (just use the group name) and let the Liberty server generate it using the realmName defined for the registry to see if that would help.
Source: https://stackoverflow.com/questions/10515232/how-to-map-security-role-to-ldap-group-in-websphere-liberty-profile