Setting Up a Group Membership Check in Access Manager

0 Likes
over 13 years ago

Problem



A Forum reader recently asked:

"I'm trying to set up a reverse proxy with authentication to an eDirectory group. I want to check to see if the user is a member of a group. I have this set up on iChain, but I can't figure out how to do it in Access Manager."

And here is the response from Ben Fjelsted ...

Solution



To base access on LDAP groups, you must first make an "Identity Server: Role" policy for the LDAP group that the user is in. Then you can use that role in a "Access Gateway: Authorization" policy.

Here is an example policy set, exported from one of my configurations. It basically says that:

If LDAP Group: [Current]
Comparison: LDAP Group: Is Member of
Value: LDAP Group: cn=sales,o=novell
Result on Condition Error: False

Do Activate Role:
sales_role

Then it uses this role for the Authorization policy "deny_but_sales".

Remember to enable the role in the Identity Server Configuration under [configuration name] > General > Roles.


<?xml version="1.0" encoding="UTF-8"?>
<!--Sample XML file generated by XMLSpy v2005 rel. 3 U
(http://www.altova.com)-->
<NxpeService xmlns:xpeml="urn:novell:schema:xpeml:1.34:policy"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:noNamespaceSchemaLocation="./nxpeService.xsd" Revision="0.1">
<xpeml:PolicyCollection schemaVersion="1.34">
<xpeml:PoliciesDefinitionList LastModified="4294967295"
LastModifiedBy="String">
<xpeml:Policy Enable="true"
UserInterfaceID="PolicyID_xpemlPEP_AGAuthorization_1189184590095"
Category="" Name="deny_but_sales" LastModified="1189184619087"
PolicyID="PolicyID_xpemlPEP_AGAuthorization_1189184590095"
DateCreated="4294967295" Description="" DateArchived="4294967295"
LastModifiedBy="cn=admin,o=novell">
<xpeml:PolicyEnforcementPointRef
ElementRefType="ExternalWithIDRef"
ExternalDocRef="AccessGateway-default:romaContentCollectionXMLDoc"
ExternalElementRef="xpemlPEP_AGAuthorization" />
<xpeml:ConfigurationUsageList />
<xpeml:Rule RuleID="RuleID_1189184590095" RuleOrder="1"
Enable="1" UserInterfaceID="RuleID_1189184590095"
ConditionCombiningAlgorithm="DNF" Description="" Priority="0">
<xpeml:ActionList>
<xpeml:Action UserInterfaceID="1" Order="1">
<xpeml:ActionRef ElementRefType="ExternalWithIDRef"
ExternalDocRef="AccessGateway-default:romaContentCollectionXMLDoc"
ExternalElementRef="xpemlAction_Permit" />
</xpeml:Action>
</xpeml:ActionList>
<xpeml:ConditionList>
<xpeml:ConditionSet Enable="true" UserInterfaceID="1"
NOT="0" SetOrder="1">
<xpeml:Condition Enable="true" UserInterfaceID="1"
NOT="0" Order="1" ResultOnError="false">
<xpeml:ConditionRef ElementRefType="ExternalWithIDRef"
ExternalDocRef="AccessGateway-default:romaContentCollectionXMLDoc"
ExternalElementRef="xpemlCondition_string" />
<xpeml:OperatorRef ElementRefType="ExternalWithIDRef"
ExternalDocRef="AccessGateway-default:romaContentCollectionXMLDoc"
ExternalElementRef="nxpeOperator_string-equals" />
<xpeml:LHSOperand Value="">
<xpeml:ContextDataElementRef
ElementRefType="ExternalWithIDRef"
ExternalDocRef="AccessGateway-default:romaContentCollectionXMLDoc"
ExternalElementRef="xpemlContextDataElement_CurrentRoles" />
</xpeml:LHSOperand>
<xpeml:RHSOperand Value="sales_role">
<xpeml:ContextDataElementRef
ElementRefType="ExternalWithIDRef"
ExternalDocRef="AccessGateway-default:romaContentCollectionXMLDoc"
ExternalElementRef="xpemlContextDataElement_SelectedRole" />
</xpeml:RHSOperand>
<xpeml:InstanceParameterList>
<xpeml:Parameter Value="case-sensitive"
UserInterfaceID="case-sensitive" EnumerativeValue="1" Name="flags">
<xpeml:ContextDataElementRef
ElementRefType="ExternalWithIDRef"
ExternalDocRef="AccessGateway-default:romaContentCollectionXMLDoc"
ExternalElementRef="case-sensitive" />
</xpeml:Parameter>
</xpeml:InstanceParameterList>
</xpeml:Condition>
</xpeml:ConditionSet>
</xpeml:ConditionList>
</xpeml:Rule>
<xpeml:Rule RuleID="RuleID_1189184607928" RuleOrder="1"
Enable="true" UserInterfaceID="RuleID_1189184607928"
ConditionCombiningAlgorithm="DNF" Description="" Priority="9">
<xpeml:ActionList>
<xpeml:Action UserInterfaceID="1" Order="1">
<xpeml:ActionRef ElementRefType="ExternalWithIDRef"
ExternalDocRef="AccessGateway-default:romaContentCollectionXMLDoc"
ExternalElementRef="xpemlAction_Deny" />
<xpeml:InstanceParameterList>
<xpeml:ParameterGroup UserInterfaceID="DenyParameters"
EnumerativeValue="2621" GroupName="DenyParameters" Order="1">
<xpeml:Choice
UserInterfaceID="ChoiceID_10_1189184609553" EnumerativeValue="10"
Enabled="false" ChoiceName="DefaultBlockPage" Order="1" />
<xpeml:Choice
UserInterfaceID="ChoiceID_20_1189184609553" EnumerativeValue="20"
Enabled="true" ChoiceName="SendBlockMessage" Order="2">
<xpeml:Parameter
Value="You must be in the Sales group to access this resource."
UserInterfaceID="ParameterID_1_1189184609553" EnumerativeValue="1"
Name="Message" />
</xpeml:Choice>
<xpeml:Choice
UserInterfaceID="ChoiceID_30_1189184609554" EnumerativeValue="30"
Enabled="false" ChoiceName="RedirectToLocation" Order="3">
<xpeml:Parameter Value=""
UserInterfaceID="ParameterID_1_1189184609554" EnumerativeValue="1"
Name="Redirect" />
</xpeml:Choice>
</xpeml:ParameterGroup>
</xpeml:InstanceParameterList>
</xpeml:Action>
</xpeml:ActionList>
</xpeml:Rule>
</xpeml:Policy>
<xpeml:Policy Enable="true"
UserInterfaceID="PolicyID_xpemlPEP_IDPRoles_1189184509646" Category=""
Name="sales_role" LastModified="1189199771488"
PolicyID="PolicyID_xpemlPEP_IDPRoles_1189184509646"
DateCreated="4294967295" Description="" DateArchived="4294967295"
LastModifiedBy="cn=admin,o=novell">
<xpeml:PolicyEnforcementPointRef
ElementRefType="ExternalWithIDRef"
ExternalDocRef="IDPRoles-default:romaContentCollectionXMLDoc"
ExternalElementRef="xpemlPEP_IDPRoles" />
<xpeml:ConfigurationUsageList />
<xpeml:Rule RuleID="RuleID_1189184509646" RuleOrder="1"
Enable="1" UserInterfaceID="RuleID_1189184509646"
ConditionCombiningAlgorithm="DNF" Description="" Priority="0">
<xpeml:ActionList>
<xpeml:Action UserInterfaceID="ActionID_1189184510593"
Order="1">
<xpeml:ActionRef ElementRefType="ExternalWithIDRef"
ExternalDocRef="IDPRoles-default:romaContentCollectionXMLDoc"
ExternalElementRef="xpemlAction_AddRole" />
<xpeml:InstanceParameterList>
<xpeml:Parameter Value="sales_role"
UserInterfaceID="AdditionalRole" EnumerativeValue="6601"
Name="AdditionalRole" />
</xpeml:InstanceParameterList>
</xpeml:Action>
</xpeml:ActionList>
<xpeml:ConditionList>
<xpeml:ConditionSet Enable="true" UserInterfaceID="1"
NOT="0" SetOrder="1">
<xpeml:Condition Enable="true" UserInterfaceID="1"
NOT="0" Order="1" ResultOnError="false">
<xpeml:ConditionRef ElementRefType="ExternalWithIDRef"
ExternalDocRef="IDPRoles-default:romaContentCollectionXMLDoc"
ExternalElementRef="xpemlCondition_ldap-group" />
<xpeml:OperatorRef ElementRefType="ExternalWithIDRef"
ExternalDocRef="IDPRoles-default:romaContentCollectionXMLDoc"
ExternalElementRef="nxpeOperator_ldap-group-is-member-of" />
<xpeml:LHSOperand Value="">
<xpeml:ContextDataElementRef
ElementRefType="ExternalWithIDRef"
ExternalDocRef="IDPRoles-default:romaContentCollectionXMLDoc"
ExternalElementRef="xpemlContextDataElement_LdapGroup" />
</xpeml:LHSOperand>
<xpeml:RHSOperand Value="cn=sales,o=novell">
<xpeml:ContextDataElementRef
ElementRefType="ExternalWithIDRef"
ExternalDocRef="IDPRoles-default:romaContentCollectionXMLDoc"
ExternalElementRef="xpemlContextDataElement_SelectedLdapGroup" />
</xpeml:RHSOperand>
</xpeml:Condition>
</xpeml:ConditionSet>
</xpeml:ConditionList>
</xpeml:Rule>
</xpeml:Policy>
</xpeml:PoliciesDefinitionList>
</xpeml:PolicyCollection>
</NxpeService>

Labels:

How To-Best Practice
Comment List
Anonymous
Related Discussions
Recommended