Setting Up a Group Membership Check in Access Manager


Problem



A Forum reader recently asked:

"I'm trying to set up a reverse proxy with authentication to an eDirectory group. I want to check to see if the user is a member of a group. I have this set up on iChain, but I can't figure out how to do it in Access Manager."

And here is the response from Ben Fjelsted ...

Solution



To base access on LDAP groups, you must first create an "Identity Server: Role" policy for the LDAP group that the user is in. Then you can use that role in an "Access Gateway: Authorization" policy.

Here is an example policy set, exported from one of my configurations. It basically says that:

If LDAP Group: [Current]
Comparison: LDAP Group: Is Member of
Value: LDAP Group: cn=sales,o=novell
Result on Condition Error: False

Do Activate Role:
sales_role

The Authorization policy "deny_but_sales" then uses this role: it permits users who hold sales_role and denies everyone else.

Remember to enable the role in the Identity Server Configuration under [configuration name] > General > Roles.


<?xml version="1.0" encoding="UTF-8"?>
<!--Sample XML file generated by XMLSpy v2005 rel. 3 U
(http://www.altova.com)-->
<!-- Exported policy set holding two policies:
     1. "deny_but_sales": an Access Gateway authorization policy.
     2. "sales_role": an Identity Server role policy.
     The authorization policy compares the user's current roles with the
     literal role name "sales_role", which is the name the role policy adds,
     so the two values must stay in step if either policy is edited. -->
<NxpeService xmlns:xpeml="urn:novell:schema:xpeml:1.34:policy"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:noNamespaceSchemaLocation="./nxpeService.xsd" Revision="0.1">
<xpeml:PolicyCollection schemaVersion="1.34">
<xpeml:PoliciesDefinitionList LastModified="4294967295"
LastModifiedBy="String">
<!-- Authorization policy "deny_but_sales", bound to the Access Gateway
     enforcement point (xpemlPEP_AGAuthorization). It contains a Permit rule
     conditioned on the role and a Deny rule with no condition. -->
<xpeml:Policy Enable="true"
UserInterfaceID="PolicyID_xpemlPEP_AGAuthorization_1189184590095"
Category="" Name="deny_but_sales" LastModified="1189184619087"
PolicyID="PolicyID_xpemlPEP_AGAuthorization_1189184590095"
DateCreated="4294967295" Description="" DateArchived="4294967295"
LastModifiedBy="cn=admin,o=novell">
<xpeml:PolicyEnforcementPointRef
ElementRefType="ExternalWithIDRef"
ExternalDocRef="AccessGateway-default:romaContentCollectionXMLDoc"
ExternalElementRef="xpemlPEP_AGAuthorization" />
<xpeml:ConfigurationUsageList />
<!-- Permit rule, Priority="0".
     NOTE(review): both rules in this policy carry RuleOrder="1", so Priority
     presumably decides which rule is evaluated first (0 before 9). Confirm
     against the product documentation before relying on the ordering.
     NOTE(review): this rule is exported with Enable="1" while the Deny rule
     uses Enable="true"; both are left exactly as exported. -->
<xpeml:Rule RuleID="RuleID_1189184590095" RuleOrder="1"
Enable="1" UserInterfaceID="RuleID_1189184590095"
ConditionCombiningAlgorithm="DNF" Description="" Priority="0">
<xpeml:ActionList>
<xpeml:Action UserInterfaceID="1" Order="1">
<xpeml:ActionRef ElementRefType="ExternalWithIDRef"
ExternalDocRef="AccessGateway-default:romaContentCollectionXMLDoc"
ExternalElementRef="xpemlAction_Permit" />
</xpeml:Action>
</xpeml:ActionList>
<xpeml:ConditionList>
<xpeml:ConditionSet Enable="true" UserInterfaceID="1"
NOT="0" SetOrder="1">
<!-- Condition: CurrentRoles string-equals "sales_role".
     ResultOnError="false" makes the condition count as not met when it
     cannot be evaluated, so an evaluation error does not trigger the
     Permit action. -->
<xpeml:Condition Enable="true" UserInterfaceID="1"
NOT="0" Order="1" ResultOnError="false">
<xpeml:ConditionRef ElementRefType="ExternalWithIDRef"
ExternalDocRef="AccessGateway-default:romaContentCollectionXMLDoc"
ExternalElementRef="xpemlCondition_string" />
<xpeml:OperatorRef ElementRefType="ExternalWithIDRef"
ExternalDocRef="AccessGateway-default:romaContentCollectionXMLDoc"
ExternalElementRef="nxpeOperator_string-equals" />
<xpeml:LHSOperand Value="">
<xpeml:ContextDataElementRef
ElementRefType="ExternalWithIDRef"
ExternalDocRef="AccessGateway-default:romaContentCollectionXMLDoc"
ExternalElementRef="xpemlContextDataElement_CurrentRoles" />
</xpeml:LHSOperand>
<xpeml:RHSOperand Value="sales_role">
<xpeml:ContextDataElementRef
ElementRefType="ExternalWithIDRef"
ExternalDocRef="AccessGateway-default:romaContentCollectionXMLDoc"
ExternalElementRef="xpemlContextDataElement_SelectedRole" />
</xpeml:RHSOperand>
<!-- The comparison is flagged case-sensitive: the RHS value above has to
     match the role name added by the "sales_role" policy character for
     character, including case. -->
<xpeml:InstanceParameterList>
<xpeml:Parameter Value="case-sensitive"
UserInterfaceID="case-sensitive" EnumerativeValue="1" Name="flags">
<xpeml:ContextDataElementRef
ElementRefType="ExternalWithIDRef"
ExternalDocRef="AccessGateway-default:romaContentCollectionXMLDoc"
ExternalElementRef="case-sensitive" />
</xpeml:Parameter>
</xpeml:InstanceParameterList>
</xpeml:Condition>
</xpeml:ConditionSet>
</xpeml:ConditionList>
</xpeml:Rule>
<!-- Deny rule, Priority="9". It has no ConditionList, so it carries no
     condition of its own; presumably it acts as the catch-all for every
     request the Permit rule did not match. Verify that evaluation order
     before deploying. -->
<xpeml:Rule RuleID="RuleID_1189184607928" RuleOrder="1"
Enable="true" UserInterfaceID="RuleID_1189184607928"
ConditionCombiningAlgorithm="DNF" Description="" Priority="9">
<xpeml:ActionList>
<xpeml:Action UserInterfaceID="1" Order="1">
<xpeml:ActionRef ElementRefType="ExternalWithIDRef"
ExternalDocRef="AccessGateway-default:romaContentCollectionXMLDoc"
ExternalElementRef="xpemlAction_Deny" />
<xpeml:InstanceParameterList>
<!-- Three deny behaviours are listed; only SendBlockMessage has
     Enabled="true". -->
<xpeml:ParameterGroup UserInterfaceID="DenyParameters"
EnumerativeValue="2621" GroupName="DenyParameters" Order="1">
<xpeml:Choice
UserInterfaceID="ChoiceID_10_1189184609553" EnumerativeValue="10"
Enabled="false" ChoiceName="DefaultBlockPage" Order="1" />
<!-- NOTE(review): the message below tells a denied user which group
     grants access. Use a generic message if group names should not be
     disclosed to users who lack the role. -->
<xpeml:Choice
UserInterfaceID="ChoiceID_20_1189184609553" EnumerativeValue="20"
Enabled="true" ChoiceName="SendBlockMessage" Order="2">
<xpeml:Parameter
Value="You must be in the Sales group to access this resource."
UserInterfaceID="ParameterID_1_1189184609553" EnumerativeValue="1"
Name="Message" />
</xpeml:Choice>
<xpeml:Choice
UserInterfaceID="ChoiceID_30_1189184609554" EnumerativeValue="30"
Enabled="false" ChoiceName="RedirectToLocation" Order="3">
<xpeml:Parameter Value=""
UserInterfaceID="ParameterID_1_1189184609554" EnumerativeValue="1"
Name="Redirect" />
</xpeml:Choice>
</xpeml:ParameterGroup>
</xpeml:InstanceParameterList>
</xpeml:Action>
</xpeml:ActionList>
</xpeml:Rule>
</xpeml:Policy>
<!-- Role policy "sales_role", bound to the Identity Server roles
     enforcement point (xpemlPEP_IDPRoles). Its single rule adds the role
     "sales_role" when the LDAP group membership condition is met. -->
<xpeml:Policy Enable="true"
UserInterfaceID="PolicyID_xpemlPEP_IDPRoles_1189184509646" Category=""
Name="sales_role" LastModified="1189199771488"
PolicyID="PolicyID_xpemlPEP_IDPRoles_1189184509646"
DateCreated="4294967295" Description="" DateArchived="4294967295"
LastModifiedBy="cn=admin,o=novell">
<xpeml:PolicyEnforcementPointRef
ElementRefType="ExternalWithIDRef"
ExternalDocRef="IDPRoles-default:romaContentCollectionXMLDoc"
ExternalElementRef="xpemlPEP_IDPRoles" />
<xpeml:ConfigurationUsageList />
<xpeml:Rule RuleID="RuleID_1189184509646" RuleOrder="1"
Enable="1" UserInterfaceID="RuleID_1189184509646"
ConditionCombiningAlgorithm="DNF" Description="" Priority="0">
<xpeml:ActionList>
<!-- AddRole action: the Value of the AdditionalRole parameter is the role
     name that the authorization policy's string comparison checks for. -->
<xpeml:Action UserInterfaceID="ActionID_1189184510593"
Order="1">
<xpeml:ActionRef ElementRefType="ExternalWithIDRef"
ExternalDocRef="IDPRoles-default:romaContentCollectionXMLDoc"
ExternalElementRef="xpemlAction_AddRole" />
<xpeml:InstanceParameterList>
<xpeml:Parameter Value="sales_role"
UserInterfaceID="AdditionalRole" EnumerativeValue="6601"
Name="AdditionalRole" />
</xpeml:InstanceParameterList>
</xpeml:Action>
</xpeml:ActionList>
<xpeml:ConditionList>
<xpeml:ConditionSet Enable="true" UserInterfaceID="1"
NOT="0" SetOrder="1">
<!-- Condition: LDAP group is-member-of cn=sales,o=novell.
     ResultOnError="false" makes the condition count as not met when the
     membership check cannot be evaluated, so the role is not added on error.
     The group DN belongs to the tree this sample was exported from; replace
     it with the DN of the group in your own directory. -->
<xpeml:Condition Enable="true" UserInterfaceID="1"
NOT="0" Order="1" ResultOnError="false">
<xpeml:ConditionRef ElementRefType="ExternalWithIDRef"
ExternalDocRef="IDPRoles-default:romaContentCollectionXMLDoc"
ExternalElementRef="xpemlCondition_ldap-group" />
<xpeml:OperatorRef ElementRefType="ExternalWithIDRef"
ExternalDocRef="IDPRoles-default:romaContentCollectionXMLDoc"
ExternalElementRef="nxpeOperator_ldap-group-is-member-of" />
<xpeml:LHSOperand Value="">
<xpeml:ContextDataElementRef
ElementRefType="ExternalWithIDRef"
ExternalDocRef="IDPRoles-default:romaContentCollectionXMLDoc"
ExternalElementRef="xpemlContextDataElement_LdapGroup" />
</xpeml:LHSOperand>
<xpeml:RHSOperand Value="cn=sales,o=novell">
<xpeml:ContextDataElementRef
ElementRefType="ExternalWithIDRef"
ExternalDocRef="IDPRoles-default:romaContentCollectionXMLDoc"
ExternalElementRef="xpemlContextDataElement_SelectedLdapGroup" />
</xpeml:RHSOperand>
</xpeml:Condition>
</xpeml:ConditionSet>
</xpeml:ConditionList>
</xpeml:Rule>
</xpeml:Policy>
</xpeml:PoliciesDefinitionList>
</xpeml:PolicyCollection>
</NxpeService>
