2
votes

I would like to automatically map WSO2 application roles to existing LDAP groups from an Active Directory.

Example:

  • internal wso2 role admin is given to users resolved as
    • (&(objectClass=user) (memberOf=administrators)) in DC=acme,DC=com
  • internal wso2 role publisher is given to users resolved as
    • (&(objectClass=user) (memberOf=developers)) in DC=acme,DC=com
  • ... etc

So there is no provisioning to do, and the role mapping does not have to be done manually by the WSO2 administrator. To give a user access to an interface, we just have to add the user to the right AD group (or AD mailing list, which is even easier).

This kind of mapping is used in Nexus Sonatype (using the Apache Shiro library): https://books.sonatype.com/nexus-book/reference/ldap-sect-external-role-mapping-config.html

Is it possible to do that in WSO2?

Is it a requested feature?

Best regards

1
Did you find any solution to this problem? - inem88
Have you tried to assign the WSO2 internal permission to the LDAP roles: Users and Roles -> List -> Roles -> (filter roles by your secondary user store roles) -> choose your LDAP group/role -> Permissions -> assign the role the (internal) publisher permission? - MiddlewareManiac

1 Answer

0
votes

What you can do is use the role which already exists in the LDAP as itself. In the WSO2 server side, just assign the necessary permissions to that role.

For example, the admin role name is defined in the /repository/conf/user-mgt.xml file as below.

        <!-- create the admin user and role at first startup -->
        <AddAdmin>true</AddAdmin>
        <!-- name of the role that receives all admin permissions -->
        <AdminRole>admin</AdminRole>
        <AdminUser>
            <UserName>admin</UserName>
            <Password>admin</Password>
        </AdminUser>

Here, replace the AdminRole value with the role name that already exists on the LDAP side. Upon the first startup of the server, WSO2 will map all the admin permissions to the mentioned role.

For other roles, you can view the existing roles from the Management Console and assign required permissions to them there.

Hope this helps. Cheers
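As an added example (not code from the original answer or from WSO2), the following Python script reads the admin bootstrap section of a user-mgt.xml the way a deployment check would: it extracts AddAdmin, AdminRole and the AdminUser credentials, confirms that the configured AdminRole is one of the role names that actually exist on the LDAP side (the point of the answer), and flags a bootstrap password left at a well-known default. The XML sample is constructed from the snippet in the answer; the enclosing UserManager/Realm/Configuration wrapper elements are assumed, and the set of LDAP role names is constructed rather than read from a directory.

```python
import xml.etree.ElementTree as ET

# Constructed sample of user-mgt.xml, built from the snippet in the answer.
# AddAdmin, AdminRole, AdminUser, UserName and Password appear in the answer;
# the UserManager/Realm/Configuration wrapper is an assumption.
SAMPLE_USER_MGT_XML = """<UserManager>
  <Realm>
    <Configuration>
      <AddAdmin>true</AddAdmin>
      <AdminRole>LDAP-Administrators</AdminRole>
      <AdminUser>
        <UserName>admin</UserName>
        <Password>admin</Password>
      </AdminUser>
    </Configuration>
  </Realm>
</UserManager>
"""

# Constructed list of role/group names as they would be listed from the LDAP
# secondary user store (not read from a real directory).
LDAP_ROLES = {"LDAP-Administrators", "developers", "publishers"}

# Bootstrap passwords that should never survive into a deployed server.
DEFAULT_PASSWORDS = {"admin", "password", "changeme"}


def parse_admin_config(xml_text):
    """Return the admin bootstrap settings of a user-mgt.xml as a dict."""
    root = ET.fromstring(xml_text)
    cfg = root.find("./Realm/Configuration")
    if cfg is None:
        raise ValueError("no Realm/Configuration section found")

    def text(path):
        # Missing or empty elements are reported as "" so callers can flag them.
        el = cfg.find(path)
        return el.text.strip() if el is not None and el.text else ""

    return {
        "add_admin": text("AddAdmin").lower() == "true",
        "admin_role": text("AdminRole"),
        "admin_user": text("AdminUser/UserName"),
        "admin_password": text("AdminUser/Password"),
    }


def check_admin_config(cfg, ldap_roles):
    """Return a list of findings; an empty list means the config passed."""
    findings = []
    if not cfg["admin_role"]:
        findings.append("AdminRole is empty")
    elif cfg["admin_role"] not in ldap_roles:
        # The answer relies on the role already existing in the LDAP store;
        # a typo here silently leaves the admin permissions on the wrong role.
        findings.append(
            f"AdminRole {cfg['admin_role']!r} is not an existing LDAP role")
    if cfg["add_admin"] and cfg["admin_password"] in DEFAULT_PASSWORDS:
        findings.append("bootstrap admin password is a well-known default")
    return findings


if __name__ == "__main__":
    parsed = parse_admin_config(SAMPLE_USER_MGT_XML)
    for finding in check_admin_config(parsed, LDAP_ROLES) or ["no findings"]:
        print(finding)
```

Run against the constructed sample, the role check passes (LDAP-Administrators exists in the role list) but the default bootstrap password is reported; pointing the script at a real user-mgt.xml and a role list exported from the management console gives the same two checks before first startup, which is when WSO2 performs the admin permission mapping.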