Article
Problem
A Forum reader recently asked:
"I'm trying to set up a reverse proxy with authentication to an eDirectory group. I want to check to see if the user is a member of a group. I have this set up on iChain, but I can't figure out how to do it in Access Manager."
And here is the response from Ben Fjelsted ...
Solution
To base access on LDAP groups, you must first make an "Identity Server: Role" policy for the LDAP group that the user is in. Then you can use that role in an "Access Gateway: Authorization" policy.
Here is an example policy set, exported from one of my configurations. It basically says that:
If LDAP Group: [Current]
    Comparison: LDAP Group: Is Member of
    Value: LDAP Group: cn=sales,o=novell
    Result on Condition Error: False
Do Activate Role:
    sales_role
Then it uses this role for the Authorization policy "deny_but_sales".
Remember to enable the role in the Identity Server Configuration under [configuration name] > General > Roles.
<?xml version="1.0" encoding="UTF-8"?>
<!--Sample XML file generated by XMLSpy v2005 rel. 3 U (http://www.altova.com)-->
<NxpeService xmlns:xpeml="urn:novell:schema:xpeml:1.34:policy" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="./nxpeService.xsd" Revision="0.1">
  <xpeml:PolicyCollection schemaVersion="1.34">
    <xpeml:PoliciesDefinitionList LastModified="4294967295" LastModifiedBy="String">
      <xpeml:Policy Enable="true" UserInterfaceID="PolicyID_xpemlPEP_AGAuthorization_1189184590095" Category="" Name="deny_but_sales" LastModified="1189184619087" PolicyID="PolicyID_xpemlPEP_AGAuthorization_1189184590095" DateCreated="4294967295" Description="" DateArchived="4294967295" LastModifiedBy="cn=admin,o=novell">
        <xpeml:PolicyEnforcementPointRef ElementRefType="ExternalWithIDRef" ExternalDocRef="AccessGateway-default:romaContentCollectionXMLDoc" ExternalElementRef="xpemlPEP_AGAuthorization" />
        <xpeml:ConfigurationUsageList />
        <xpeml:Rule RuleID="RuleID_1189184590095" RuleOrder="1" Enable="1" UserInterfaceID="RuleID_1189184590095" ConditionCombiningAlgorithm="DNF" Description="" Priority="0">
          <xpeml:ActionList>
            <xpeml:Action UserInterfaceID="1" Order="1">
              <xpeml:ActionRef ElementRefType="ExternalWithIDRef" ExternalDocRef="AccessGateway-default:romaContentCollectionXMLDoc" ExternalElementRef="xpemlAction_Permit" />
            </xpeml:Action>
          </xpeml:ActionList>
          <xpeml:ConditionList>
            <xpeml:ConditionSet Enable="true" UserInterfaceID="1" NOT="0" SetOrder="1">
              <xpeml:Condition Enable="true" UserInterfaceID="1" NOT="0" Order="1" ResultOnError="false">
                <xpeml:ConditionRef ElementRefType="ExternalWithIDRef" ExternalDocRef="AccessGateway-default:romaContentCollectionXMLDoc" ExternalElementRef="xpemlCondition_string" />
                <xpeml:OperatorRef ElementRefType="ExternalWithIDRef" ExternalDocRef="AccessGateway-default:romaContentCollectionXMLDoc" ExternalElementRef="nxpeOperator_string-equals" />
                <xpeml:LHSOperand Value="">
                  <xpeml:ContextDataElementRef ElementRefType="ExternalWithIDRef" ExternalDocRef="AccessGateway-default:romaContentCollectionXMLDoc" ExternalElementRef="xpemlContextDataElement_CurrentRoles" />
                </xpeml:LHSOperand>
                <xpeml:RHSOperand Value="sales_role">
                  <xpeml:ContextDataElementRef ElementRefType="ExternalWithIDRef" ExternalDocRef="AccessGateway-default:romaContentCollectionXMLDoc" ExternalElementRef="xpemlContextDataElement_SelectedRole" />
                </xpeml:RHSOperand>
                <xpeml:InstanceParameterList>
                  <xpeml:Parameter Value="case-sensitive" UserInterfaceID="case-sensitive" EnumerativeValue="1" Name="flags">
                    <xpeml:ContextDataElementRef ElementRefType="ExternalWithIDRef" ExternalDocRef="AccessGateway-default:romaContentCollectionXMLDoc" ExternalElementRef="case-sensitive" />
                  </xpeml:Parameter>
                </xpeml:InstanceParameterList>
              </xpeml:Condition>
            </xpeml:ConditionSet>
          </xpeml:ConditionList>
        </xpeml:Rule>
        <xpeml:Rule RuleID="RuleID_1189184607928" RuleOrder="1" Enable="true" UserInterfaceID="RuleID_1189184607928" ConditionCombiningAlgorithm="DNF" Description="" Priority="9">
          <xpeml:ActionList>
            <xpeml:Action UserInterfaceID="1" Order="1">
              <xpeml:ActionRef ElementRefType="ExternalWithIDRef" ExternalDocRef="AccessGateway-default:romaContentCollectionXMLDoc" ExternalElementRef="xpemlAction_Deny" />
              <xpeml:InstanceParameterList>
                <xpeml:ParameterGroup UserInterfaceID="DenyParameters" EnumerativeValue="2621" GroupName="DenyParameters" Order="1">
                  <xpeml:Choice UserInterfaceID="ChoiceID_10_1189184609553" EnumerativeValue="10" Enabled="false" ChoiceName="DefaultBlockPage" Order="1" />
                  <xpeml:Choice UserInterfaceID="ChoiceID_20_1189184609553" EnumerativeValue="20" Enabled="true" ChoiceName="SendBlockMessage" Order="2">
                    <xpeml:Parameter Value="You%20must%20be%20in%20the%20Sales%20group%20to%20access%20this%20resource." UserInterfaceID="ParameterID_1_1189184609553" EnumerativeValue="1" Name="Message" />
                  </xpeml:Choice>
                  <xpeml:Choice UserInterfaceID="ChoiceID_30_1189184609554" EnumerativeValue="30" Enabled="false" ChoiceName="RedirectToLocation" Order="3">
                    <xpeml:Parameter Value="" UserInterfaceID="ParameterID_1_1189184609554" EnumerativeValue="1" Name="Redirect" />
                  </xpeml:Choice>
                </xpeml:ParameterGroup>
              </xpeml:InstanceParameterList>
            </xpeml:Action>
          </xpeml:ActionList>
        </xpeml:Rule>
      </xpeml:Policy>
      <xpeml:Policy Enable="true" UserInterfaceID="PolicyID_xpemlPEP_IDPRoles_1189184509646" Category="" Name="sales_role" LastModified="1189199771488" PolicyID="PolicyID_xpemlPEP_IDPRoles_1189184509646" DateCreated="4294967295" Description="" DateArchived="4294967295" LastModifiedBy="cn=admin,o=novell">
        <xpeml:PolicyEnforcementPointRef ElementRefType="ExternalWithIDRef" ExternalDocRef="IDPRoles-default:romaContentCollectionXMLDoc" ExternalElementRef="xpemlPEP_IDPRoles" />
        <xpeml:ConfigurationUsageList />
        <xpeml:Rule RuleID="RuleID_1189184509646" RuleOrder="1" Enable="1" UserInterfaceID="RuleID_1189184509646" ConditionCombiningAlgorithm="DNF" Description="" Priority="0">
          <xpeml:ActionList>
            <xpeml:Action UserInterfaceID="ActionID_1189184510593" Order="1">
              <xpeml:ActionRef ElementRefType="ExternalWithIDRef" ExternalDocRef="IDPRoles-default:romaContentCollectionXMLDoc" ExternalElementRef="xpemlAction_AddRole" />
              <xpeml:InstanceParameterList>
                <xpeml:Parameter Value="sales_role" UserInterfaceID="AdditionalRole" EnumerativeValue="6601" Name="AdditionalRole" />
              </xpeml:InstanceParameterList>
            </xpeml:Action>
          </xpeml:ActionList>
          <xpeml:ConditionList>
            <xpeml:ConditionSet Enable="true" UserInterfaceID="1" NOT="0" SetOrder="1">
              <xpeml:Condition Enable="true" UserInterfaceID="1" NOT="0" Order="1" ResultOnError="false">
                <xpeml:ConditionRef ElementRefType="ExternalWithIDRef" ExternalDocRef="IDPRoles-default:romaContentCollectionXMLDoc" ExternalElementRef="xpemlCondition_ldap-group" />
                <xpeml:OperatorRef ElementRefType="ExternalWithIDRef" ExternalDocRef="IDPRoles-default:romaContentCollectionXMLDoc" ExternalElementRef="nxpeOperator_ldap-group-is-member-of" />
                <xpeml:LHSOperand Value="">
                  <xpeml:ContextDataElementRef ElementRefType="ExternalWithIDRef" ExternalDocRef="IDPRoles-default:romaContentCollectionXMLDoc" ExternalElementRef="xpemlContextDataElement_LdapGroup" />
                </xpeml:LHSOperand>
                <xpeml:RHSOperand Value="cn%3Dsales%2Co%3Dnovell">
                  <xpeml:ContextDataElementRef ElementRefType="ExternalWithIDRef" ExternalDocRef="IDPRoles-default:romaContentCollectionXMLDoc" ExternalElementRef="xpemlContextDataElement_SelectedLdapGroup" />
                </xpeml:RHSOperand>
              </xpeml:Condition>
            </xpeml:ConditionSet>
          </xpeml:ConditionList>
        </xpeml:Rule>
      </xpeml:Policy>
    </xpeml:PoliciesDefinitionList>
  </xpeml:PolicyCollection>
</NxpeService>
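The export above couples two policies through one string: the role policy adds "sales_role" when the LDAP group condition holds, and the authorization policy permits only when CurrentRoles contains that same string, falling through to the unconditional Deny rule otherwise. A typo in either place, or a role policy that is not enabled, silently turns the resource into "deny everyone". The following Python script is an added example, not part of Ben's post and not a Novell tool: it parses the NxpeService export format with the standard library, URL-decodes the operand values (the export stores cn=sales,o=novell as cn%3Dsales%2Co%3Dnovell), and runs two checks a reviewer would want before deploying: every role an Access Gateway authorization policy tests for is activated by some enabled Identity Server role policy, and no Permit rule has a condition with ResultOnError="true" (fail open). The embedded SAMPLE_XML is a constructed, trimmed copy of the two policies above; IDs, timestamps and ExternalDocRef attributes are dropped because the parser never reads them.

```python
"""Parse an Access Manager policy export (NxpeService XML) and cross-check the
role names shared between Identity Server role policies and Access Gateway
authorization policies. Added example, not Novell's code."""
import xml.etree.ElementTree as ET
from urllib.parse import unquote

NS = {"xpeml": "urn:novell:schema:xpeml:1.34:policy"}

# Constructed sample: the two policies from the export above, trimmed to the
# attributes this parser reads (IDs, timestamps and ExternalDocRefs dropped).
SAMPLE_XML = """<NxpeService xmlns:xpeml="urn:novell:schema:xpeml:1.34:policy">
<xpeml:PolicyCollection schemaVersion="1.34"><xpeml:PoliciesDefinitionList>
<xpeml:Policy Enable="true" Name="deny_but_sales"><xpeml:PolicyEnforcementPointRef ExternalElementRef="xpemlPEP_AGAuthorization"/>
 <xpeml:Rule RuleOrder="1" Priority="0">
  <xpeml:ActionList><xpeml:Action Order="1"><xpeml:ActionRef ExternalElementRef="xpemlAction_Permit"/></xpeml:Action></xpeml:ActionList>
  <xpeml:ConditionList><xpeml:ConditionSet SetOrder="1">
   <xpeml:Condition Order="1" ResultOnError="false">
    <xpeml:ConditionRef ExternalElementRef="xpemlCondition_string"/><xpeml:OperatorRef ExternalElementRef="nxpeOperator_string-equals"/>
    <xpeml:LHSOperand Value=""><xpeml:ContextDataElementRef ExternalElementRef="xpemlContextDataElement_CurrentRoles"/></xpeml:LHSOperand>
    <xpeml:RHSOperand Value="sales_role"/>
   </xpeml:Condition></xpeml:ConditionSet></xpeml:ConditionList>
 </xpeml:Rule>
 <xpeml:Rule RuleOrder="1" Priority="9">
  <xpeml:ActionList><xpeml:Action Order="1"><xpeml:ActionRef ExternalElementRef="xpemlAction_Deny"/></xpeml:Action></xpeml:ActionList>
 </xpeml:Rule>
</xpeml:Policy>
<xpeml:Policy Enable="true" Name="sales_role"><xpeml:PolicyEnforcementPointRef ExternalElementRef="xpemlPEP_IDPRoles"/>
 <xpeml:Rule RuleOrder="1" Priority="0">
  <xpeml:ActionList><xpeml:Action Order="1"><xpeml:ActionRef ExternalElementRef="xpemlAction_AddRole"/>
   <xpeml:InstanceParameterList><xpeml:Parameter Name="AdditionalRole" Value="sales_role"/></xpeml:InstanceParameterList>
  </xpeml:Action></xpeml:ActionList>
  <xpeml:ConditionList><xpeml:ConditionSet SetOrder="1">
   <xpeml:Condition Order="1" ResultOnError="false">
    <xpeml:ConditionRef ExternalElementRef="xpemlCondition_ldap-group"/><xpeml:OperatorRef ExternalElementRef="nxpeOperator_ldap-group-is-member-of"/>
    <xpeml:LHSOperand Value=""><xpeml:ContextDataElementRef ExternalElementRef="xpemlContextDataElement_LdapGroup"/></xpeml:LHSOperand>
    <xpeml:RHSOperand Value="cn%3Dsales%2Co%3Dnovell"/>
   </xpeml:Condition></xpeml:ConditionSet></xpeml:ConditionList>
 </xpeml:Rule>
</xpeml:Policy>
</xpeml:PoliciesDefinitionList></xpeml:PolicyCollection></NxpeService>"""


def _ref(el, path):
    """ExternalElementRef of the child found at `path`, or None if absent."""
    child = el.find(path, NS)
    return None if child is None else child.get("ExternalElementRef")


def parse_policies(xml_text):
    """Map policy name -> {pep, enabled, rules}; each rule lists its actions,
    the roles it adds (role policies only) and its conditions."""
    policies = {}
    for pol in ET.fromstring(xml_text).iterfind(".//xpeml:Policy", NS):
        rules = []
        for rule in pol.iterfind("xpeml:Rule", NS):
            conds = []
            for c in rule.iterfind(".//xpeml:Condition", NS):
                rhs = c.find("xpeml:RHSOperand", NS)
                conds.append({
                    "condition": _ref(c, "xpeml:ConditionRef"),
                    "operator": _ref(c, "xpeml:OperatorRef"),
                    "lhs": _ref(c, "xpeml:LHSOperand/xpeml:ContextDataElementRef"),
                    # operand values are URL-encoded in the export
                    "rhs": None if rhs is None else unquote(rhs.get("Value", "")),
                    "fail_open": c.get("ResultOnError", "false").lower() == "true",
                })
            rules.append({
                "actions": [a.get("ExternalElementRef")
                            for a in rule.iterfind(".//xpeml:ActionRef", NS)],
                "adds_roles": [p.get("Value") for p in rule.iterfind(".//xpeml:Parameter", NS)
                               if p.get("Name") == "AdditionalRole"],
                "conditions": conds,
            })
        policies[pol.get("Name")] = {"pep": _ref(pol, "xpeml:PolicyEnforcementPointRef"),
                                     "enabled": pol.get("Enable") == "true", "rules": rules}
    return policies


def undefined_roles(xml_text):
    """Roles an authorization policy compares CurrentRoles against that no enabled
    role policy adds: the Permit can never fire, so the resource ends up denied."""
    pols = parse_policies(xml_text)
    activated = {r for p in pols.values() if p["pep"] == "xpemlPEP_IDPRoles" and p["enabled"]
                 for rule in p["rules"] for r in rule["adds_roles"]}
    tested = {c["rhs"] for p in pols.values() if p["pep"] == "xpemlPEP_AGAuthorization"
              for rule in p["rules"] for c in rule["conditions"]
              if c["lhs"] == "xpemlContextDataElement_CurrentRoles"}
    return sorted(tested - activated)


def fail_open_permits(xml_text):
    """(policy, rhs) pairs where a Permit rule's condition returns true on a
    condition error; the export above uses ResultOnError="false" throughout."""
    return [(name, c["rhs"]) for name, p in parse_policies(xml_text).items()
            for rule in p["rules"] if "xpemlAction_Permit" in rule["actions"]
            for c in rule["conditions"] if c["fail_open"]]


def groups_for_role(xml_text, role):
    """Decoded LDAP group DNs whose membership activates `role`."""
    return sorted(c["rhs"] for p in parse_policies(xml_text).values()
                  if p["pep"] == "xpemlPEP_IDPRoles"
                  for rule in p["rules"] if role in rule["adds_roles"]
                  for c in rule["conditions"] if c["condition"] == "xpemlCondition_ldap-group")
```

Point `parse_policies` at a full export and the checks work unchanged, because the attributes the sample drops are never read. Note that this is a structural check on the export only: it cannot see whether the role is enabled under [configuration name] > General > Roles in the Identity Server configuration, which Ben's reminder covers and which is not part of the exported policy XML.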
Disclaimer: As with everything else at Cool Solutions, this content is definitely not supported by Novell (so don't even think of calling Support if you try something and it blows up).
It was contributed by a community member and is published "as is." It seems to have worked for at least one person, and might work for you. But please be sure to test, test, test before you do anything drastic with it.