Configuring authorization by using LDAP groups

Authorize roles in IBM® Integration Bus against a Lightweight Directory Access Protocol (LDAP) or Secure LDAP (LDAPS) server.

Before you begin

LDAP authorization can be applied only to LDAP authenticated users. If LDAP authentication is not already enabled, enable it now as described in Enabling an integration node to use LDAP for authentication.

About this task

You can grant and revoke administration authority for an integration node or integration server by configuring LDAP authorization for specified groups or attributes in LDAP to specified roles in IBM Integration Bus. You can configure the authorization by setting properties in the web administration server security YAML configuration file, ldap.auth.yaml. An example file that shows the layout of this configuration file is provided in the directory \server\sample\configuration. To apply the configuration that you specify in ldap.auth.yaml, you must use the appropriate IBM Integration Bus commands.

LDAP authorization can only be applied to LDAP authenticated users. LDAP users must belong to one or more LDAP groups, or have one or more LDAP attributes that map to roles in IBM Integration Bus, with appropriate access to the admin REST API. Roles in IBM Integration Bus have read, write, or execute permissions for objects in integration nodes or integration servers. For more information, see Role-based security. LDAP users can belong to a single LDAP group that can be mapped to a single role in IBM Integration Bus, or multiple LDAP groups that can be mapped to multiple roles in IBM Integration Bus. An LDAP authenticated user's LDAP attributes can also be used to map to roles in IBM Integration Bus.

Configure LDAP authorization by completing the following steps. The values that are used in these steps are for illustrative purposes; provide your own values as appropriate to your environment.

Procedure

  1. Locate the ldap.auth.yaml web administration server security file.
    A sample file is provided, the relative path to which is server/sample/configuration/ldap.auth.yaml from the root of the IBM Integration Bus installation directory.

    It is good practice to copy the sample file and then modify the copy to suit your requirements. The original can then serve as a syntax reference for future use.

  2. Amend the RestAdminListener: and Security: sections in the ldap.auth.yaml file with the values that you need.
    1. Update the RestAdminListener: section with values that define the actions that are performed when IBM Integration Bus checks whether a user is authorized. For example:
      RestAdminListener:
      # ldapAuthorizeUrl: ldap[s]://server[:port]/baseDN[?[attr_name][?[base|one|sub]][?filter_expr]]
        ldapAuthorizeUrl: ldap://ibmexample1:10389/dc=example,dc=com?ou?sub?(uid={{username}})  
      
    2. Update the Security: section to map values of LDAP attributes on LDAP objects to names of roles in IBM Integration Bus. For example:
      Security:
        LdapAuthorizeAttributeToRoleMap:
          businessgroup1: adminRole
          businessgroup2: viewRole
      If you have existing LDAP attributes and existing roles in IBM Integration Bus with different names, you must map from one to the other. LDAP objects with attribute values that do not match the names of defined roles in IBM Integration Bus result in access being denied unless the attributes and roles are explicitly mapped in the web administration server security YAML file. You do not need to map in the following cases:
      • If values of LDAP group attributes match the names of roles in IBM Integration Bus.
      • If you configure LDAP attribute values to match names of existing roles in IBM Integration Bus.
      • If you create roles in IBM Integration Bus with names identical to values of LDAP attributes.
    In this example:
    • ibmexample1 is the hostname of the LDAP server
    • 10389 is the port number of the LDAP server
    • dc=example,dc=com is the base DN
    • ou is the attribute name
    • sub indicates a subtree-scoped search: the base DN entry and every entry beneath it in the LDAP tree are searched
    • uid={{username}} is the filter expression
    This configuration means that the following actions are performed when IBM Integration Bus checks whether a user is authorized:
    • A subtree-scoped LDAP search without SSL is performed on server ibmexample1 that is listening on port number 10389 for objects that are in the search base dc=example,dc=com that match the search filter uid={{username}}.
    • For every object that is matched during the search, the value of its ou attribute is returned. This value is assumed to identify an LDAP group.
    • If any of the returned values case-sensitively match businessgroup1, the web user is granted the IBM Integration Bus role of adminRole if it exists.
    • Similarly, if any of the returned values case-sensitively match businessgroup2, the web user is granted the IBM Integration Bus role of viewRole if it exists.
  3. Save the modified file.
  4. Create roles in IBM Integration Bus and set administration security authorization file permissions for those roles by using the mqsichangefileauth command. For example, define the adminRole and viewRole roles and permissions:
    mqsichangefileauth IBNODE -e IBSERVER -r adminRole -p read+,write+,execute+
    mqsichangefileauth IBNODE -e IBSERVER -r viewRole -p read+,write-,execute-
  5. Enable LDAP security by using the mqsichangeauthmode command. For example:
    mqsichangeauthmode IBNODE -s active -m ldap
  6. Define the credentials to bind to the LDAP server by using the mqsisetdbparms command. For example:
    mqsisetdbparms IBNODE -n ldap::ibmexample1 -u "uid=admin,ou=system" -p password
    where password is the password that is associated with the LDAP server.
  7. Define the configuration for LDAP authentication. Use the mqsichangeproperties command to specify the URI for the LDAP server. For example:
    mqsichangeproperties IBNODE -b webadmin -o server -n ldapAuthenticationUri -v \"ldap://localhost:10389/dc=example,dc=com\"
  8. Optional: Use the mqsichangeproperties command to specify a wildcard value for all users.
    By specifying a wildcard value, the identity of a user that is attempting to log in to IBM Integration Bus is passed to LDAP for authentication and, as a result of the LDAP group authorization settings that you have specified, role mapping is overridden and all users are no longer assigned to the same role. For example:
    mqsichangeproperties IBNODE -c -u '*' -x -r roleisoveridden
  9. Use the mqsichangeproperties command to specify the path to the web administration server security YAML configuration file. For example:
    mqsichangeproperties IBNODE -b webadmin -o server -n ldapYamlPath -v "C:\LDAPEXAMPLE\ldap.auth.yaml"
  10. Restart the integration node or integration server for the changes to take effect.
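The following Python script is an added illustration and is not IBM code or the product's internal logic. It models how the RestAdminListener and Security settings from step 2 and the role permissions set with mqsichangefileauth in step 4 combine into a single authorization decision: the ldapAuthorizeUrl is split into its server, base DN, attribute, scope and filter parts, {{username}} is substituted into the filter, the returned attribute values are passed through LdapAuthorizeAttributeToRoleMap (case-sensitively, with unmapped values tried as role names directly), and a role is granted only if it has been defined. The directory, the user entries and the parse_authorize_url, ldap_search, roles_for_user and is_authorized functions are constructed assumptions of this model; it contacts no LDAP server or integration node and handles only simple (attr=value) filters.

```python
"""Added illustration (not IBM code): how the ldap.auth.yaml settings and the
mqsichangefileauth permissions shown in the procedure combine into an
authorization decision. The directory is a constructed in-memory stand-in;
no LDAP server or IBM Integration Bus installation is contacted."""
import re
from urllib.parse import unquote

# Constructed copy of the two ldap.auth.yaml settings used in step 2.
LDAP_AUTHORIZE_URL = "ldap://ibmexample1:10389/dc=example,dc=com?ou?sub?(uid={{username}})"
ATTRIBUTE_TO_ROLE_MAP = {"businessgroup1": "adminRole", "businessgroup2": "viewRole"}

# Constructed stand-in for the LDAP data: DN -> attributes (multi-valued, as in LDAP).
SAMPLE_DIRECTORY = {
    "uid=alice,ou=businessgroup1,dc=example,dc=com": {"uid": ["alice"], "ou": ["businessgroup1"]},
    "uid=bob,ou=businessgroup2,dc=example,dc=com":   {"uid": ["bob"],   "ou": ["businessgroup2"]},
    # ou value differs only in case from the mapped key: must NOT be granted a role
    "uid=carol,ou=BusinessGroup1,dc=example,dc=com": {"uid": ["carol"], "ou": ["BusinessGroup1"]},
    # ou value is neither mapped nor the name of a defined role
    "uid=dave,ou=contractors,dc=example,dc=com":     {"uid": ["dave"],  "ou": ["contractors"]},
    # outside the search base, so never found even though the ou value is mapped
    "uid=erin,ou=people,dc=other,dc=com":            {"uid": ["erin"],  "ou": ["businessgroup1"]},
}


def parse_permissions(spec):
    """Parse a mqsichangefileauth -p value such as 'read+,write-,execute-'."""
    perms = {}
    for token in spec.split(","):
        token = token.strip()
        if token[:-1] not in ("read", "write", "execute") or token[-1:] not in ("+", "-"):
            raise ValueError("bad permission token: %r" % token)
        perms[token[:-1]] = token.endswith("+")
    return perms


# Roles defined in step 4; a role that is absent here "does not exist" and is never granted.
ROLE_PERMISSIONS = {
    "adminRole": parse_permissions("read+,write+,execute+"),
    "viewRole":  parse_permissions("read+,write-,execute-"),
}

# ldap[s]://server[:port]/baseDN[?[attr_name][?[base|one|sub]][?filter_expr]]
_URL_RE = re.compile(
    r"^(ldaps?)://([^/:]+)(?::(\d+))?/([^?]*)(?:\?([^?]*)(?:\?([^?]*)(?:\?(.*))?)?)?$")


def parse_authorize_url(url):
    """Split an ldapAuthorizeUrl into its parts, applying the RFC 4516 defaults."""
    m = _URL_RE.match(url)
    if not m:
        raise ValueError("not an ldap[s] URL: %r" % url)
    scheme, host, port, base_dn, attr, scope, filt = m.groups()
    return {
        "scheme": scheme,
        "host": host,
        "port": int(port) if port else (636 if scheme == "ldaps" else 389),
        "base_dn": base_dn,
        "attr": attr or None,
        "scope": (scope or "base").lower(),
        "filter": unquote(filt) if filt else "(objectClass=*)",
    }


def ldap_search(directory, base_dn, scope, filter_expr, attr):
    """Return every value of `attr` on in-scope entries that match the filter.
    Only a single (name=value) equality filter is modelled; DN and filter-value
    comparison is case-insensitive, as for the usual LDAP matching rules."""
    m = re.match(r"^\(([A-Za-z][\w-]*)=([^)]*)\)$", filter_expr)
    if not m:
        raise ValueError("only simple (attr=value) filters are modelled: %r" % filter_expr)
    f_attr, f_value = m.group(1), m.group(2).lower()
    base = base_dn.lower()
    values = []
    for dn, attrs in directory.items():
        d = dn.lower()
        if scope == "base":
            in_scope = d == base
        elif scope == "one":
            in_scope = d.endswith("," + base) and "," not in d[: -len(base) - 1]
        else:  # "sub": the base entry and everything beneath it
            in_scope = d == base or d.endswith("," + base)
        if in_scope and any(v.lower() == f_value for v in attrs.get(f_attr, [])):
            values.extend(attrs.get(attr, []))
    return values


def roles_for_user(username, directory=SAMPLE_DIRECTORY, url=LDAP_AUTHORIZE_URL,
                   role_map=ATTRIBUTE_TO_ROLE_MAP, defined_roles=ROLE_PERMISSIONS):
    """Resolve the IBM Integration Bus roles granted to an LDAP-authenticated user."""
    cfg = parse_authorize_url(url)
    filter_expr = cfg["filter"].replace("{{username}}", username)
    attr_values = ldap_search(directory, cfg["base_dn"], cfg["scope"], filter_expr, cfg["attr"])
    granted = set()
    for value in attr_values:
        # Case-sensitive: a mapped attribute value wins; otherwise the value itself
        # must be the exact name of a defined role (the "no mapping needed" cases).
        role = role_map.get(value, value)
        if role in defined_roles:
            granted.add(role)
    return granted


def is_authorized(username, action, directory=SAMPLE_DIRECTORY):
    """True if any role held by the user carries the read/write/execute permission."""
    return any(ROLE_PERMISSIONS[role].get(action, False)
               for role in roles_for_user(username, directory))


if __name__ == "__main__":
    for user in ("alice", "bob", "carol", "dave", "erin", "mallory"):
        roles = sorted(roles_for_user(user)) or ["(none: access denied)"]
        decisions = {a: is_authorized(user, a) for a in ("read", "write", "execute")}
        print("%-8s roles=%-24s %s" % (user, ",".join(roles), decisions))
```

Running the script shows alice receiving adminRole with all three permissions, bob receiving viewRole with read only, and carol, dave, erin and an unknown user receiving no role at all: carol because BusinessGroup1 does not case-sensitively match the mapped key, dave because contractors is neither mapped nor a defined role, and erin because her entry lies outside the base DN and is never returned by the search.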

What to do next

You have options on how to configure LDAP authorization.