Authorizing a single LDAP group to have a role in IBM Integration Bus

Authorize a single LDAP group to have a role in IBM® Integration Bus by setting values for the ldapAuthorizeUrl property in the ldap.auth.yaml web administration server security configuration file.

Before you begin

Ensure that you have set admin security authorization file permissions as required for roles in IBM Integration Bus and that you have completed any required mapping of LDAP attribute values to names of roles in IBM Integration Bus. See Configuring authorization by using LDAP groups.

About this task

The example described in this topic illustrates how to authorize a single LDAP group to have a role in IBM Integration Bus. The example refers to an LDAP-authenticated user, graham, who is a member of a single group in LDAP, which has the distinguished name (dn) cn=administrator,ou=groups,o=iib, as shown in the following LDAP configuration:
 objectClass: Person
 dn: cn=graham,ou=users,o=iib
 cn: graham

 objectClass: groupOfNames
 dn: cn=administrator,ou=groups,o=iib
 cn: administrator
 member: cn=graham,ou=users,o=iib
 member: cn=martin,ou=users,o=iib

Procedure

  1. To authorize the single LDAP group with distinguished name (dn) cn=administrator,ou=groups,o=iib to have the role adminRole in IBM Integration Bus, set the values for ldapAuthorizeUrl in the ldap.auth.yaml web administration server security file as shown in the following example:
    ldapAuthorizeUrl: ldap://localhost:10389/ou=groups,o=iib?cn?sub?(member={{dn}})
    where:
    • localhost is the server
    • 10389 is the port
    • ou=groups,o=iib is the baseDN (Distinguished name)
    • cn is the attr_name
    • sub is the search scope: the whole subtree beneath the baseDN is searched (as opposed to base, the baseDN entry only, or one, its direct children only)
    • (member={{dn}}) is the filter_expr
  2. Map the LDAP attribute value to the role in IBM Integration Bus by updating the Security: section in the ldap.auth.yaml file as shown in the following example:
    Security:
      LdapAuthorizeAttributeToRoleMap:
        'administrator': 'adminRole'
  3. Save the modified file.
  4. Restart the integration node or integration server, as appropriate, for the changes to take effect.
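As an added example (not IBM's code and not part of this topic), the following Python models the two steps above: it splits ldapAuthorizeUrl into its RFC 4516 parts, substitutes {{dn}} with the authenticated user's DN, runs the search against a constructed in-memory copy of the directory shown earlier, and maps the returned cn values through LdapAuthorizeAttributeToRoleMap. It assumes only the simple (attr=value) filter used in the topic; the directory and role map are hypothetical stand-ins for a real LDAP server and the parsed YAML file.

```python
from urllib.parse import urlparse, unquote

# Constructed sample directory, mirroring the entries described in this topic.
DIRECTORY = [
    {"dn": "cn=graham,ou=users,o=iib", "objectClass": ["Person"], "cn": ["graham"]},
    {"dn": "cn=martin,ou=users,o=iib", "objectClass": ["Person"], "cn": ["martin"]},
    {"dn": "cn=administrator,ou=groups,o=iib", "objectClass": ["groupOfNames"],
     "cn": ["administrator"],
     "member": ["cn=graham,ou=users,o=iib", "cn=martin,ou=users,o=iib"]},
]
# The Security: section of ldap.auth.yaml, as it would look once loaded (hypothetical).
ROLE_MAP = {"administrator": "adminRole"}
AUTHORIZE_URL = "ldap://localhost:10389/ou=groups,o=iib?cn?sub?(member={{dn}})"


def parse_ldap_url(url):
    """Split an RFC 4516 LDAP URL into host, port, baseDN, attr_name, scope, filter_expr."""
    u = urlparse(url)
    base_dn = unquote(u.path.lstrip("/"))
    attr, scope, filt = (u.query.split("?") + ["", "", ""])[:3]
    return u.hostname, u.port, base_dn, attr, scope or "base", unquote(filt)


def dn_in_scope(entry_dn, base_dn, scope):
    """Apply the URL scope: base = baseDN entry only, one = direct children, sub = whole subtree."""
    e, b = entry_dn.lower(), base_dn.lower()
    if scope == "base":
        return e == b
    if scope == "one":
        return e.endswith("," + b) and "," not in e[: -len(b) - 1]
    return e == b or e.endswith("," + b)


def match_equality_filter(entry, filt):
    """Evaluate a single (attr=value) filter; LDAP matching is case-insensitive."""
    attr, _, value = filt.strip("()").partition("=")
    return value.lower() in (v.lower() for v in entry.get(attr, []))


def roles_for(user_dn, url=AUTHORIZE_URL, directory=DIRECTORY, role_map=ROLE_MAP):
    """Return the IIB roles granted to user_dn: run the search, then map attr values to roles."""
    _host, _port, base_dn, attr, scope, filt = parse_ldap_url(url)
    filt = filt.replace("{{dn}}", user_dn)  # substitute the authenticated user's DN
    values = [v for e in directory
              if dn_in_scope(e["dn"], base_dn, scope) and match_equality_filter(e, filt)
              for v in e.get(attr, [])]
    # Only attribute values with an explicit mapping grant a role; unmapped groups grant nothing.
    return sorted({role_map[v] for v in values if v in role_map})
```

A user outside the group, or a group whose cn is absent from the map, yields an empty role list, which is the deny-by-default outcome a reviewer should expect.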

Results

When the LDAP-authenticated user graham attempts to perform an action on the integration node or integration server, the search defined by ldapAuthorizeUrl confirms that the LDAP group with distinguished name cn=administrator,ou=groups,o=iib is authorized for the role adminRole in IBM Integration Bus. Because graham is a member of that group, permission to perform the action is granted.