Authorizing multiple LDAP groups to have roles in IBM Integration Bus

Authorize multiple LDAP groups to have roles in IBM® Integration Bus by setting values for the ldapAuthorizeUrl property in the ldap.auth.yaml web administration server security configuration file.

Before you begin

Ensure that you have set admin security authorization file permissions as required for roles in IBM Integration Bus and that you have completed any required mapping of LDAP attribute values to names of roles in IBM Integration Bus. See Configuring authorization by using LDAP groups.

About this task

The example described in this topic illustrates how to authorize multiple LDAP groups to have roles in IBM Integration Bus. The example refers to an LDAP-authenticated user, martin, who is a member of two groups in LDAP, with the distinguished names (dn) cn=administrator,ou=groups,o=iib and cn=viewer,ou=groups,o=iib, as shown in the following LDAP entries:

 dn: cn=martin,ou=users,o=iib
 objectClass: person
 cn: martin

 dn: cn=administrator,ou=groups,o=iib
 objectClass: groupOfNames
 cn: administrator
 member: cn=graham,ou=users,o=iib
 member: cn=martin,ou=users,o=iib

 dn: cn=viewer,ou=groups,o=iib
 objectClass: groupOfNames
 cn: viewer
 member: cn=graham,ou=users,o=iib
 member: cn=martin,ou=users,o=iib

Procedure

  1. Configure the group search. To authorize the LDAP group cn=administrator,ou=groups,o=iib to have the role adminRole, and the LDAP group cn=viewer,ou=groups,o=iib to have the role viewRole, first set ldapAuthorizeUrl in the ldap.auth.yaml web administration server security file so that the search returns the cn of every group that the authenticated user belongs to, as shown in the following example:
    ldapAuthorizeUrl: ldap://localhost:10389/ou=groups,o=iib?cn?sub?(member={{dn}})

    The URL has the form ldap://server:port/baseDN?attr_name?scope?filter_expr, where:
    • localhost is the LDAP server
    • 10389 is the port
    • ou=groups,o=iib is the baseDN, the distinguished name at which the search starts
    • cn is the attr_name, the attribute whose values are returned for each matching group and then looked up in LdapAuthorizeAttributeToRoleMap (step 2)
    • sub is the search scope: the baseDN and every entry beneath it are searched
    • (member={{dn}}) is the filter_expr; {{dn}} is replaced by the distinguished name of the authenticated user, so the search matches each group that lists that user as a member
  2. Map the LDAP attribute values returned by the search (here, the cn of each group) to the roles in IBM Integration Bus by updating the Security: section in the ldap.auth.yaml file as shown in the following example:
    Security:
      LdapAuthorizeAttributeToRoleMap:
        'administrator': 'adminRole'
        'viewer': 'viewRole'
  3. Save the modified file.
  4. Restart the integration node or integration server, as appropriate, for the changes to take effect.
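The following Python script is an added example and is not IBM code or part of this topic. It replays the lookup that steps 1 and 2 configure: it splits ldapAuthorizeUrl into the parts listed in step 1, substitutes {{dn}} with the DN of the authenticating user, evaluates the (member=...) filter with subtree scope against an in-memory copy of the directory entries shown above, and applies LdapAuthorizeAttributeToRoleMap. It lets you check a mapping offline before restarting the node. Assumptions not taken from the topic: only equality filters of the form (attr=value) are evaluated; the DN is escaped per RFC 4515 before substitution as a defensive measure (the topic does not say how the product performs the substitution); the YAML map is written as a Python dict; and one extra group, auditor, is constructed to show that membership of a group whose cn is not in the map confers no role.

```python
"""Offline replay of IBM Integration Bus LDAP group authorization (added example, not IBM code).

Re-creates the lookup described by ldapAuthorizeUrl and LdapAuthorizeAttributeToRoleMap
against an in-memory directory. Assumptions: only (attr=value) filters are handled,
and the YAML map is expressed as a dict.
"""
import re
from urllib.parse import urlsplit, unquote

# ldapAuthorizeUrl from ldap.auth.yaml, copied from step 1.
LDAP_AUTHORIZE_URL = "ldap://localhost:10389/ou=groups,o=iib?cn?sub?(member={{dn}})"

# The Security: LdapAuthorizeAttributeToRoleMap section from step 2, as a dict.
LDAP_AUTHORIZE_ATTRIBUTE_TO_ROLE_MAP = {
    "administrator": "adminRole",
    "viewer": "viewRole",
}

# Constructed sample directory: the entries from this topic plus an 'auditor' group
# (assumption, not in the topic) whose cn has no entry in the role map.
# Attribute names are lowercased because LDAP treats them case-insensitively.
DIRECTORY = [
    {"dn": "cn=martin,ou=users,o=iib", "objectclass": ["person"], "cn": ["martin"]},
    {"dn": "cn=graham,ou=users,o=iib", "objectclass": ["person"], "cn": ["graham"]},
    {"dn": "cn=administrator,ou=groups,o=iib", "objectclass": ["groupOfNames"],
     "cn": ["administrator"],
     "member": ["cn=graham,ou=users,o=iib", "cn=martin,ou=users,o=iib"]},
    {"dn": "cn=viewer,ou=groups,o=iib", "objectclass": ["groupOfNames"],
     "cn": ["viewer"],
     "member": ["cn=graham,ou=users,o=iib", "cn=martin,ou=users,o=iib"]},
    {"dn": "cn=auditor,ou=groups,o=iib", "objectclass": ["groupOfNames"],
     "cn": ["auditor"], "member": ["cn=martin,ou=users,o=iib"]},
]


def parse_ldap_url(url):
    """Split an RFC 4516 LDAP URL into (host, port, base_dn, attr_name, scope, filter_expr)."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError("not an LDAP URL: %s" % url)
    base_dn = unquote(parts.path.lstrip("/"))
    # The query carries attributes?scope?filter; absent fields take the RFC defaults.
    fields = parts.query.split("?") + ["", "", ""]
    attr_name = fields[0] or "*"
    scope = fields[1] or "base"
    filter_expr = unquote(fields[2]) or "(objectClass=*)"
    return parts.hostname, parts.port, base_dn, attr_name, scope, filter_expr


def escape_filter_value(value):
    """Escape RFC 4515 metacharacters so a substituted DN cannot change the filter's structure."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def substitute_dn(filter_expr, user_dn):
    """Replace the {{dn}} placeholder with the (escaped) DN of the authenticated user."""
    return filter_expr.replace("{{dn}}", escape_filter_value(user_dn))


def parse_equality_filter(filter_expr):
    """Parse '(attr=value)' into (attr, value), decoding \\xx escapes in the value."""
    m = re.fullmatch(r"\(([A-Za-z][A-Za-z0-9.;-]*)=(.*)\)", filter_expr)
    if not m:
        raise ValueError("only equality filters are supported: %s" % filter_expr)
    value = re.sub(r"\\([0-9A-Fa-f]{2})", lambda h: chr(int(h.group(1), 16)), m.group(2))
    return m.group(1).lower(), value


def normalize_dn(dn):
    """Case-fold a DN and drop whitespace around commas (sufficient for this example)."""
    return ",".join(p.strip() for p in dn.split(",")).lower()


def in_scope(entry_dn, base_dn, scope):
    """URL scope: base = the baseDN only, one = its direct children, sub = baseDN and all beneath it."""
    e, b = normalize_dn(entry_dn), normalize_dn(base_dn)
    if scope == "base":
        return e == b
    if scope == "one":
        return e.endswith("," + b) and "," not in e[: -len(b) - 1]
    if scope == "sub":
        return e == b or e.endswith("," + b)
    raise ValueError("unknown scope: %s" % scope)


def search(directory, base_dn, scope, attr, value, attr_name):
    """Return attr_name values from every in-scope entry whose attr contains value."""
    wanted = normalize_dn(value)
    hits = []
    for entry in directory:
        if not in_scope(entry["dn"], base_dn, scope):
            continue
        if any(normalize_dn(v) == wanted for v in entry.get(attr, [])):
            hits.extend(entry.get(attr_name.lower(), []))
    return hits


def roles_for_user(user_dn, url=LDAP_AUTHORIZE_URL,
                   role_map=LDAP_AUTHORIZE_ATTRIBUTE_TO_ROLE_MAP, directory=DIRECTORY):
    """Groups the user belongs to -> their cn values -> roles; unmapped cn values confer nothing."""
    _host, _port, base_dn, attr_name, scope, filter_expr = parse_ldap_url(url)
    attr, value = parse_equality_filter(substitute_dn(filter_expr, user_dn))
    group_names = search(directory, base_dn, scope, attr, value, attr_name)
    return sorted({role_map[g] for g in group_names if g in role_map})


if __name__ == "__main__":
    for dn in ("cn=martin,ou=users,o=iib", "cn=nobody,ou=users,o=iib"):
        print(dn, "->", roles_for_user(dn) or "no roles")
```

Running the script reports both adminRole and viewRole for martin (his auditor membership is returned by the search but is silently dropped because auditor is not in the map) and no roles for a DN that is not a member of any group under ou=groups,o=iib. The page's URL uses plain ldap:// to localhost; the same parser accepts ldaps://, which is what you would use for a directory on another host.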

Results

When the LDAP-authenticated user martin attempts to carry out an action on the integration node or integration server, the search defined by ldapAuthorizeUrl returns the cn of each group under ou=groups,o=iib that lists cn=martin,ou=users,o=iib as a member: administrator and viewer. LdapAuthorizeAttributeToRoleMap maps administrator to adminRole and viewer to viewRole, so martin is granted the permissions that were set for the role viewRole and, because he is also a member of cn=administrator,ou=groups,o=iib, the permissions that were set for the role adminRole. Membership of a group whose cn has no entry in LdapAuthorizeAttributeToRoleMap grants no role.