...

Members of the testusers group then have only the right to read the configuration, not to update it.

LDAP Based Access Control

LDAP based access control is done by setting the access.controller configuration property to AccessControlListLDAPImpl. This access controller retrieves user and group information from an LDAP server, while the ACL information binding those users and groups to Ceptor administration permissions is read from the file named by the access.control.configuration property.

An example of the configuration could be:

Code Block
		<group name="security" description="security configuration">
			<property name="access.control.configuration" value="${ceptor.home}/config/ceptor-security-ldap.xml" description="access control definitions"/>
			<property name="access.controller" value="dk.itp.security.accesscontrol.AccessControlListLDAPImpl" description="config server access controller implementation"/>
			<property name="remote.servers" value="localhost,192.168.255.255,10.255.255.255" description="allowed remote servers, host:port separated by ,;"/>
		</group>
		<group name="ldap" description="LDAP configuration">
			<property name="ldap.basedn" value="dc=adtest,dc=net" description="The base DN to use"/>
			<property name="ldap.bindUsers" value="true"/>			
			<property name="ldap.searchFirstThenBind" value="true" description="Search the user through ldap.useridName first - and then bind then DN"/>
			<property name="ldap.protocolVersion" value="3"/>
			<property name="ldap.servers" value="adtest.net:389" description="The list of LDAP servers to use"/>
			<property name="ldap.systempassword" value="<password>" description="The password for the system user"/>
			<property name="ldap.systemuser" value="cn=Administrator,cn=Users,dc=adtest,dc=net" description="The system user to bind to LDAP"/>
			<property name="ldap.useridName" value="anr" description="The search criteria for user search"/>
			<property name="ldap.usersRDN" value="cn=Users"/>
			<property name="ldap.usersRDNName" value="cn=Users" description="RDN Name in the subtree that users are stored under"/>
		</group>

As can be seen, the LDAP access controller implementation naturally requires some LDAP configuration. This is the same configuration as described under LDAP Authentication Properties, so look on that page for details; the above only serves as an example configuration. Note that ldap.systemuser only needs rights to search the directory for users and group memberships; the example binds as Administrator for simplicity, but a dedicated, least-privileged service account should be used, since its password is stored in clear text in ldap.systempassword.

The XML configuration file only needs to contain ACLs (it can contain users and groups as well, but these are ignored, since users and groups come from LDAP).

An example can be found in the default installation directory: <CEPTOR_HOME>/config/ceptor-security-ldap.xml, where <CEPTOR_HOME> is the directory in which Ceptor is installed.

Code Block
<?xml version="1.0" encoding="ISO-8859-1"?>

<system name="ceptor" version="2.0" copyright="(c) 2017, Asseco Denmark A/S">
	<security-acls>
		<acl name="web.*" description="">
			<permission principal="CN=admin,DC=adtest,DC=net" allow="*" description="Allow administrator everything"/>
			<permission principal="CN=readonly,DC=adtest,DC=net" allow="read" description="Only read access is allowed"/>
		</acl>
		<acl name="web.collected-statistics-management.interval" description="">
			<permission principal="CN=readonly,DC=adtest,DC=net" allow="read,write" description="Read and write access is allowed"/>
		</acl>
		<acl name="web.collected-statistics-management.functions" description="">
			<permission principal="CN=readonly,DC=adtest,DC=net" allow="read,write" description="Read and write access is allowed"/>
		</acl>
		<acl name="web.collected-statistics-management.servers" description="">
			<permission principal="CN=readonly,DC=adtest,DC=net" allow="read,write" description="Read and write access is allowed"/>
		</acl>
		<acl name="telnet.*" description="">
			<permission principal="CN=admin,DC=adtest,DC=net" allow="*" description="Allow administrator everything"/>
		</acl>
		<acl name="ppadmin.*" description="">
			<permission principal="CN=admin,DC=adtest,DC=net" allow="*" description="Allow administrator everything"/>
			<permission principal="CN=readonly,DC=adtest,DC=net" allow="read" description="Only read access is allowed"/>
		</acl>
	</security-acls>
</system>

Each permission in an ACL is bound to a principal, which should be the DN of an LDAP entry (a group or a user). Normally a group is used, as in the example above, where the LDAP security groups admin and readonly are bound to the appropriate ACLs. Note that the example also grants the readonly group read,write on the three web.collected-statistics-management.* ACLs, in addition to the read it gets from web.*, so anyone in readonly can change those settings; when copying the example, check that every allow list reflects the rights you actually intend to give.

Information on how to create and update rights on an ACL can be found in the section above on this page.
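The following is an added audit script, not Ceptor's own code, that parses an ACL file of the shape shown above and answers "which rights does a user holding these LDAP DNs have on this configuration key?" as well as "which principals have been given write anywhere?". The matching rules it uses are assumptions for the sake of the example, since the page does not describe Ceptor's precedence: ACL names are treated as glob patterns (so web.* covers web.collected-statistics-management.interval), a principal's effective rights on a resource are the union of the allow lists of every matching ACL, allow="*" means every right, and DNs are compared case-insensitively. The embedded ACL XML is a constructed sample mirroring the example file.

```python
"""Audit a Ceptor-style LDAP ACL file (ceptor-security-ldap.xml).

Added example, not Ceptor's own code. Assumptions (not documented on the page):
  - ACL names are glob patterns matched against a resource name with fnmatch;
  - effective rights on a resource are the UNION of every matching ACL's allow list;
  - allow="*" grants every right;
  - principal DNs are compared case-insensitively, ignoring whitespace around commas.
"""
import fnmatch
import xml.etree.ElementTree as ET

# Constructed sample with the same structure as the page's example file.
SAMPLE_ACL_XML = """<system name="ceptor" version="2.0">
  <security-acls>
    <acl name="web.*">
      <permission principal="CN=admin,DC=adtest,DC=net" allow="*"/>
      <permission principal="CN=readonly,DC=adtest,DC=net" allow="read"/>
    </acl>
    <acl name="web.collected-statistics-management.interval">
      <permission principal="CN=readonly,DC=adtest,DC=net" allow="read,write"/>
    </acl>
    <acl name="telnet.*">
      <permission principal="CN=admin,DC=adtest,DC=net" allow="*"/>
    </acl>
    <acl name="ppadmin.*">
      <permission principal="CN=admin,DC=adtest,DC=net" allow="*"/>
      <permission principal="CN=readonly,DC=adtest,DC=net" allow="read"/>
    </acl>
  </security-acls>
</system>
"""

ALL_RIGHTS = "*"


def norm_dn(dn):
    """Canonical form for comparing DNs (assumed rule: lower-case, trimmed RDNs)."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def parse_acls(xml_text):
    """Return a list of (acl_name, {principal_dn: set_of_rights}) from the ACL XML."""
    root = ET.fromstring(xml_text)
    acls = []
    for acl in root.iter("acl"):
        grants = {}
        for perm in acl.findall("permission"):
            rights = {r.strip() for r in perm.get("allow", "").split(",") if r.strip()}
            grants.setdefault(norm_dn(perm.get("principal", "")), set()).update(rights)
        acls.append((acl.get("name"), grants))
    return acls


def matching_acls(acls, resource):
    """ACLs whose (glob) name matches the resource name, e.g. web.* matches web.x.y."""
    return [(name, grants) for name, grants in acls if fnmatch.fnmatchcase(resource, name)]


def effective_rights(acls, principal_dns, resource):
    """Union of rights granted to any of the user's DNs (user DN plus group DNs)."""
    wanted = {norm_dn(d) for d in principal_dns}
    rights = set()
    for _, grants in matching_acls(acls, resource):
        for dn, granted in grants.items():
            if dn in wanted:
                rights |= granted
    return rights


def can(acls, principal_dns, resource, right):
    """True if the user holds `right` (or the '*' wildcard) on `resource`."""
    rights = effective_rights(acls, principal_dns, resource)
    return ALL_RIGHTS in rights or right in rights


def audit_write_grants(acls):
    """Map each principal to the ACL names that give it write (or '*') access."""
    report = {}
    for name, grants in acls:
        for dn, granted in grants.items():
            if ALL_RIGHTS in granted or "write" in granted:
                report.setdefault(dn, []).append(name)
    return report


if __name__ == "__main__":
    acls = parse_acls(SAMPLE_ACL_XML)
    for dn, names in sorted(audit_write_grants(acls).items()):
        print(f"{dn}: write via {', '.join(names)}")
    readonly = ["CN=readonly,DC=adtest,DC=net"]
    print("readonly can write interval:",
          can(acls, readonly, "web.collected-statistics-management.interval", "write"))
```

Run the audit against the real <CEPTOR_HOME>/config/ceptor-security-ldap.xml (load it with open(...).read() instead of the sample) after every change to the file; any principal other than the administrators' group showing up in the write report deserves a second look.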


Extending or Changing the User Model

...