How to make Gravitee do a recursive group lookup

I have set up Gravitee APIM 3.x (gateway, rest-api, console and portal). This works fine. When trying to replace the in-memory authentication with LDAP (FreeIPA) authentication, I was able to get the service to log users in, but they are not assigned any roles.

The reason is that it uses the user's full DN in the memberUid field, which only contains the username.

@abbra's comment made me realize that I forgot how my groups are organised. We have a set of base groups, call them roles, and these roles are members of different groups. So when Gravitee looks up the member field in a group under cn=groups,cn=accounts,dc=somedomain,dc=com, it will reference another group dn which contains the full user in its member field.

So now the question is: how do I make the group lookup recursive in Gravitee? Is that possible, or do I have to add every member to the group explicitly?

How can I solve this? My original question is crossed out.

Feb 04 16:27:46 somehost.somedomain.com gravitee[22030]: 16:27:46.646 [gravitee-listener-44] DEBUG o.s.s.l.u.DefaultLdapAuthoritiesPopulator - Searching for roles for user 'my_user', DN = 'uid=my_user,cn=users,cn=accounts,dc=somedomain,dc=com', with filter (&(objectClass=posixGroup)(memberUid={0})) in search base 'cn=groups,cn=compat'
Feb 04 16:27:46 somehost.somedomain.com gravitee[22030]: 16:27:46.647 [gravitee-listener-44] DEBUG o.s.s.l.SpringSecurityLdapTemplate - Using filter: (&(objectClass=posixGroup)(memberUid=uid=my_user,cn=users,cn=accounts,dc=somedomain,dc=com))
Feb 04 16:27:46 somehost.somedomain.com gravitee[22030]: 16:27:46.713 [gravitee-listener-44] DEBUG o.s.s.l.u.DefaultLdapAuthoritiesPopulator - Roles from search: []

I created 4 groups in IPA, corresponding to the user, admin, publisher and consumer roles. Each group has members, and I can search manually with ldapsearch to confirm that this should work if Gravitee used the uid instead of the whole DN.

security:
  # When using an authentication providers, use trustAll mode for TLS connections
  trustAll: true
  providers:  # authentication providers
    - type: ldap
      context:
        username: ""
        password: ""
        url: "ldaps://<LDAP_SERVER_HOSTNAME>:<LDAP_PORT>/dc=somedomain,dc=com"
        base: "dc=somedomain,dc=com"
      authentication:
        user:
          # Search base for user authentication. Defaults to "". Only used with user filter.
          # It should be relative to the Base DN. If the whole DN is o=user accounts,c=io,o=gravitee then the base should be like this:
          base: "cn=users,cn=accounts"
          # The LDAP filter used to search for user during authentication. For example "(uid={0})". The substituted parameter is the user's login name.
          filter: "(&(objectClass=posixAccount)(uid={0}))"
          # Specifies the attribute name which contains the user photo (URL or binary)
          #photo-attribute: "jpegPhoto"
        group:
          # Search base for groups searches. Defaults to "". Only used with group filter.
          # It should be relative to the Base DN. If the whole DN is o=authorization groups,c=io,o=gravitee then the base should be like this:
          base: "cn=groups,cn=compat"
          filter: "(&(objectClass=posixGroup)(memberUid={0}))"
          role:
            attribute: "cn"
            mapper: {
              gt_consumer: API_CONSUMER,
              gt_publisher: API_PUBLISHER,
              gt_admins: ADMIN,
              gt_users: USER
            }
      lookup:
        # allow search results to display the user email. Be careful, It may be contrary to the user privacy.
        allow-email-in-search-results: true
        user:
          # Search base for user searches. Defaults to "". Only used with user filter.
          # It should be relative to the Base DN. If the whole DN is o=user accounts,c=io,o=gravitee then the base should be like this:
          base: "cn=users,cn=accounts"
          # The LDAP filter used to search for user during authentication. For example "(uid={0})". The substituted parameter is the user's login name.
          filter: "(&(objectClass=posixAccount)(uid={0}))"

Answer 1

The memberUid attribute by definition contains only the uid itself. If you need the full DN, you should use the member attribute in the group entries and memberOf in the user entries.

I recommend avoiding the compat tree wherever possible. Definitely do not mix the compat subtree with the normal subtree. Use cn=accounts,dc=somedomain,dc=com as the base DN, then cn=groups as the group base tree and cn=users as the user base tree.
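The log in the question and the answer above describe two different lookups: a single-level search of the compat tree, where memberUid holds bare uids, and a walk of the normal tree, where member holds full DNs and one group can be a member of another. The following Python is an added example, not Gravitee's, Spring Security's or FreeIPA's code. It models a small constructed directory in memory (the entry DNs, the dev_team group and the role mapper values are assumptions matching the question) and shows, first, why the filter from the log returns [] when the full DN is substituted, and second, what a recursive resolver over the member attribute has to do, including stopping on group cycles. Whether Gravitee itself can be configured to do the second lookup is not settled on this page; the example only shows what such a lookup looks like.

```python
"""Single-level memberUid search versus recursive member-attribute resolution.

Added example, not code from Gravitee, Spring Security or FreeIPA. The
DIRECTORY below is a constructed stand-in for the two FreeIPA subtrees named
in the question: cn=groups,cn=compat (posixGroup with memberUid = bare uid)
and cn=groups,cn=accounts (groups whose member attribute holds full DNs and
may point at other groups). Group names and the dev_team group are assumptions.
"""
from typing import Dict, List, Set

BASE_DN = "dc=somedomain,dc=com"
COMPAT_GROUPS = "cn=groups,cn=compat," + BASE_DN      # base from the question's config
ACCOUNTS_GROUPS = "cn=groups,cn=accounts," + BASE_DN  # base suggested in the answer
USER_DN = "uid=my_user,cn=users,cn=accounts," + BASE_DN

# Constructed directory: dn -> attribute -> list of values.
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    USER_DN: {"objectClass": ["posixAccount"], "uid": ["my_user"]},
    # Compat tree: memberUid is by definition the bare uid, never a DN.
    "cn=gt_publisher," + COMPAT_GROUPS: {
        "objectClass": ["posixGroup"], "cn": ["gt_publisher"], "memberUid": ["my_user"],
    },
    # Normal tree: the role group contains another group, not the user directly.
    "cn=gt_publisher," + ACCOUNTS_GROUPS: {
        "objectClass": ["posixGroup", "groupOfNames"], "cn": ["gt_publisher"],
        "member": ["cn=dev_team," + ACCOUNTS_GROUPS],
    },
    # dev_team lists the user by full DN and (a constructed cycle) its parent group.
    "cn=dev_team," + ACCOUNTS_GROUPS: {
        "objectClass": ["posixGroup", "groupOfNames"], "cn": ["dev_team"],
        "member": [USER_DN, "cn=gt_publisher," + ACCOUNTS_GROUPS],
    },
}

# Mapper copied from the question's config (group cn -> Gravitee role).
ROLE_MAPPER = {"gt_consumer": "API_CONSUMER", "gt_publisher": "API_PUBLISHER",
               "gt_admins": "ADMIN", "gt_users": "USER"}


def search_groups(base: str, attr: str, value: str) -> List[str]:
    """Model of the filter (&(objectClass=posixGroup)(<attr>=<value>)) under a base:
    returns the cn of every matching group, one level only, no recursion."""
    return sorted(
        entry["cn"][0]
        for dn, entry in DIRECTORY.items()
        if dn.endswith("," + base)
        and "posixGroup" in entry.get("objectClass", [])
        and value in entry.get(attr, [])
    )


def compat_lookup(substituted: str) -> List[str]:
    """What the log shows: memberUid={0} with {0} replaced by the given value."""
    return search_groups(COMPAT_GROUPS, "memberUid", substituted)


def nested_groups(member_dn: str, base: str = ACCOUNTS_GROUPS) -> Set[str]:
    """Recursive resolution over the member attribute: groups that list
    member_dn directly, then groups that list those groups, and so on.
    The visited set (found) stops on cycles such as the one in DIRECTORY."""
    found: Set[str] = set()
    pending = [member_dn]
    while pending:
        dn = pending.pop()
        for group_dn, entry in DIRECTORY.items():
            if (group_dn.endswith("," + base)
                    and dn in entry.get("member", [])
                    and group_dn not in found):
                found.add(group_dn)
                pending.append(group_dn)
    return {DIRECTORY[g]["cn"][0] for g in found}


def roles_for(user_dn: str) -> List[str]:
    """Apply the role mapper to every group the user is transitively in."""
    return sorted(ROLE_MAPPER[cn] for cn in nested_groups(user_dn) if cn in ROLE_MAPPER)


if __name__ == "__main__":
    print("full DN in memberUid ->", compat_lookup(USER_DN))   # [] as in the log
    print("bare uid in memberUid ->", compat_lookup("my_user"))
    print("nested groups ->", sorted(nested_groups(USER_DN)))
    print("roles ->", roles_for(USER_DN))
```

The first call reproduces the "Roles from search: []" line from the log: the compat entry holds the uid "my_user", so a filter carrying the full DN can never match it. The recursive walk is what would be needed for the normal tree, where gt_publisher only reaches my_user through dev_team; the visited set matters because FreeIPA group nesting can form cycles, and a resolver without it would never terminate.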
