Summary
To be able to log in to IM and do either self-service or delegated administration, you need to authenticate and have one or more roles assigned.
With IM 5.2.0 we rewrote the role handling and added a new way to work with roles. This covers many more ways to assign a role and also greatly improves the use of nested groups when assigning roles.
With the LDAP query-based role selector you assign an IM role based on an LDAP query.
The LDAP query-based role selector checks whether the authenticated user matches the LDAP query configured in the IM role. This check is done for each IM role.
Some examples:
- Assign roles to LDAP groups (the most common way in previous versions of IM). Many IM implementations use Active Directory groups to assign IM roles. This is still supported and will probably remain the most common way to assign roles, but you will need to adjust your configuration slightly to use the new way.
- Assign a role to any user having a specific value in an attribute, for example title=Sales.
- Active Directory (AD) supports queries that look for users in nested groups.
System Requirements
- PhenixID Identity Manager (IM) 5.2.0 or later.
Configuration
Configure LDAP query-based
Open DSEditor.properties.
Add the following text at the bottom of the file:
# Settings for role selector
ROLESELECTOR_CLASS=se.nordicedge.rolemanagement.LDAPBasedRoleSelector
Save DSEditor.properties and restart the IM service.
Assign a role to a user
Open the DSEditor.properties of the role you want to assign to users.
Add the following text. This example maps the role to all members of the PhenixID_ServiceDesk_Role group (see more examples in the next section):
# Group in LDAP Directory that will be associated with this role.
AUTH_ROLE_QUERY=memberOf=CN=PhenixID_ServiceDesk_Role,OU=Roles,OU=Demo_IM_Roles,DC=phenixid2019,DC=local
Examples
Assign an IM role to a user using LDAP groups. This was the most common way in previous versions of IM. It is now expressed as a new policy: you add the attribute and value that is present on the user.
Example 1 – Member of group
Map a role to a group called ServiceDesk
AUTH_ROLE_QUERY=memberOf=CN=ServiceDesk,OU=Roles,OU=Demo_IM_Roles,DC=phenixid2019,DC=local
Example 2 – Attribute value
Map a role to users whose title attribute equals A
AUTH_ROLE_QUERY=title=A
Example 3 – LDAP query using wildcard
Map a role to users whose title attribute contains A
AUTH_ROLE_QUERY=title=*A*
Note: "starts with" would be title=A* and "ends with" would be title=*A
Example 4 – LDAP query using OR
Map a role to users whose title attribute equals A OR B
AUTH_ROLE_QUERY=(|(title=A)(title=B))
Example 5 – LDAP query using AND
Map a role to users whose title attribute equals A AND whose carLicense attribute equals B
AUTH_ROLE_QUERY=(&(title=A)(carLicense=B))
Example 6 – LDAP query using AND and OR
Map a role to users whose title attribute equals A OR B and who are members of the group ServiceDesk.
AUTH_ROLE_QUERY=(&(|(title=A)(title=B))(memberOf=CN=ServiceDesk,OU=Roles,OU=Demo_IM_Roles,DC=phenixid2019,DC=local))
Example 7 – LDAP query using wildcard and AND
Map a role to users whose title attribute contains manager and who are members of the group ServiceDesk.
AUTH_ROLE_QUERY=(&(title=*manager*)(memberOf=CN=ServiceDesk,OU=Roles,OU=Demo_IM_Roles,DC=phenixid2019,DC=local))
Nested groups
If your AUTH_ROLE_QUERY refers to a group that the user is NOT a direct member of, but only an indirect member of because the user belongs to a group that is itself a member of the AUTH_ROLE_QUERY group, then you need to add a somewhat odd-looking filter element, 1.2.840.113556.1.4.1941. This is the OID of the Active Directory matching rule called LDAP_MATCHING_RULE_IN_CHAIN, which makes the directory follow the group chain.
See the example below.
Example 8 – Nested groups
AUTH_ROLE_QUERY=memberOf:1.2.840.113556.1.4.1941:=CN=Nested_Group_1,OU=Roles,OU=Demo_IM_Roles,DC=phenixid2019,DC=local
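Added example, not part of the PhenixID article or product: a small evaluator for the subset of LDAP filter syntax used in the AUTH_ROLE_QUERY examples above (bare attr=value, (&...)/(|...), * wildcards, and the memberOf:1.2.840.113556.1.4.1941: chain rule from Example 8), so a query can be checked against a user's attributes offline before it goes into DSEditor.properties. The user attributes and the group-nesting map are constructed sample data; a real directory resolves the chain rule itself.

```python
import re

IN_CHAIN = "1.2.840.113556.1.4.1941"   # LDAP_MATCHING_RULE_IN_CHAIN

def parse(s, i=0):
    """Parse one filter element starting at s[i]; return (node, next index)."""
    if s[i] != "(":                        # bare "attr=value" form (Examples 1-3)
        return parse("(" + s + ")")[0], len(s)
    i += 1
    if s[i] in "&|":                       # (&...) / (|...) with any number of children
        op, i, kids = s[i], i + 1, []
        while s[i] == "(":
            node, i = parse(s, i)
            kids.append(node)
        return (op, kids), i + 1           # skip the closing ")"
    end = s.index(")", i)                  # simple item; group DNs contain no ")"
    attr, value = s[i:end].split("=", 1)   # first "=" splits attr from value; DN keeps its "="
    return ("=", attr.lower(), value), end + 1

def wild(pattern, value):
    """LDAP '*' wildcard match, case-insensitive like Active Directory."""
    rx = ".*".join(re.escape(p) for p in pattern.split("*"))
    return re.fullmatch(rx, value, re.IGNORECASE) is not None

def transitive_groups(direct, parents):
    """Expand direct memberOf values through parents[group] -> groups it belongs to."""
    seen, todo = set(), list(direct)
    while todo:
        g = todo.pop()
        if g not in seen:
            seen.add(g)
            todo.extend(parents.get(g, ()))
    return seen

def matches(node, user, parents):
    if node[0] in "&|":
        combine = all if node[0] == "&" else any
        return combine(matches(k, user, parents) for k in node[1])
    _, attr, value = node
    if attr == f"memberof:{IN_CHAIN}:":     # Example 8: follow nested groups
        values = transitive_groups(user.get("memberof", []), parents)
    else:
        values = user.get(attr, [])        # plain memberOf only sees direct membership
    return any(wild(value, v) for v in values)

def role_matches(query, user, parents=None):
    """True if a user with these attributes would be given the role guarded by query."""
    user = {k.lower(): list(v) for k, v in user.items()}   # attribute names are case-insensitive
    return matches(parse(query)[0], user, parents or {})
```

Running Example 1 (plain memberOf) and Example 8 (chain rule) against the same user shows why the plain form does not grant the role through a nested group.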
Upgrading from earlier version of IM
Open DSEditor.properties.
If you have been using roles in previous versions of IM, your DSEditor.properties will probably look something like this:
# Settings for role selector
NordicEdge_USE_ROLESELECTION=true
ROLESELECTOR_CLASS=se.nordicedge.rolemanagement.FileBasedRoleSelector
USE_DEFAULT_ROLE_MANAGEMENT=false
Remove or comment out the lines above and replace them with:
# Settings for role selector
ROLESELECTOR_CLASS=se.nordicedge.rolemanagement.LDAPBasedRoleSelector
If the following two rows exist in your DSEditor.properties, they can be removed since they are no longer used:
# What attribute is used to map users to a role
GROUPMEMBER_ATTRIBUTE=memberOf
Assign a role to a user after upgrade
The following shows how to replace the old way of assigning roles with the new way. As an example I use an LDAP group assigned to an IM role.
Open the DSEditor.properties of the role you want to assign to users.
If you have been using roles in previous versions of IM, your DSEditor.properties will probably look something like this:
# Group in LDAP Directory that will be associated with this role.
MEMBER=CN=PhenixID_GroupAdmin_Role,OU=Roles,OU=Demo_IM_Roles,DC=phenixid2019,DC=local
Replace the above with:
# Group in LDAP Directory that will be associated with this role.
AUTH_ROLE_QUERY=memberOf=CN=PhenixID_ServiceDesk_Role,OU=Roles,OU=Demo_IM_Roles,DC=phenixid2019,DC=local
DISCLAIMER
Information provided in this document is for your information only. PhenixID makes no explicit or implied claims to the validity of this information. Any trademarks referenced in this document are the property of their respective owners. The origin of this information may be internal or external to PhenixID. PhenixID makes all reasonable efforts to verify this information.
PhenixID - support.phenixid.se