Repository: incubator-brooklyn Updated Branches: refs/heads/master 8cdb16666 -> f5f01268b
LDAP authentication doc - added an example brooklyn.properties Project: http://git-wip-us.apache.org/repos/asf/incubator-brooklyn/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-brooklyn/commit/418a202a Tree: http://git-wip-us.apache.org/repos/asf/incubator-brooklyn/tree/418a202a Diff: http://git-wip-us.apache.org/repos/asf/incubator-brooklyn/diff/418a202a Branch: refs/heads/master Commit: 418a202ad84f153063ff29e95cff2f3dd00b9e5d Parents: 8cdb166 Author: Valentin Aitken <[email protected]> Authored: Fri Jul 31 15:21:49 2015 +0300 Committer: Valentin Aitken <[email protected]> Committed: Fri Jul 31 18:24:33 2015 +0300 ---------------------------------------------------------------------- docs/guide/ops/brooklyn_properties.md | 38 ++++++++++++++++---- .../security/provider/LdapSecurityProvider.java | 8 ++++- 2 files changed, 38 insertions(+), 8 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-brooklyn/blob/418a202a/docs/guide/ops/brooklyn_properties.md ---------------------------------------------------------------------- diff --git a/docs/guide/ops/brooklyn_properties.md b/docs/guide/ops/brooklyn_properties.md index 450252a..01d087e 100644 --- a/docs/guide/ops/brooklyn_properties.md +++ b/docs/guide/ops/brooklyn_properties.md 
@@ -102,14 +102,38 @@ each `<username>` specified in the `brooklyn.webconsole.security.users` list. Other security providers available include: -* **No one**: `brooklyn.webconsole.security.provider=brooklyn.rest.security.provider.BlackholeSecurityProvider` - will block all logins (e.g. if not using the web console) -* **No security**: `brooklyn.webconsole.security.provider=brooklyn.rest.security.provider.AnyoneSecurityProvider` - will allow logins with no credentials (e.g. in secure dev/test environments) -* **LDAP**: `brooklyn.webconsole.security.provider=brooklyn.rest.security.provider.LdapSecurityProvider` - will cause Brooklyn to call to an LDAP server to authenticate users; - `brooklyn.webconsole.security.ldap.{url,realm}` must also be set as `brooklyn.properties` +### No one +`brooklyn.webconsole.security.provider=brooklyn.rest.security.provider.BlackholeSecurityProvider` +will block all logins (e.g. if not using the web console) + +### No security + +`brooklyn.webconsole.security.provider=brooklyn.rest.security.provider.AnyoneSecurityProvider` +will allow logins with no credentials (e.g. 
in secure dev/test environments) + +### LDAP + +`brooklyn.webconsole.security.provider=brooklyn.rest.security.provider.LdapSecurityProvider` +will cause Brooklyn to call to an LDAP server to authenticate users; +The other things you need to set in `brooklyn.properties` are: + +* `brooklyn.webconsole.security.ldap.url` - ldap connection url +* `brooklyn.webconsole.security.ldap.realm` - ldap dc parameter (domain) +* `brooklyn.webconsole.security.ldap.ou` *optional, by default it set to Users* - ldap ou parameter + +**brooklyn.properties example configuration:** + +``` +brooklyn.webconsole.security.provider=brooklyn.rest.security.provider.LdapSecurityProvider +brooklyn.webconsole.security.ldap.url=ldap://localhost:10389/????X-BIND-USER=uid=admin%2cou=system,X-BIND-PASSWORD=secret,X-COUNT-LIMIT=1000 +brooklyn.webconsole.security.ldap.realm=example.com +``` + +After you setup the brooklyn connection to your LDAP server, you can authenticate in brooklyn using your cn (e.g. John Smith) and your password. +`brooklyn.rest.security.provider.LdapSecurityProvider` searches in the LDAP tree in LDAP://cn=John Smith,ou=Users,dc=example,dc=com + +If you want to customize the ldap path or something else which is particular to your LDAP setup you can extend `LdapSecurityProvider` class or implement from scratch the `SecurityProvider` interface. ## Entitlements http://git-wip-us.apache.org/repos/asf/incubator-brooklyn/blob/418a202a/usage/rest-server/src/main/java/brooklyn/rest/security/provider/LdapSecurityProvider.java ---------------------------------------------------------------------- diff --git a/usage/rest-server/src/main/java/brooklyn/rest/security/provider/LdapSecurityProvider.java b/usage/rest-server/src/main/java/brooklyn/rest/security/provider/LdapSecurityProvider.java index c8c10a1..328a4fd 100644 --- a/usage/rest-server/src/main/java/brooklyn/rest/security/provider/LdapSecurityProvider.java 
+++ b/usage/rest-server/src/main/java/brooklyn/rest/security/provider/LdapSecurityProvider.java @@ -100,7 +100,13 @@ public class LdapSecurityProvider extends AbstractSecurityProvider implements Se } } - private String getUserDN(String user) { + /** + * Returns the LDAP path for the user + * + * @param user + * @return String + */ + protected String getUserDN(String user) { List<String> domain = Lists.transform(Arrays.asList(ldapRealm.split("\\.")), new Function<String, String>() { @Override public String apply(String input) {
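Review bot: the example `brooklyn.webconsole.security.ldap.url` line in the new docs section puts the bind password in plain text inside `brooklyn.properties` (`X-BIND-USER=uid=admin%2cou=system,X-BIND-PASSWORD=secret`) on an unencrypted `ldap://` URL, so the docs should state that the file now holds a privileged credential and needs restrictive file permissions, and should show or at least mention an `ldaps://` URL, since with `ldap://` both the bind password and every web-console user's password cross the network in clear text. Two smaller points in the same hunk: `brooklyn.webconsole.security.ldap.ou` is documented as optional but does not appear in the example, so a reader cannot see how it combines with `realm` into the `ou=Users,dc=example,dc=com` path quoted below it, and the prose has typos ("by default it set to Users", "After you setup the brooklyn connection", "call to an LDAP server", "LDAP://cn=John Smith").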
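Review bot: the new Javadoc on `getUserDN` leaves `@param user` and `@return String` without any description, which matters now that the method changes from `private` to `protected` and becomes the extension point the docs hunk tells users to override; it should state what DN is built from `user` and `ldapRealm` (the docs hunk gives the shape `cn=John Smith,ou=Users,dc=example,dc=com`) and whether the user-supplied value is escaped before it is placed into the DN, because the visible lines only show `ldapRealm` being split on `.` into components and say nothing about how `user` is treated. `@return String` just repeats the type; something like `@return the distinguished name under which {@code user} is looked up` tells a subclass author what contract to keep.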
