
I have Liberty profile authentication working with MS Active Directory. But I am not able to set up a role mapping to a group.

I have created a security role in my web.xml:

<security-role>
    <description>Users who are authorized to do update and insert operations</description>
    <role-name>AuthorizedUser</role-name>
</security-role>

And for full WAS with wmm I have mapped the role to a group in ibm-application-bnd.xml which works:

<security-role name="AuthorizedUser" >
    <group name="mygroup" access-id="group:defaultWIMFileBasedRealm/CN=mygroup,OU=myorg,DC=mydomain,DC=AD,DC=myco,DC=com"/>
</security-role>

But this is not working with liberty profile.
Do I need to alter the access-id?

user1384440

3 Answers


The accessId must use exactly the same realm name as your user registry is configured to have. For example, if your registry is configured thusly:

<ldapRegistry realm="myLDAPRealm"/>

Then your accessId values must take on the same value:

<security-role name="AuthorizedUser" >
    <group name="mygroup" access-id="group:myLDAPRealm/..."/>
</security-role>

The default realm name for the LDAP registry is "LdapRegistry", and for reference, the default realm name for the basic registry is "BasicRegistry".

As AJ_R pointed out, you can remove the access-id field entirely and let the access-id be generated automatically. More often than not, specifying the access-id value manually is not necessary.

ppzq

The issue was because 'o' != 'O' in "memberOf"; I don't think this was case sensitive in TWAS.

Customizing the MS Active Directory groupMemberIdMap fixed the group searches:

<activedFilters groupMemberIdMap="memberOf:member"/>

user1384440
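Putting ppzq's point (the realm prefix in access-id must equal the registry's realm) together with the accepted fix (Active Directory's membership attribute is "memberOf" with a capital O), here is an added server.xml and ibm-application-bnd.xml pair; it is example configuration written for this page, not taken from the posts or from IBM. The realm, group and DN values are the ones used above; the host, the bind DN and the ${ldap.bind.password} variable are placeholders.

```xml
<!-- server.xml (Liberty). The realm attribute is the value every explicit
     access-id must repeat before the "/". Host, bindDN and the bind
     password variable are placeholders; use LDAPS in production. -->
<server>
    <featureManager>
        <feature>appSecurity-2.0</feature>
        <feature>ldapRegistry-3.0</feature>
    </featureManager>

    <ldapRegistry id="ad" realm="myLDAPRealm"
                  ldapType="Microsoft Active Directory"
                  host="ad.mydomain.example" port="389"
                  baseDN="DC=mydomain,DC=AD,DC=myco,DC=com"
                  bindDN="CN=libertybind,OU=myorg,DC=mydomain,DC=AD,DC=myco,DC=com"
                  bindPassword="${ldap.bind.password}">
        <!-- AD stores membership in "memberOf" (capital O). The attribute
             name is case sensitive here, so a lower-case "memberof" mapping
             returns no groups for the user and the role check fails. -->
        <activedFilters groupMemberIdMap="memberOf:member"/>
    </ldapRegistry>
</server>

<!-- ibm-application-bnd.xml. Once the realm names agree, the explicit
     access-id works; omitting access-id lets Liberty generate it from the
     registry realm, which is usually simpler. -->
<application-bnd xmlns="http://websphere.ibm.com/xml/ns/javaee"
                 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                 xsi:schemaLocation="http://websphere.ibm.com/xml/ns/javaee
                     http://websphere.ibm.com/xml/ns/javaee/ibm-application-bnd_1_0.xsd"
                 version="1.0">
    <security-role name="AuthorizedUser">
        <!-- realm prefix "myLDAPRealm" matches the ldapRegistry above; the
             full-profile value "group:defaultWIMFileBasedRealm/..." would not -->
        <group name="mygroup"
               access-id="group:myLDAPRealm/CN=mygroup,OU=myorg,DC=mydomain,DC=AD,DC=myco,DC=com"/>
    </security-role>
</application-bnd>
```

To confirm the mapping, log in as a member of mygroup and request a resource constrained to AuthorizedUser; a 403 with a successful login points at the group lookup (memberOf) rather than the realm name.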

Did you use the same realmName (defaultWIMFileBasedRealm) when configuring the MS Active Directory? You can also try removing the access-id (just use the group name) and let the Liberty server generate it using the realmName defined for the registry to see if that would help.

AJ_R