
I am trying to configure Apache Brooklyn to use the LDAPSecurityProvider against a Windows Active Directory.

I am testing the connection with Apache Directory Studio and it works with the provided credentials. [Screenshot of Apache Directory Studio and the LDAP tree] But when I configure Apache Brooklyn to use LDAP against the AD it does not work and creates no error logs.

My brooklyn property file is here:

brooklyn.webconsole.security.provider=org.apache.brooklyn.rest.security.provider.LdapSecurityProvider
brooklyn.webconsole.security.ldap.url=ldap://10.0.20.10:389/????X-BIND-USER=uid=StackAdmin%2cou=users,X-BIND-PASSWORD=Password123,X-COUNT-LIMIT=1000
brooklyn.webconsole.security.ldap.realm=example.com
Philipp

2 Answers


The LDAP support is documented at http://brooklyn.apache.org/v/latest/ops/brooklyn_properties.html#ldap - your example configuration looks good (very similar to that).

However, the docs say it will then construct something like:

LDAP://cn=John Smith,ou=Users,dc=example,dc=com

(With the "ou" value being configurable).

Looking at your screenshot, it seems you'd need something like that below (though it isn't expanded to see a full user example):

LDAP://cn=John Smith,cn=Users,dc=example,dc=com

Unfortunately that isn't currently supported in Brooklyn.

The workaround would be to store your users under "ou" instead.

The LDAP integration code is pretty simple (and low on logging): https://github.com/apache/incubator-brooklyn/blob/master/brooklyn-server/rest/rest-server/src/main/java/org/apache/brooklyn/rest/security/provider/LdapSecurityProvider.java

It would be reasonably easy to update the Java to support your use-case.

Do you want to either have a go at creating a pull request for that (https://github.com/apache/incubator-brooklyn/), or opening a jira issue at https://issues.apache.org/jira/browse/BROOKLYN to describe the requirements and someone can take a look?

Aled Sage

I had the same problem and solved it by creating my own LdapSecurityProvider for Active Directory. Create a new class which extends the org.apache.brooklyn.rest.security.provider.LdapSecurityProvider and override the getUserDN method.

Brooklyn uses the com.sun.jndi.ldap.LdapCtxFactory, so you can find detailed documentation under http://docs.oracle.com/javase/7/docs/technotes/guides/jndi/jndi-ldap.html

Felix Otto
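A sketch of the subclass this answer describes, written as an added example and not Felix Otto's code or Brooklyn's own. It assumes the parent exposes a `(ManagementContext)` constructor and a `protected String getUserDN(String user)` hook, that the realm can be read back from the `brooklyn.webconsole.security.ldap.realm` property via `getFirst`, and that the AD users live under `cn=Users` as in the question's screenshot; the DN helper escapes the user name per RFC 4514 so a login value containing `,` or `=` cannot rewrite the bind DN.

```java
package com.example.brooklyn.security; // hypothetical package name

import org.apache.brooklyn.api.mgmt.ManagementContext;
import org.apache.brooklyn.rest.security.provider.LdapSecurityProvider;

/** LdapSecurityProvider variant that binds as cn=<user>,cn=Users,dc=... for Active Directory. */
public class ActiveDirectorySecurityProvider extends LdapSecurityProvider {

    private final String realm;

    // Assumption: Brooklyn instantiates the configured provider with the ManagementContext.
    public ActiveDirectorySecurityProvider(ManagementContext mgmt) {
        super(mgmt);
        // Assumption: same property key the question sets, read back as a plain string.
        this.realm = mgmt.getConfig().getFirst("brooklyn.webconsole.security.ldap.realm");
    }

    // Assumption: the parent calls this to build Context.SECURITY_PRINCIPAL before binding.
    @Override
    protected String getUserDN(String user) {
        return buildUserDn(user, realm);
    }

    /** Pure helper: "jsmith" + "example.com" -> "cn=jsmith,cn=Users,dc=example,dc=com". */
    static String buildUserDn(String user, String realm) {
        StringBuilder dn = new StringBuilder("cn=").append(escapeRdnValue(user)).append(",cn=Users");
        for (String label : realm.split("\\.")) {
            dn.append(",dc=").append(label.toLowerCase());
        }
        return dn.toString();
    }

    /** RFC 4514 escaping so the login name is treated as a value, not as extra DN components. */
    static String escapeRdnValue(String value) {
        StringBuilder out = new StringBuilder();
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            if (c == '\0') { out.append("\\00"); continue; }   // NUL must be hex-escaped
            boolean special = "\\,+\"<>;=".indexOf(c) >= 0
                    || (c == '#' && i == 0)                       // leading '#' is special
                    || (c == ' ' && (i == 0 || i == value.length() - 1)); // edge spaces
            if (special) out.append('\\');
            out.append(c);
        }
        return out.toString();
    }
}
```

Point `brooklyn.webconsole.security.provider` at this class instead of the stock one; the bind URL and realm properties from the question stay unchanged.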