Setting Up a Group Membership Check in Access Manager



By: Ben Fjeldsted

March 26, 2008 8:17 am


Problem

A Forum reader recently asked:

“I’m trying to set up a reverse proxy with authentication to an eDirectory group. I want to check to see if the user is a member of a group. I have this set up on iChain, but I can’t figure out how to do it in Access Manager.”

And here is the response from Ben Fjeldsted …

Solution

To base access on LDAP groups, you must first make an “Identity Server: Role” policy for the LDAP group that the user is in. Then you can use that role in an “Access Gateway: Authorization” policy.

Here is an example policy set, exported from one of my configurations. It basically says that:

If LDAP Group: [Current]
Comparison: LDAP Group: Is Member of
Value: LDAP Group: cn=sales,o=novell
Result on Condition Error: False

Do Activate Role:
sales_role

Then the Authorization policy “deny_but_sales” uses this role: its first rule permits access when the user's current roles include sales_role, and a lower-priority catch-all rule denies everyone else with a block message.

Remember to enable the role in the Identity Server Configuration under [configuration name] > General > Roles.

<?xml version="1.0" encoding="UTF-8"?>
<!--Sample XML file generated by XMLSpy v2005 rel. 3 U 
(http://www.altova.com)-->
<NxpeService xmlns:xpeml="urn:novell:schema:xpeml:1.34:policy" 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
xsi:noNamespaceSchemaLocation="./nxpeService.xsd" Revision="0.1">
   <xpeml:PolicyCollection schemaVersion="1.34">
     <xpeml:PoliciesDefinitionList LastModified="4294967295" 
LastModifiedBy="String">
       <xpeml:Policy Enable="true" 
UserInterfaceID="PolicyID_xpemlPEP_AGAuthorization_1189184590095" 
Category="" Name="deny_but_sales" LastModified="1189184619087" 
PolicyID="PolicyID_xpemlPEP_AGAuthorization_1189184590095" 
DateCreated="4294967295" Description="" DateArchived="4294967295" 
LastModifiedBy="cn=admin,o=novell">
         <xpeml:PolicyEnforcementPointRef 
ElementRefType="ExternalWithIDRef" 
ExternalDocRef="AccessGateway-default:romaContentCollectionXMLDoc" 
ExternalElementRef="xpemlPEP_AGAuthorization" />
         <xpeml:ConfigurationUsageList />
         <xpeml:Rule RuleID="RuleID_1189184590095" RuleOrder="1" 
Enable="1" UserInterfaceID="RuleID_1189184590095" 
ConditionCombiningAlgorithm="DNF" Description="" Priority="0">
           <xpeml:ActionList>
             <xpeml:Action UserInterfaceID="1" Order="1">
               <xpeml:ActionRef ElementRefType="ExternalWithIDRef" 
ExternalDocRef="AccessGateway-default:romaContentCollectionXMLDoc" 
ExternalElementRef="xpemlAction_Permit" />
             </xpeml:Action>
           </xpeml:ActionList>
           <xpeml:ConditionList>
             <xpeml:ConditionSet Enable="true" UserInterfaceID="1" 
NOT="0" SetOrder="1">
               <xpeml:Condition Enable="true" UserInterfaceID="1" 
NOT="0" Order="1" ResultOnError="false">
                 <xpeml:ConditionRef ElementRefType="ExternalWithIDRef" 
ExternalDocRef="AccessGateway-default:romaContentCollectionXMLDoc" 
ExternalElementRef="xpemlCondition_string" />
                 <xpeml:OperatorRef ElementRefType="ExternalWithIDRef" 
ExternalDocRef="AccessGateway-default:romaContentCollectionXMLDoc" 
ExternalElementRef="nxpeOperator_string-equals" />
                 <xpeml:LHSOperand Value="">
                   <xpeml:ContextDataElementRef 
ElementRefType="ExternalWithIDRef" 
ExternalDocRef="AccessGateway-default:romaContentCollectionXMLDoc" 
ExternalElementRef="xpemlContextDataElement_CurrentRoles" />
                 </xpeml:LHSOperand>
                 <xpeml:RHSOperand Value="sales_role">
                   <xpeml:ContextDataElementRef 
ElementRefType="ExternalWithIDRef" 
ExternalDocRef="AccessGateway-default:romaContentCollectionXMLDoc" 
ExternalElementRef="xpemlContextDataElement_SelectedRole" />
                 </xpeml:RHSOperand>
                 <xpeml:InstanceParameterList>
                   <xpeml:Parameter Value="case-sensitive" 
UserInterfaceID="case-sensitive" EnumerativeValue="1" Name="flags">
                     <xpeml:ContextDataElementRef 
ElementRefType="ExternalWithIDRef" 
ExternalDocRef="AccessGateway-default:romaContentCollectionXMLDoc" 
ExternalElementRef="case-sensitive" />
                   </xpeml:Parameter>
                 </xpeml:InstanceParameterList>
               </xpeml:Condition>
             </xpeml:ConditionSet>
           </xpeml:ConditionList>
         </xpeml:Rule>
         <xpeml:Rule RuleID="RuleID_1189184607928" RuleOrder="1" 
Enable="true" UserInterfaceID="RuleID_1189184607928" 
ConditionCombiningAlgorithm="DNF" Description="" Priority="9">
           <xpeml:ActionList>
             <xpeml:Action UserInterfaceID="1" Order="1">
               <xpeml:ActionRef ElementRefType="ExternalWithIDRef" 
ExternalDocRef="AccessGateway-default:romaContentCollectionXMLDoc" 
ExternalElementRef="xpemlAction_Deny" />
               <xpeml:InstanceParameterList>
                 <xpeml:ParameterGroup UserInterfaceID="DenyParameters" 
EnumerativeValue="2621" GroupName="DenyParameters" Order="1">
                   <xpeml:Choice 
UserInterfaceID="ChoiceID_10_1189184609553" EnumerativeValue="10" 
Enabled="false" ChoiceName="DefaultBlockPage" Order="1" />
                   <xpeml:Choice 
UserInterfaceID="ChoiceID_20_1189184609553" EnumerativeValue="20" 
Enabled="true" ChoiceName="SendBlockMessage" Order="2">
                     <xpeml:Parameter 
Value="You%20must%20be%20in%20the%20Sales%20group%20to%20access%20this%20resource." 
UserInterfaceID="ParameterID_1_1189184609553" EnumerativeValue="1" 
Name="Message" />
                   </xpeml:Choice>
                   <xpeml:Choice 
UserInterfaceID="ChoiceID_30_1189184609554" EnumerativeValue="30" 
Enabled="false" ChoiceName="RedirectToLocation" Order="3">
                     <xpeml:Parameter Value="" 
UserInterfaceID="ParameterID_1_1189184609554" EnumerativeValue="1" 
Name="Redirect" />
                   </xpeml:Choice>
                 </xpeml:ParameterGroup>
               </xpeml:InstanceParameterList>
             </xpeml:Action>
           </xpeml:ActionList>
         </xpeml:Rule>
       </xpeml:Policy>
       <xpeml:Policy Enable="true" 
UserInterfaceID="PolicyID_xpemlPEP_IDPRoles_1189184509646" Category="" 
Name="sales_role" LastModified="1189199771488" 
PolicyID="PolicyID_xpemlPEP_IDPRoles_1189184509646" 
DateCreated="4294967295" Description="" DateArchived="4294967295" 
LastModifiedBy="cn=admin,o=novell">
         <xpeml:PolicyEnforcementPointRef 
ElementRefType="ExternalWithIDRef" 
ExternalDocRef="IDPRoles-default:romaContentCollectionXMLDoc" 
ExternalElementRef="xpemlPEP_IDPRoles" />
         <xpeml:ConfigurationUsageList />
         <xpeml:Rule RuleID="RuleID_1189184509646" RuleOrder="1" 
Enable="1" UserInterfaceID="RuleID_1189184509646" 
ConditionCombiningAlgorithm="DNF" Description="" Priority="0">
           <xpeml:ActionList>
             <xpeml:Action UserInterfaceID="ActionID_1189184510593" 
Order="1">
               <xpeml:ActionRef ElementRefType="ExternalWithIDRef" 
ExternalDocRef="IDPRoles-default:romaContentCollectionXMLDoc" 
ExternalElementRef="xpemlAction_AddRole" />
               <xpeml:InstanceParameterList>
                 <xpeml:Parameter Value="sales_role" 
UserInterfaceID="AdditionalRole" EnumerativeValue="6601" 
Name="AdditionalRole" />
               </xpeml:InstanceParameterList>
             </xpeml:Action>
           </xpeml:ActionList>
           <xpeml:ConditionList>
             <xpeml:ConditionSet Enable="true" UserInterfaceID="1" 
NOT="0" SetOrder="1">
               <xpeml:Condition Enable="true" UserInterfaceID="1" 
NOT="0" Order="1" ResultOnError="false">
                 <xpeml:ConditionRef ElementRefType="ExternalWithIDRef" 
ExternalDocRef="IDPRoles-default:romaContentCollectionXMLDoc" 
ExternalElementRef="xpemlCondition_ldap-group" />
                 <xpeml:OperatorRef ElementRefType="ExternalWithIDRef" 
ExternalDocRef="IDPRoles-default:romaContentCollectionXMLDoc" 
ExternalElementRef="nxpeOperator_ldap-group-is-member-of" />
                 <xpeml:LHSOperand Value="">
                   <xpeml:ContextDataElementRef 
ElementRefType="ExternalWithIDRef" 
ExternalDocRef="IDPRoles-default:romaContentCollectionXMLDoc" 
ExternalElementRef="xpemlContextDataElement_LdapGroup" />
                 </xpeml:LHSOperand>
                 <xpeml:RHSOperand Value="cn%3Dsales%2Co%3Dnovell">
                   <xpeml:ContextDataElementRef 
ElementRefType="ExternalWithIDRef" 
ExternalDocRef="IDPRoles-default:romaContentCollectionXMLDoc" 
ExternalElementRef="xpemlContextDataElement_SelectedLdapGroup" />
                 </xpeml:RHSOperand>
               </xpeml:Condition>
             </xpeml:ConditionSet>
           </xpeml:ConditionList>
         </xpeml:Rule>
       </xpeml:Policy>
     </xpeml:PoliciesDefinitionList>
   </xpeml:PolicyCollection>
</NxpeService>
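The following Python model is added here and is not part of the original post or of Access Manager itself; it condenses the two exported policies into data (values copied from the export) and walks through how they combine, including the fail-closed effect of Result on Condition Error: False when the LDAP group lookup fails. It assumes rules with a lower Priority are evaluated first, which is the reading under which the export's permit/deny pair makes sense.

```python
from urllib.parse import unquote

# Condensed model of the two exported policies above (values copied from the
# export; the evaluation code itself is a constructed illustration, not
# Access Manager's own engine).
ROLE_POLICIES = [
    # Identity Server role policy "sales_role": LDAP Group Is Member Of
    # cn=sales,o=novell (the export stores the RHS value URL-encoded).
    {"role": "sales_role", "group": unquote("cn%3Dsales%2Co%3Dnovell"),
     "result_on_error": False},                    # ResultOnError="false"
]

AUTHZ_RULES = [
    # Access Gateway policy "deny_but_sales": assumed lowest Priority is
    # evaluated first, and the first rule whose condition holds decides.
    {"priority": 0, "action": "Permit", "requires_role": "sales_role",
     "case_sensitive": True},                       # flags="case-sensitive"
    {"priority": 9, "action": "Deny", "requires_role": None,
     "message": unquote("You%20must%20be%20in%20the%20Sales%20group"
                        "%20to%20access%20this%20resource.")},
]

def activate_roles(user_groups, policies=ROLE_POLICIES):
    """Roles the Identity Server policy adds. user_groups is the user's LDAP
    group DNs, or None if the lookup failed (a condition error). DNs are
    compared as exact strings; any DN normalisation by Access Manager is not modelled."""
    roles = set()
    for p in policies:
        if user_groups is None:
            member = p["result_on_error"]      # error: fall back to False
        else:
            member = p["group"] in user_groups
        if member:
            roles.add(p["role"])
    return roles

def authorize(roles, rules=AUTHZ_RULES):
    """(action, block_message) the Access Gateway policy would return."""
    for r in sorted(rules, key=lambda x: x["priority"]):
        need = r["requires_role"]
        if need is None:                       # unconditional catch-all rule
            return r["action"], r.get("message")
        if r["case_sensitive"]:
            held = need in roles
        else:
            held = need.lower() in {x.lower() for x in roles}
        if held:
            return r["action"], None
    return "Deny", None  # unreachable with the catch-all Deny; assumed fail-closed
```

A failed group lookup yields no role, so the user falls through to the catch-all Deny rather than being permitted by accident.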


Disclaimer: As with everything else at NetIQ Cool Solutions, this content is definitely not supported by NetIQ, so Customer Support will not be able to help you if it has any adverse effect on your environment.  It just worked for at least one person, and perhaps it will be useful for you too.  Be sure to test in a non-production environment.
