Role to user group mapping or AD group to role to group mapping

Hello,

Some clarification would be appreciated in handling the Role to group mapping or LDAP to Role to Group mapping.

Environment:

We are using OpenNMS 25 on Ubuntu 18.04.

LDAP is configured in OpenNMS to authenticate users against Active Directory (AD) and works fine.

Recently we started to work with ACLs in order to have certain administrators see what’s relevant to them only.

In opennms.properties there is now:

org.opennms.web.aclsEnabled=true

Now, a local OpenNMS user is filtered depending on the OpenNMS group he is in.

Next we would like to map ROLES to OpenNMS groups.

To do so, I followed the steps as described in https://issues.opennms.org/browse/NMS-5547 and changed the applicationContext-spring-security.xml to map ROLE_USER to the AdminStreaming group

<!--
        <beans:bean id="authFilterEnabler" class="org.opennms.web.springframework.security.AuthFilterEnabler">
                <beans:property name="filterManager" ref="filterManager" />
                <beans:property name="groupDao" ref="groupDao" />
        </beans:bean>
-->
<!-- replaced to map roles to groups -->
        <beans:bean id="authFilterEnabler" class="org.opennms.web.springframework.security.AuthRoleToOnmsGroupMapFilterEnabler">
                <custom-filter position="LAST" />

                <beans:property name="filterManager" ref="filterManager" />

                <beans:property name="roleToOnmsGroupMap">
                        <beans:map>
                                <beans:entry>
                                        <beans:key>
                                                <beans:value>ROLE_USER</beans:value>
                                        </beans:key>
                                        <beans:list>
                                                <beans:value>AdminStreaming</beans:value>
                                        </beans:list>
                                </beans:entry>
                        </beans:map>
                </beans:property>

        </beans:bean>

But now OpenNMS stalls at startup. See the message below from jetty-server.log.

Questions:

1 - What am I missing? I guess it must be futile but I’m probably overlooking it.

2 - Does dispatcher-servlet.xml need to be changed, as ‘groupDao’ is commented out in applicationContext-spring-security.xml?

3 - When the role to group mapping is working, we would like to map LDAP/AD user groups to OpenNMS groups through roles.

In web.log (when in DEBUG mode) the AD group names a user is a member of appear as ROLE_-prefixed roles, e.g. ROLE_STREAMING when
a user is a member of the ‘streaming’ group in AD.

Can I use the roles derived from AD groups to map them to OpenNMS groups in the applicationContext-spring-security.xml file?

Just as a note: when implementing the above-mentioned bean with the AuthRoleToOnmsGroupMapFilterEnabler class, the following message appears
in the jetty-server.log file:

2020-04-14 14:12:37,110 WARN  [Main] o.e.j.u.DeprecationWarning: Using @Deprecated Class org.apache.felix.http.proxy.ProxyListener
2020-04-14 14:12:57,947 WARN  [qtp865220208-408] o.e.j.s.HttpChannel: /opennms/rtc/post/Interfaces+de+Red
java.lang.NullPointerException: null
        at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1602) ~[jetty-servlet-9.4.18.v20190429.jar:9.4.18.v20190429]
        at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:540) ~[jetty-servlet-9.4.18.v20190429.jar:9.4.18.v20190429]
        at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:146) ~[jetty-server-9.4.18.v20190429.jar:9.4.18.v20190429]
        at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:548) ~[jetty-security-9.4.18.v20190429.jar:9.4.18.v20190429]
        at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132) ~[jetty-server-9.4.18.v20190429.jar:9.4.18.v20190429]
        at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:257) ~[jetty-server-9.4.18.v20190429.jar:9.4.18.v20190429]

The same message appears for all other categories in categories.xml.

This is apart from OpenNMS not starting up.

Thank you,

Jay

Can you double-check your configuration as described in How to authenticate against Microsoft Active Directory Services here in Step 6?

Hello Indigo,

Below is included the part of activeDirectory.xml that handles LDAP/AD group mapping to roles.

The allowed groups are searched in the ‘OU=GRUPOS,DC=yourcomp,DC=internal’ branch.

The ‘Sistemas’ group is assigned the ROLE_ADMIN and ROLE_USER roles

All other groups get the ROLE_DASHBOARD and ROLE_USER roles.

<beans:bean
        id="userGroupLdapAuthoritiesPopulator"
        class="org.opennms.web.springframework.security.UserGroupLdapAuthoritiesPopulator">

        <beans:constructor-arg ref="contextSource"/>
        <beans:constructor-arg value="OU=GRUPOS,DC=yourcomp,DC=internal" />

        <beans:property name="searchSubtree" value="true" />

        <beans:property name="groupToRoleMap">
                <beans:map>
                        <beans:entry>
                                <beans:key><beans:value>Sistemas</beans:value></beans:key>
                                <beans:list>
                                        <beans:value>ROLE_USER</beans:value>
                                        <beans:value>ROLE_ADMIN</beans:value>
                                </beans:list>
                        </beans:entry>

                        <beans:entry>
                                <beans:key><beans:value></beans:value></beans:key>
                                <beans:list>
                                        <beans:value>ROLE_USER</beans:value>
                                        <beans:value>ROLE_DASHBOARD</beans:value>
                                </beans:list>
                        </beans:entry>
                </beans:map>
        </beans:property>

</beans:bean>

Meanwhile we tested with ‘shadow users’ in OpenNMS, that is, having the same usernames locally in OpenNMS as the ones in Active Directory, and that worked!

The AD users logged in to OpenNMS are assigned to the groups configured in OpenNMS, and from there you can assign categories to form the needed ACLs.

Now we can have global administrators see everything in OpenNMS, and administrators from other areas see the systems according to the group and category combination they are in.

As a workaround this is acceptable, although it would be nice to have the option available to the package for a quick configuration.

Please note that the local ‘shadow’ users should have a different password from the one they have for their Active Directory account.

1 Like
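The two-stage chain the thread is after (AD group to Spring role in activeDirectory.xml, then role to OpenNMS group in applicationContext-spring-security.xml), written out as an added example; this is not code from the original posts or from the OpenNMS project. It assumes the two classes and property names that appear in the posts above, that the `beans:` prefix is bound to the Spring beans namespace in both files, that `contextSource` and `filterManager` are bean ids already defined there, and that an AD group named `streaming` and an OpenNMS group named `AdminStreaming` exist; the `OU=GRUPOS,DC=yourcomp,DC=internal` base is the placeholder from the thread. The `<custom-filter>` element is a child of the security namespace `<http>` element and refers to the bean by id, which is how the Spring Security namespace defines it.

```xml
<!-- activeDirectory.xml: stage 1, AD group -> Spring role.
     Added example, not project code. Assumes the class and property names
     used in the thread; contextSource is the LDAP context bean defined elsewhere. -->
<beans:bean id="userGroupLdapAuthoritiesPopulator"
            class="org.opennms.web.springframework.security.UserGroupLdapAuthoritiesPopulator">
  <beans:constructor-arg ref="contextSource" />
  <beans:constructor-arg value="OU=GRUPOS,DC=yourcomp,DC=internal" />
  <beans:property name="searchSubtree" value="true" />
  <beans:property name="groupToRoleMap">
    <beans:map>
      <!-- Global administrators (AD group name from the thread) -->
      <beans:entry>
        <beans:key><beans:value>Sistemas</beans:value></beans:key>
        <beans:list>
          <beans:value>ROLE_USER</beans:value>
          <beans:value>ROLE_ADMIN</beans:value>
        </beans:list>
      </beans:entry>
      <!-- Area administrators: an explicit, area-specific role so that stage 2
           can target only this AD group (assumed AD group name "streaming") -->
      <beans:entry>
        <beans:key><beans:value>streaming</beans:value></beans:key>
        <beans:list>
          <beans:value>ROLE_USER</beans:value>
          <beans:value>ROLE_STREAMING</beans:value>
        </beans:list>
      </beans:entry>
    </beans:map>
  </beans:property>
</beans:bean>

<!-- applicationContext-spring-security.xml: stage 2, Spring role -> OpenNMS group.
     Keyed on ROLE_STREAMING rather than ROLE_USER: in the mapping above every
     AD group receives ROLE_USER, so keying on ROLE_USER would put every
     authenticated user into AdminStreaming and the ACL would filter nothing. -->
<beans:bean id="authFilterEnabler"
            class="org.opennms.web.springframework.security.AuthRoleToOnmsGroupMapFilterEnabler">
  <beans:property name="filterManager" ref="filterManager" />
  <beans:property name="roleToOnmsGroupMap">
    <beans:map>
      <beans:entry>
        <beans:key><beans:value>ROLE_STREAMING</beans:value></beans:key>
        <beans:list>
          <beans:value>AdminStreaming</beans:value>
        </beans:list>
      </beans:entry>
    </beans:map>
  </beans:property>
</beans:bean>

<!-- Placed inside the existing <http> element of the same file, not inside the
     bean definition: the filter is registered by reference to the bean id. -->
<custom-filter position="LAST" ref="authFilterEnabler" />
```

After a restart, check the result from both sides: an AD user in `streaming` should see only the categories assigned to the AdminStreaming group, and an AD user in no mapped group should see nothing, while web.log at DEBUG level should list ROLE_STREAMING for the first user. If everyone still sees everything, the first place to look is whether the role you keyed on is one that every user receives.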

What would be a nice enhancement is a GUI frontend to configure AD authentication rather than editing configuration files :smile:

I did have an issue creating a Read-Only group which didn’t work as I would have expected. Those users could never see anything on the page. I assigned them READONLY and USER.

I’m relatively new to the tool (used it back when it was v18.x and now 27.0.5).