The purpose of this article is to show how to configure the Licenses Service to define static or LDAP filtering and to customize filtering.

Prerequisites:
  • Licenses Service 1.3.0 or higher version.
  • Stambia DI Designer S17.2.12 or higher version.

Starting with Licenses Service 1.3.0, it is possible to define LDAP filtering and to customize filtering.

 

 

Static filtering

With this filtering, you can limit access to the users defined in a configuration file.

Configuration

The spring-context.xml file must declare a new bean that configures static filtering.

The configuration content of this file will look like this:

<!-- Define a list of Stambia group / filter combination -->                                            
    <bean class="com.stambia.licence.plugin.impl.DesignerFilterManager">    
        <property name="plugins">
            <map>
                <!-- associate a license.xml Stambia group (in the key attribute) to a filter (in the value-ref attribute)  -->                                    
                <entry key="default" value-ref="simpleFilter"></entry>
            </map>        
        </property>        
    </bean>
    <!-- Simple filter -->    
    <bean id="simpleFilter"
        class="com.stambia.licence.plugin.impl.DesignerFilterSimplePlugin">
        <!-- userNames: List of allowed username  -->                
        <property name="userNames">
            <list>
                <value>tsmith</value>
                <value>ejones</value>
                <value>dwheldon</value>
            </list>
        </property>
        <!-- logUserListAtStartup: Enable logging user "userNameAttribute" attribute when starting the server -->            
        <property name="logUserListAtStartup" value="true"></property>
    </bean>

 

The "userNames" property list contains the allowed Operating System user account names.

The sample spring-context.xml file containing this configuration is located in the following directory:

conf/samples/filter_simple

 

LDAP directory filtering

With this filtering, you can limit access to the users defined in an LDAP directory.

Configuration

The spring-context.xml file must declare new beans that configure the LDAP properties.

The configuration content of this file will look like this:

<!-- Define a list of Stambia group / filter combination -->                                        
    <bean class="com.stambia.licence.plugin.impl.DesignerFilterManager">    
        <property name="plugins">
            <map>
                <!-- associate a license.xml Stambia group (in the key attribute) to a filter (in the value-ref attribute)  -->                                    
                <entry key="default" value-ref="ldapFilter"></entry>
            </map>        
        </property>    
    </bean>
<!-- LDAP configuration -->    
    <bean id="contextSource"
        class="org.springframework.ldap.core.support.LdapContextSource">
        <!-- url: The LDAP URL. format: ldap://<IP_ADDRESS>:<PORT> -->    
        <property name="url" value="ldap://xx.xx.xx.xx:yyy" />
        <!-- userDn: The LDAP user to use -->    
        <property name="userDn" value="cn=admin,dc=myorganization,dc=org" />
        <!-- password: The LDAP user password -->            
        <property name="password" value="LDAP_PASSWORD" />
    </bean>
<bean id="ldapTemplate"
        class="org.springframework.ldap.core.LdapTemplate">
        <constructor-arg ref="contextSource" />
    </bean>
<!-- LDAP filter -->    
    <bean id="ldapFilter"
        class="com.stambia.licence.plugin.impl.DesignerFilterLdapPlugin">
        <constructor-arg ref="ldapTemplate" />
        <!-- base: The search base defines the starting point for the search in the directory tree -->    
        <property name="base" value="ou=people,dc=myorganization,dc=org"/>
        <!-- filter: The filter to use in the search
            Note: use &amp; string as AND (&) operator
        -->
        <property name="filter" value="objectClass=person"/>
        <!-- userNameAttribute: LDAP attribute containing the allowed username -->        
        <property name="userNameAttribute" value="userName"/>
        <!-- searchScope: Specifies the portion of the target subtree that should be considered. Supported search scope values are:
            0: baseObject (also known as "base"):  only the entry specified as the search base should be considered.
            1: singleLevel (also known as "one"):  only the immediate children of the entry specified as the search base should be considered.
            2: wholeSubtree (also known as "sub"): indicates that the entry specified as the search base, and all of its subordinates to any depth, should be considered.
        -->
        <property name="searchScope" value="2"/>
        <!-- logUserListAtStartup: Enable logging user "userNameAttribute" attribute when starting the server -->    
        <property name="logUserListAtStartup" value="true"/>
        <!-- refreshInterval: Filter refresh interval (in seconds). Defaults to 30 seconds if this property is not set -->
        <property name="refreshInterval" value="600"/>    
    </bean>

 

The bean class="org.springframework.ldap.core.support.LdapContextSource" configures your LDAP parameters: LDAP URL, user and password.

The bean class="com.stambia.licence.plugin.impl.DesignerFilterManager" configures LDAP filtering for each Stambia group defined in the license.xml file. You need to associate each Stambia group with an LDAP filter. Each Stambia group can use a different LDAP filter.
The bean class="com.stambia.licence.plugin.impl.DesignerFilterLdapPlugin" configures one specific LDAP filter.

 

The sample spring-context.xml file containing this configuration is located in the following directory:

conf/samples/filter_ldap

 

About LDAP directory impact

For each Stambia DI user concerned, the LDAP entry must have an attribute that contains the Operating System user account name.
The name of this attribute must be set as the value of the "userNameAttribute" property in the LDAP filtering bean.
For example: if your user account name is "johnsmith", your LDAP entry must carry the attribute named in "userNameAttribute" with "johnsmith" as its value.

 

 

Combine multiple filters

With the following configuration, you can associate:

  • a Stambia Group (externalPeopleGroup) to an LDAP filter
  • a Stambia Group (default) to a combination of 2 LDAP filters using the com.stambia.licence.plugin.impl.DesignerFilterComposePlugin bean.

 

<!-- Define a list of Stambia group / filter combination -->                                                
    <bean class="com.stambia.licence.plugin.impl.DesignerFilterManager">    
        <property name="plugins">
            <map>
                <!-- associate a license.xml Stambia group (in the key attribute) to a filter (in the value-ref attribute)  -->                                    
                <entry key="default" value-ref="ldapGroupfilter"></entry>
                <entry key="externalPeopleGroup" value-ref="ldapfilterForExternals"></entry>
            </map>        
        </property>    
    </bean>
 <!-- LDAP configuration -->    
    <bean id="contextSource"
        class="org.springframework.ldap.core.support.LdapContextSource">
        <!-- url: The LDAP URL. format: ldap://<IP_ADDRESS>:<PORT> -->    
        <property name="url" value="ldap://xx.xx.xx.xx:yyy" />
        <!-- userDn: The LDAP user to use -->    
        <property name="userDn" value="cn=admin,dc=myorganization,dc=org" />
        <!-- password: The LDAP user password -->            
        <property name="password" value="LDAP_PASSWORD" />
    </bean>
<bean id="ldapTemplate"
        class="org.springframework.ldap.core.LdapTemplate">
        <constructor-arg ref="contextSource" />
    </bean>
 <!-- LDAP filter 1 -->    
    <bean id="ldapfilterForSupportTeam"
        class="com.stambia.licence.plugin.impl.DesignerFilterLdapPlugin">
        <constructor-arg ref="ldapTemplate" />
        <!-- base: The search base defines the starting point for the search in the directory tree -->    
        <property name="base" value="ou=support,ou=people,dc=myorganization,dc=org"/>
        <!-- filter: The filter to use in the search
            Note: use &amp; string as AND (&) operator
        -->
        <property name="filter" value="objectClass=person"/>
        <!-- userNameAttribute: LDAP attribute containing the allowed username -->        
        <property name="userNameAttribute" value="username"/>
        <!-- searchScope: Specifies the portion of the target subtree that should be considered. Supported search scope values are:
            0: baseObject (also known as "base"):  only the entry specified as the search base should be considered.
            1: singleLevel (also known as "one"):  only the immediate children of the entry specified as the search base should be considered.
            2: wholeSubtree (also known as "sub"): indicates that the entry specified as the search base, and all of its subordinates to any depth, should be considered.
        -->
        <property name="searchScope" value="2"/>
    </bean>
    <!-- LDAP filter 2 -->    
    <bean id="ldapfilterForDevelopmentTeam"
        class="com.stambia.licence.plugin.impl.DesignerFilterLdapPlugin">
        <constructor-arg ref="ldapTemplate" />
        <!-- base: The search base defines the starting point for the search in the directory tree -->    
        <property name="base" value="ou=development,ou=people,dc=myorganization,dc=org"/>
        <!-- filter: The filter to use in the search
            Note: use &amp; string as AND (&) operator
        -->
        <property name="filter" value="objectClass=person"/>
        <!-- userNameAttribute: LDAP attribute containing the allowed username -->        
        <property name="userNameAttribute" value="username"/>
        <!-- searchScope: Specifies the portion of the target subtree that should be considered. Supported search scope values are:
            0: baseObject (also known as "base"):  only the entry specified as the search base should be considered.
            1: singleLevel (also known as "one"):  only the immediate children of the entry specified as the search base should be considered.
            2: wholeSubtree (also known as "sub"): indicates that the entry specified as the search base, and all of its subordinates to any depth, should be considered.
        -->
        <property name="searchScope" value="2"/>
    </bean>
 <!-- LDAP filter 3 -->    
    <bean id="ldapfilterForExternals"
        class="com.stambia.licence.plugin.impl.DesignerFilterLdapPlugin">
        <constructor-arg ref="ldapTemplate" />
        <!-- base: The search base defines the starting point for the search in the directory tree -->    
        <property name="base" value="ou=externals,ou=people,dc=myorganization,dc=org"/>
        <!-- filter: The filter to use in the search
            Note: use &amp; string as AND (&) operator
        -->
        <property name="filter" value="objectClass=person"/>
        <!-- userNameAttribute: LDAP attribute containing the allowed username -->        
        <property name="userNameAttribute" value="username"/>
        <!-- searchScope: Specifies the portion of the target subtree that should be considered. Supported search scope values are:
            0: baseObject (also known as "base"):  only the entry specified as the search base should be considered.
            1: singleLevel (also known as "one"):  only the immediate children of the entry specified as the search base should be considered.
            2: wholeSubtree (also known as "sub"): indicates that the entry specified as the search base, and all of its subordinates to any depth, should be considered.
        -->
        <property name="searchScope" value="2"/>
    </bean>
    <!-- combine many filters -->        
    <bean id="ldapGroupfilter"
        class="com.stambia.licence.plugin.impl.DesignerFilterComposePlugin">
        <property name="filters">
            <list>
                <ref bean="ldapfilterForSupportTeam"/>
                <ref bean="ldapfilterForDevelopmentTeam"/>
            </list>
        </property>
        <!-- logUserListAtStartup: Enable logging user "userNameAttribute" attribute when starting the server -->            
        <property name="logUserListAtStartup" value="true"></property>
        <!-- refreshInterval: Filter refresh interval (in seconds). Default value is 30 seconds -->            
        <property name="refreshInterval" value="60"/>    
    </bean>
   

 

The sample spring-context.xml file containing this configuration is located in the following directory:

conf/samples/filter_compose
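
To review which directory branches or static names end up behind each Stambia group, the mapping can be resolved offline from spring-context.xml. The script below is an added example, not part of the Licenses Service: the names allow_sources, tags and SAMPLE are hypothetical, and the sample is a trimmed copy of the combined configuration above. It follows DesignerFilterComposePlugin references down to the simple and LDAP filters and also handles the static filter from the first section.

```python
import xml.etree.ElementTree as ET

SCOPES = {"0": "base", "1": "one", "2": "sub"}  # searchScope values from the page
PKG = "com.stambia.licence.plugin.impl."

# Constructed sample: combined configuration trimmed to the properties read here.
SAMPLE = f"""<beans xmlns="http://www.springframework.org/schema/beans">
 <bean class="{PKG}DesignerFilterManager"><property name="plugins"><map>
  <entry key="default" value-ref="ldapGroupfilter"/>
  <entry key="externalPeopleGroup" value-ref="ldapfilterForExternals"/>
 </map></property></bean>
 <bean id="ldapfilterForSupportTeam" class="{PKG}DesignerFilterLdapPlugin">
  <property name="base" value="ou=support,ou=people,dc=myorganization,dc=org"/>
  <property name="filter" value="objectClass=person"/><property name="searchScope" value="2"/></bean>
 <bean id="ldapfilterForDevelopmentTeam" class="{PKG}DesignerFilterLdapPlugin">
  <property name="base" value="ou=development,ou=people,dc=myorganization,dc=org"/>
  <property name="filter" value="objectClass=person"/><property name="searchScope" value="2"/></bean>
 <bean id="ldapfilterForExternals" class="{PKG}DesignerFilterLdapPlugin">
  <property name="base" value="ou=externals,ou=people,dc=myorganization,dc=org"/>
  <property name="filter" value="objectClass=person"/><property name="searchScope" value="2"/></bean>
 <bean id="ldapGroupfilter" class="{PKG}DesignerFilterComposePlugin">
  <property name="filters"><list><ref bean="ldapfilterForSupportTeam"/>
   <ref bean="ldapfilterForDevelopmentTeam"/></list></property></bean>
</beans>"""

def tags(el, name):
    """Descendants with this local tag name, ignoring any XML namespace."""
    return [e for e in el.iter() if e.tag.rsplit("}", 1)[-1] == name]

def allow_sources(xml_text):
    """Map each Stambia group to the sources that feed its allowed-user list."""
    beans = tags(ET.fromstring(xml_text), "bean")
    by_id = {b.get("id"): b for b in beans}
    def expand(ref, seen=()):
        bean = by_id[ref]  # KeyError: a value-ref or ref names no bean
        kind = bean.get("class").rsplit(".", 1)[-1]
        prop = {p.get("name"): p for p in tags(bean, "property")}
        if kind == "DesignerFilterComposePlugin" and ref not in seen:
            return [s for r in tags(prop["filters"], "ref")
                    for s in expand(r.get("bean"), seen + (ref,))]
        if kind == "DesignerFilterSimplePlugin":
            return [("static", v.text) for v in tags(prop["userNames"], "value")]
        if kind == "DesignerFilterLdapPlugin":
            return [("ldap", prop["base"].get("value"), prop["filter"].get("value"),
                     SCOPES[prop["searchScope"].get("value")])]
        return [("unresolved", ref)]  # unknown plugin class or a compose cycle
    manager = next(b for b in beans if b.get("class") == PKG + "DesignerFilterManager")
    return {e.get("key"): expand(e.get("value-ref")) for e in tags(manager, "entry")}
```

Calling allow_sources(SAMPLE) returns one entry per Stambia group; the default group resolves to the support and development search bases, and externalPeopleGroup to the externals base.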