ldap group authorization after successful authentication.


jsinclair
I'm using Shib IdP 2 for Google SSO for email. I'm successfully authenticating users via the ShibUserPassAuth {edu.vt.middleware.ldap.jaas.LdapLoginModule} in login.config.

15:16:51.081 - INFO [edu.vt.middleware.ldap.Authenticator:297] - [TP-Processor3:] - Authentication succeeded for user

After a user authenticates using their username and password they get redirected to Google.
My question is: how can I authorize the user only if they are a member of a specific LDAP group, such as 'Email', before redirecting back to Google?

Can this be accomplished by stacking LDAP modules like so?

ShibUserPassAuth {
    // authentication: bind as the user found under the base DN
    edu.vt.middleware.ldap.jaas.LdapLoginModule required
        base="ou=users,dc=test,dc=com"
        host="myldap.server"
        port="389"
        serviceCredential=""
        serviceUser=""
        userField="uid"
        subtreeSearch="false";

    // proposed authorization step (currently commented out):
    // require membership in cn=Email before the login succeeds
    /*
    edu.vt.middleware.ldap.jaas.LdapRoleAuthorizationModule required
        useFirstPass="true"
        ldapUrl="ldap://myldap:389/cn=Email,ou=roles,dc=test,dc=com"
        roleFilter="(member={0})"
        roleAttribute="cn";
    */
};

Thanks,
jsinclair
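The pattern the post is asking about, written out as an added example (not code from the post and not a configuration shipped with Shibboleth or vt-ldap): the first module authenticates and hands the username and password to the shared state, the second module reuses them and fails the login unless a group entry lists the user as a member. Because both modules are `required`, a failed group check fails the whole JAAS login, so the IdP never builds an assertion for Google. The option names (`ldapUrl`, `baseDn`, `userFilter`, `storePass`, `useFirstPass`, `roleFilter`, `roleAttribute`, `noResultsIsError`, `authorizationFilter`) are the vt-ldap 3.x names as I remember them, not the 2.x-style names in the post, and the `{0}`/`{1}` placeholder order in `roleFilter` (user DN, then username) is an assumption; check both against the vt-ldap jar in the IdP's lib directory. Hostnames and DNs are placeholders.

```text
ShibUserPassAuth {
    // Step 1: authentication.  The module searches baseDn with userFilter
    // ({0} = the submitted username), binds as the DN it finds, and with
    // storePass="true" stores the username/password in the shared state for
    // the next module.  Anonymous search is assumed; set bindDn/bindCredential
    // if the directory requires a service account.
    edu.vt.middleware.ldap.jaas.LdapLoginModule required
        ldapUrl="ldap://myldap.server:389"
        baseDn="ou=users,dc=test,dc=com"
        userFilter="(uid={0})"
        storePass="true";

    // Step 2: authorization.  useFirstPass="true" takes the stored credentials
    // instead of prompting again.  The roleFilter is run under baseDn; here it
    // is pinned to the one group that grants access, with {0} assumed to be
    // the authenticated user's DN ({1} would be the bare username).
    // noResultsIsError="true" is the important part: without it an empty
    // result still counts as success and the group check enforces nothing.
    edu.vt.middleware.ldap.jaas.LdapRoleAuthorizationModule required
        useFirstPass="true"
        ldapUrl="ldap://myldap.server:389"
        baseDn="ou=roles,dc=test,dc=com"
        roleFilter="(&(cn=Email)(member={0}))"
        roleAttribute="cn"
        noResultsIsError="true";
};

/*
  Alternative with a single module, assuming the directory maintains a
  memberOf attribute on user entries (Active Directory, or OpenLDAP with the
  memberof overlay).  authorizationFilter is evaluated against the
  authenticated user's own entry after the bind; no match means login fails.

ShibUserPassAuth {
    edu.vt.middleware.ldap.jaas.LdapLoginModule required
        ldapUrl="ldap://myldap.server:389"
        baseDn="ou=users,dc=test,dc=com"
        userFilter="(uid={0})"
        authorizationFilter="(memberOf=cn=Email,ou=roles,dc=test,dc=com)";
};
*/
```

Two things to verify after changing login.config: test with a user who authenticates correctly but is not in cn=Email and confirm the IdP login page reports a failure rather than redirecting to Google, and keep the group DN in `baseDn`/`roleFilter` rather than in the URL path, since the URL's DN component is not read as a search base by the module.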