January 15, 2015 at 4:14 pm #2424
I am trying to add a user to an existing group which has a set of privileges. I am adding the group through REST calls.
Here are the steps I do with my sample web application.
Assume the group already exists with some privileges. For example, group name: my_admin_group
1. Create the user through the create user REST call, say, jhon => User created.
2. Now from my application I try to add the user “jhon” to “my_admin_group”. => User added. (I can see the uniquemember attribute updated.)
To verify that all the operations were successful I go to the OpenAM console and log in as amadmin.
Click the Access Control tab -> click / (Top Level Realm) -> click the Subjects tab -> click the Group tab.
I click on “my_admin_group”. I click on the User tab. I can see my user (“jhon”) added.
To verify 100%, now I go back and click on the User tab, then click on user “jhon”.
I go to its Group tab; there I cannot see the association of “my_admin_group” with user jhon.
And because of that, the privileges assigned to the configured group are not assigned to the user.
When we do this operation normally through the OpenAM console it works fine.
I am using an external OpenDJ LDAP data store.
I also want to let you know that when we create the user and add it to the group, an attribute named “isMemberOf” is set on that user. When I log in to the LDAP data store to see this, it says the “isMemberOf” attribute is read only.
Now I cannot set this attribute through a REST call either. It gives me an LDAP exception.
Can you please let me know how I can relate the above association?
It would be good if someone could show me a sample curl request and JSON to do the above operation.
Sohan
January 15, 2015 at 4:26 pm #2425
The sad answer is that you shouldn’t really attempt to use the new /json/* endpoints to perform group membership related operations as they are not really working too well in 11.0.x (and potentially in 12.0.0).
isMemberOf is a virtual attribute, hence any attempt of changing its value shall result in an LDAP error result, so that is very much expected. I assume you are trying to add a user to a static group, to do that you would need to modify the static group with a PUT request, where the JSON payload would include the uniqueMember (FYI the recommendation is to not use groupOfUniqueNames btw, see http://opendj.forgerock.org/opendj-server/doc/admin-guide/index.html#static-groups ), and the attribute value would be the full DN of the user you are trying to add. Potentially you will need to list existing group members in your PUT request as well, so you won’t end up removing existing members from the group.
In any case, you are most likely better off using some other means to manage identity data, instead of using OpenAM. Things like OpenDJ’s REST connector, or OpenDJ LDAP SDK (or well, OpenIDM’s APIs) are much more suitable for these sort of things.
Peter
January 15, 2015 at 5:01 pm #2426
Thanks for the quick reply.
So you mean to say that using some OpenDJ REST call I can set this kind of membership, right?
After setting this membership, would I be able to see the association of the group properly in OpenAM for that user?
Sohan
January 15, 2015 at 5:51 pm #2427
Any changes performed externally should be visible for OpenAM as long as the directory server supports the persistent search control.
Just to clarify: it is _possible_ to add group members with the new REST endpoint (/json/users/<username>), it’s just a bit more difficult than expected. Using the legacy REST endpoints (/identity/json/update) it should be simpler (though then the request parameters can easily give you a headache).
Peter
January 16, 2015 at 8:32 am #2431
Thanks Peter for the help.
I will see how it is doable. As a workaround for now I will assign All Authenticated Users a limited set of privileges, whereas users in my admin group will have permissions to create/delete/update.
Sohan
January 16, 2015 at 8:37 am #2432
It is always a bad idea to assign privileges to All Authenticated Users, if it’s possible don’t do it.
January 16, 2015 at 9:32 am #2433
I agree, but there are cases where some of our users will be able to see only user or group names, not able to modify them.
Read-only kind of permission won’t hamper anything, I guess.
Sohan
January 16, 2015 at 9:51 am #2434
I still wouldn’t recommend doing it. But anyways, I don’t see how your original question about group membership assignment relates to assigning read-only privileges to all authenticated users.
January 16, 2015 at 9:56 am #2435
I had an idea to create a group from the OpenAM console and assign some limited set of privileges to it.
Later on, when I add users to that group which has a limited set of permissions, they would also get similar privileges. But as the association is not happening properly via the add group REST call to OpenAM, users can’t have those privileges.
So now all authenticated users will have just retrieve permissions, whereas I have my own other admin group which has more privileges.
So only users in my admin group will have the full set of permissions, but the rest of the authenticated users will have read-only kind of permissions.
Sohan
January 16, 2015 at 12:05 pm #2442
At best this should be a temporary solution really. You should sort out the group assignment problem (one way or another) and then users member of the privileged group should be able to perform their privileged tasks just fine without providing extra access to every single logged in user.
January 16, 2015 at 3:54 pm #2446
Would it be possible to update my OpenDJ schema so that the read-only attribute becomes read/write?
I am searching for a similar operation on the LDAP schema.
I want to update the isMemberOf attribute with write permission too.
Can you help me on this?
Sohan
January 16, 2015 at 3:57 pm #2447
That is NOT how you should resolve this problem. Again, isMemberOf is a virtual attribute, its value is calculated based on group membership information stored all across the directory (static/dynamic/etc group memberships). For example if you modify the isMemberOf attribute to point to a dynamic group how should DJ really make sure that the user really fulfills the dynamic group’s memberUrl?
To add a user to a static group, you’ll need to modify the group entry and add the user’s DN to the member or uniqueMember attribute.
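The two points Peter makes in the thread (membership lives on the group entry, and isMemberOf is computed from it, so the PUT payload must carry every existing uniqueMember DN) are illustrated by the following added example. It is not code from the thread or from OpenAM/OpenDJ; the group JSON, the user container DN, the group DN and the REST path mentioned in the comments are constructed assumptions for illustration.

```python
import json

# Constructed sample data (not from the thread): a static group as it might
# be returned by OpenAM's JSON endpoint, with two existing members.
SAMPLE_GROUP = {
    "username": "my_admin_group",
    "uniquemember": [
        "uid=alice,ou=people,dc=example,dc=com",
        "uid=bob,ou=people,dc=example,dc=com",
    ],
}

BASE_DN = "ou=people,dc=example,dc=com"            # assumed user container
GROUP_DN = "cn=my_admin_group,ou=groups,dc=example,dc=com"  # assumed group DN


def user_dn(uid, base_dn=BASE_DN):
    """uniqueMember must hold the user's full DN, not the bare uid."""
    return f"uid={uid},{base_dn}"


def normalize_dn(dn):
    """Cheap DN normalization for comparisons: trim around commas, lower-case."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def build_put_payload(group, new_member_dn):
    """JSON body for a full-replace PUT that keeps the existing members.

    A PUT replaces the attribute wholesale, so every current DN is re-sent;
    omitting one would silently drop that member from the group.  The body
    would go to the group's JSON endpoint (assumed path /json/groups/<name>)
    with an admin SSO token; those request details are not shown here.
    """
    members = list(group.get("uniquemember", []))
    known = {normalize_dn(m) for m in members}
    if normalize_dn(new_member_dn) not in known:   # idempotent add
        members.append(new_member_dn)
    return {"uniquemember": members}


def build_ldif_modify(group_dn, new_member_dn):
    """LDIF for the same change done directly against the directory.

    An LDAP modify/add touches only the new value, so existing members do
    not need to be listed (contrast with the REST PUT above).
    """
    return (
        f"dn: {group_dn}\n"
        "changetype: modify\n"
        "add: uniqueMember\n"
        f"uniqueMember: {new_member_dn}\n"
    )


def virtual_is_member_of(user_dn_value, groups):
    """Derive isMemberOf the way the directory does: scan group member lists.

    groups maps group DN -> list of member DNs.  The value is computed from
    the group entries and never stored on the user, which is why a write to
    isMemberOf is rejected with an LDAP error.
    """
    target = normalize_dn(user_dn_value)
    return sorted(
        gdn for gdn, members in groups.items()
        if target in {normalize_dn(m) for m in members}
    )


if __name__ == "__main__":
    jhon = user_dn("jhon")
    payload = build_put_payload(SAMPLE_GROUP, jhon)
    print(json.dumps(payload, indent=2))
    print(build_ldif_modify(GROUP_DN, jhon))
    # After the modify, isMemberOf for jhon is derived from the group entry.
    print(virtual_is_member_of(jhon, {GROUP_DN: payload["uniquemember"]}))
```

Running the script prints the PUT body with all three DNs, the equivalent LDIF, and the derived isMemberOf list for jhon; adding a DN that is already present leaves the member list unchanged.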