Cannot see group added to user when clicked on user

This topic has 11 replies, 2 voices, and was last updated 5 years, 10 months ago by Peter Major.

  • #2424
     sohanb
    Participant

    Hi,

    I am trying to add a user to an existing group which has a set of privileges. I am adding the user to the group through REST calls.

    Here are the steps I do with my sample web application.
    Assume the group already exists with some privileges. For e.g. group name: my_admin_group
    1. Create a user through the create user REST call, say jhon => User created.
    2. Now from my application I try to add the user “jhon” to “my_admin_group”. => User added. (I can see the uniquemember attribute updated.)

    To verify that all the operations were successful I go to the OpenAM console and log in as amadmin.
    Click the Access Control tab -> click / (Top Level Realm) -> click the Subjects tab -> click the Group tab.
    I click on “my_admin_group”. I click on the User tab. I can see my user (“jhon”) added.

    To verify 100%, I now go back and click on the User tab, then click on user “jhon”.
    I go to its Group tab; there I cannot see the association of “my_admin_group” with user jhon.
    And due to this, the privileges assigned to the configured group are not assigned to the user.

    When we do this operation normally through the OpenAM console it works fine.
    I am using an external OpenDJ LDAP data store.
    I also want to let you know that when we create the user and add it to the group, an attribute named “isMemberOf” is set on that user. When I log in to the LDAP data store to see this, it says the “isMemberOf” attribute is read only.
    Now I cannot set this attribute through a REST call either. It gives me an LDAP exception.

    Can you please let me know how I can create the above association.
    It would be good if someone could show me a sample curl request and JSON to do the above operation.

    Thanks,
    Sohan

    #2425
     Peter Major
    Moderator

    Hi,

    the sad answer is that you shouldn’t really attempt to use the new /json/* endpoints to perform group membership related operations, as they are not really working too well in 11.0.x (and potentially in 12.0.0).
    isMemberOf is a virtual attribute, hence any attempt at changing its value will result in an LDAP error result, so that is very much expected. I assume you are trying to add a user to a static group; to do that you would need to modify the static group with a PUT request, where the JSON payload would include the uniqueMember attribute (FYI the recommendation is to not use groupOfUniqueNames btw, see http://opendj.forgerock.org/opendj-server/doc/admin-guide/index.html#static-groups ), and the attribute value would be the full DN of the user you are trying to add. Potentially you will need to list the existing group members in your PUT request as well, so you won’t end up removing existing members from the group.
    In any case, you are most likely better off using some other means to manage identity data instead of OpenAM. Things like OpenDJ’s REST connector or the OpenDJ LDAP SDK (or, well, OpenIDM’s APIs) are much more suitable for these sorts of things.

    cheers,
    Peter

    #2426
     sohanb
    Participant

    Hi,

    Thanks for quick reply.
    So you mean to say that using some OpenDJ REST call I can set this kind of membership, right?
    After setting this membership, would I see the association of the group properly in OpenAM for that user?

    Thanks,
    Sohan

    #2427
     Peter Major
    Moderator

    Hi,

    any changes performed externally should be visible to OpenAM as long as the directory server supports the persistent search control.
    Just to clarify: it is _possible_ to add group members with the new REST endpoint (/json/users/<username>), it’s just a bit more difficult than expected. Using the legacy REST endpoints (/identity/json/update) it should be simpler (though then the request parameters can easily give you a headache).

    cheers,
    Peter

    #2431
     sohanb
    Participant

    Thanks Peter for help.
    I will see how it is doable. As a workaround for now I will assign All Authenticated Users a limited set of privileges, whereas users in my admin group will have permissions to create/delete/update.

    Thanks,
    Sohan

    #2432
     Peter Major
    Moderator

    It is always a bad idea to assign privileges to All Authenticated Users, if it’s possible don’t do it.

    #2433
     sohanb
    Participant

    I agree, but there are cases where some of our users will be able to see only user or group names, not able to modify them.

    A read-only kind of permission won’t hamper anything, I guess.

    Thanks,
    Sohan

    #2434
     Peter Major
    Moderator

    I still wouldn’t recommend doing it. But anyways, I don’t see how your original question about group membership assignment relates to assigning read-only privileges to all authenticated users..

    #2435
     sohanb
    Participant

    I had an idea to create a group from the OpenAM console and assign some limited set of privileges to it.
    Later on, when I add users to that group which has the limited set of permissions, they would also get similar privileges. But as the association is not happening properly via the add group REST call to OpenAM, users can’t have those privileges.
    So now All Authenticated Users will have just retrieve permissions, whereas I have my own admin group which has more privileges.

    So only users in my admin group will have the full set of permissions, while the rest of the authenticated users will have read-only kind of permissions.

    Thanks,
    Sohan

    #2442
     Peter Major
    Moderator

    At best this should be a temporary solution really. You should sort out the group assignment problem (one way or another), and then users who are members of the privileged group should be able to perform their privileged tasks just fine without providing extra access to every single logged in user.

    #2446
     sohanb
    Participant

    Would it be possible to update my OpenDJ schema to change the read-only attribute to read/write?
    I am searching for a similar operation on the LDAP schema.
    I want to update the isMemberOf attribute with write permission too.
    Can you help me on this ?

    Thanks,
    Sohan

    #2447
     Peter Major
    Moderator

    That is NOT how you should resolve this problem. Again, isMemberOf is a virtual attribute, its value is calculated based on group membership information stored all across the directory (static/dynamic/etc group memberships). For example if you modify the isMemberOf attribute to point to a dynamic group how should DJ really make sure that the user really fulfills the dynamic group’s memberUrl?
    To add a user to a static group, you’ll need to modify the group entry and add the user’s DN to the member or uniqueMember attribute.
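The two answers above (#2425 and #2447) describe the same procedure: read the static group, append the user's full DN to its uniqueMember (or member) values without dropping the members already there, PUT the group back, and then check the user's virtual isMemberOf rather than trying to write it. The script below is an added example written for this thread; it is not code from the original posts or from ForgeRock. It assumes the OpenAM 11/12 CREST shape /json/groups/<name>, an SSO token passed in the iPlanetDirectoryPro header, an "If-Match: *" header on the PUT, and lowercase JSON attribute names ("uniquemember", "ismemberof") as returned by the users/groups endpoints. All of those are assumptions to verify against your deployment; the sample group and user documents are constructed here for the offline part.

```python
import json
import urllib.request

# Constructed sample of what GET /json/groups/my_admin_group might return.
# (Assumed attribute name "uniquemember"; real responses carry more fields.)
SAMPLE_GROUP = {
    "username": "my_admin_group",
    "uniquemember": [
        "uid=alice,ou=people,dc=example,dc=com",
        "uid=bob,ou=people,dc=example,dc=com",
    ],
}

# Constructed sample of GET /json/users/jhon after the membership change.
# isMemberOf is virtual: OpenDJ computes it from the group entries.
SAMPLE_USER = {
    "username": "jhon",
    "ismemberof": ["cn=my_admin_group,ou=groups,dc=example,dc=com"],
}


def _norm_dn(dn):
    """Normalise a DN for comparison only: LDAP DNs are case-insensitive and
    tolerate whitespace around the RDN separators, so "UID=Alice, ou=People,..."
    must match "uid=alice,ou=people,...". The value we store is left untouched."""
    return ",".join(part.strip() for part in dn.lower().split(","))


def merge_member(group, user_dn, attr="uniquemember"):
    """Return the full member list to send in the PUT: the existing members
    plus user_dn. Sending only the new DN would replace the attribute and
    silently remove every other member (Peter's caveat in #2425)."""
    current = group.get(attr, [])
    if isinstance(current, str):          # single-valued in some responses
        current = [current]
    members = list(current)
    if _norm_dn(user_dn) not in {_norm_dn(m) for m in members}:
        members.append(user_dn)
    return members


def build_put_payload(group, user_dn, attr="uniquemember"):
    """Body for PUT /json/groups/<name>: just the attribute being changed."""
    return {attr: merge_member(group, user_dn, attr)}


def is_member(user, group_dn, attr="ismemberof"):
    """Check membership by reading the virtual attribute instead of writing it."""
    values = user.get(attr, [])
    if isinstance(values, str):
        values = [values]
    return _norm_dn(group_dn) in {_norm_dn(v) for v in values}


def add_user_to_group(base_url, sso_token, group_name, user_dn):
    """Read-merge-write against OpenAM (assumed endpoint and header names).
    Needs a live server; not exercised offline."""
    url = f"{base_url}/json/groups/{group_name}"
    headers = {
        "iPlanetDirectoryPro": sso_token,      # assumed SSO token header
        "Accept": "application/json",
        "Content-Type": "application/json",
    }
    with urllib.request.urlopen(urllib.request.Request(url, headers=headers)) as r:
        group = json.load(r)
    body = json.dumps(build_put_payload(group, user_dn)).encode()
    put = urllib.request.Request(
        url, data=body, method="PUT",
        headers={**headers, "If-Match": "*"},   # assumed: update existing resource
    )
    with urllib.request.urlopen(put) as r:
        return json.load(r)


if __name__ == "__main__":
    print(json.dumps(build_put_payload(SAMPLE_GROUP,
                                       "uid=jhon,ou=people,dc=example,dc=com")))
    print(is_member(SAMPLE_USER, "cn=my_admin_group,ou=groups,dc=example,dc=com"))
```

If you go the OpenDJ route instead of OpenAM's REST layer, the same change is an LDAP modify on the group entry with "changetype: modify" / "add: uniqueMember", which appends a value and therefore does not require re-sending the existing members; that is why the answers above steer you towards the directory's own tooling for membership changes.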

©2020 ForgeRock