XACML Policy Locator using LDAP


Availability

Starting v2.0.5.final

What is an XACML Policy Locator?


During decision making, the Policy Decision Point (PDP) will utilize one or more configured policy/policyset locators to obtain policies/policy sets required for making the access control decision.


NOTE: A Locator is a concept specific to the JBoss XACML implementation.


LDAP Policy Locators


Even though it means storing a base64 encoded version of the XML policy content in LDAP attributes, many users need a central LDAP server shared by all their PDPs. In those situations, you may require the LDAP policy locator.


As an alternative, you can keep fixed policies on the file system where the PDP runs and keep only the missing attributes in LDAP. See XACML Attribute Locators using LDAP.


Configuration


The following options are configurable:

  • url - The LDAP server URL to connect to
  • factory - The JNDI initial context factory, which is JDK specific, such as "com.sun.jndi.ldap.LdapCtxFactory"
  • username - The username used to connect to the LDAP server. This user must have search privileges
  • password - The password of the user used to connect to the LDAP server
  • filter - The search filter used to find the entries that hold a policy
  • attribute - The name of the entry attribute containing the XACML policy in XML format
  • searchScope - Scope of the search for entries. Default is SUBTREE
  • searchTimeLimit - Search time limit in milliseconds. Default is 10000 (10 seconds)


The password value can be masked using PBE. To create a masked password, invoke:


org.jboss.security.xacml.util.PBEUtils salt iterationCount password


When using a masked password, also add the following options:


  • salt - the 8 character String used as the salt
  • iterationCount - the iteration count, an integer


Those options must have the same values that were used for encryption.

Example


<ns:jbosspdp xmlns:ns="urn:jboss:xacml:2.0">
  <ns:Locators>
    <ns:Locator Name="org.jboss.security.xacml.locators.policy.JBossLDAPPolicyLocator">
        <ns:Option Name="url">ldap://localhost:10389</ns:Option>
        <ns:Option Name="username">cn=Directory Manager</ns:Option>
        <ns:Option Name="password">password</ns:Option>
        <ns:Option Name="filter">(objectclass=organizationalRole)</ns:Option>
        <ns:Option Name="attribute">description</ns:Option>
        <ns:Option Name="baseDN">dc=jboss,dc=org</ns:Option>
    </ns:Locator>
  </ns:Locators>
</ns:jbosspdp>

In the above configuration file, apart from the standard LDAP url, username and password, note the following:

  • filter: (objectclass=organizationalRole) selects the LDAP entries of that object class as the candidate policy holders.
  • attribute: description is the LDAP attribute in which the policy XML is stored as a base64 encoded stream.
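As an added illustration (not code from the JBoss XACML project), the following Python sketch mimics what the locator does with the filter and attribute settings above once the search has run: it base64-decodes the configured attribute of every matching entry and keeps only values that really are XACML 2.0 Policy or PolicySet documents. The search results, the policy and all names are constructed for the example; the XACML namespace is the real 2.0 policy schema namespace.

```python
import base64
import xml.etree.ElementTree as ET

# XACML 2.0 policy schema namespace, the policy language this locator loads.
XACML_NS = "urn:oasis:names:tc:xacml:2.0:policy:schema:os"

# Constructed sample policy; the directory holds it base64 encoded.
SAMPLE_POLICY = (
    '<Policy xmlns="%s" PolicyId="urn:example:policy:1" RuleCombiningAlgId='
    '"urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">'
    '<Target/><Rule RuleId="deny-all" Effect="Deny"/></Policy>' % XACML_NS
)

# Constructed stand-in for what the search with filter
# (objectclass=organizationalRole) under baseDN dc=jboss,dc=org returns.
SEARCH_RESULTS = [
    {"dn": "cn=policy1,dc=jboss,dc=org",
     "description": [base64.b64encode(SAMPLE_POLICY.encode()).decode()]},
    {"dn": "cn=helpdesk,dc=jboss,dc=org",
     "description": ["Help desk role - not a policy"]},
    {"dn": "cn=nopolicy,dc=jboss,dc=org"},
]

def decode_policy_attribute(value):
    """Return the XML root for one attribute value, or None unless the value
    is valid base64 whose content is an XACML 2.0 Policy or PolicySet."""
    try:
        root = ET.fromstring(base64.b64decode(value, validate=True))
    except (ValueError, ET.ParseError):  # binascii.Error is a ValueError
        return None
    if root.tag not in ("{%s}Policy" % XACML_NS, "{%s}PolicySet" % XACML_NS):
        return None
    return root

def load_policies(entries, attribute="description"):
    """Keep only entries whose configured attribute holds a real policy.
    Returns ({PolicyId or PolicySetId: dn}, [dn of rejected values]) so that
    rejected entries can be logged instead of silently ignored."""
    policies, rejected = {}, []
    for entry in entries:
        for value in entry.get(attribute, []):
            root = decode_policy_attribute(value)
            if root is None:
                rejected.append(entry["dn"])
                continue
            # Every entry matching filter/baseDN with this attribute becomes an
            # authorization policy, so write access to it must be restricted.
            pid = root.get("PolicyId") or root.get("PolicySetId")
            policies[pid] = entry["dn"]
    return policies, rejected
```

In a deployment the same check explains why the filter and baseDN should be as narrow as possible: anyone who can write the configured attribute on a matching entry is effectively editing the PDP's policy set.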


Acknowledgements

Marcus Moyses for implementing this feature.