To start with, I would like to mention that this post is related to the following post:
For LDAP authentication to be working, I gave the following entries in distributed.properties file:
Also, I gave the following in the applicationContext-acegi-security.xml file:
The above piece of code is not working as expected - that is, all the users registered in the LDAP are able to log in to the CA Release Automation web application irrespective of whether the user is part of the aforementioned "cara-users" group or not. (It means that the above mentioned entry memberOf=cn=cara-users,ou=groups,ou=devops,o=techmahindra is not taking effect.) I would like to change the settings such that only members of the "cara-users" group are able to log in to the CA Release Automation web application.
Not sure how to do that even after trying out various options. Your inputs are really appreciated.
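As an added illustration of the behaviour the question asks for (not part of the original post, and not CA Release Automation's own code or configuration): the login check below only succeeds when the user entry exists and lists the required group in memberOf. The group DN is the one quoted in the question; the uid attribute name, the people subtree and the directory entries are constructed assumptions. The search filter builder applies RFC 4515 escaping to the supplied username so that user input cannot alter the filter and slip past the memberOf constraint.

```python
# Constructed example: group-restricted login check in the style of an
# LDAP "(&(uid=...)(memberOf=...))" filter. Not product code.

# Group DN taken from the question; the login must be restricted to its members.
REQUIRED_GROUP_DN = "cn=cara-users,ou=groups,ou=devops,o=techmahindra"

# Assumed user attribute; OpenLDAP deployments commonly key users on uid.
UID_ATTR = "uid"


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for values placed inside an LDAP search filter."""
    out = []
    for ch in value:
        if ch in ("\\", "*", "(", ")", "\x00"):
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def build_login_filter(username: str, group_dn: str = REQUIRED_GROUP_DN) -> str:
    """Filter that matches a user entry only if it also carries the group in memberOf."""
    return "(&(%s=%s)(memberOf=%s))" % (
        UID_ATTR,
        escape_filter_value(username),
        escape_filter_value(group_dn),
    )


def normalize_dn(dn: str) -> str:
    """Simplified DN normalisation: DN comparison ignores case of attribute
    types and cn values, and whitespace after the separating commas."""
    return ",".join(part.strip().lower() for part in dn.split(","))


# Constructed in-memory directory standing in for the OpenLDAP server.
DIRECTORY = {
    "uid=alice,ou=people,o=techmahindra": {
        "uid": "alice",
        "memberOf": ["CN=cara-users, OU=groups, OU=devops, O=techmahindra"],
    },
    "uid=bob,ou=people,o=techmahindra": {
        "uid": "bob",
        "memberOf": ["cn=other-team,ou=groups,ou=devops,o=techmahindra"],
    },
}


def is_login_allowed(username: str, group_dn: str = REQUIRED_GROUP_DN) -> bool:
    """Return True only when the user exists AND is a member of the required group.
    An existing user outside the group is rejected, which is the behaviour the
    question wants and is not getting."""
    wanted = normalize_dn(group_dn)
    for entry in DIRECTORY.values():
        if entry["uid"] == username:
            return any(normalize_dn(g) == wanted for g in entry["memberOf"])
    return False


if __name__ == "__main__":
    print(build_login_filter("alice"))
    for user in ("alice", "bob", "carol"):
        print(user, "allowed" if is_login_allowed(user) else "denied")
```

Two points the check makes visible: membership must be evaluated against the group DN with DN matching rules (case and spacing differences in the stored memberOf value are common reasons a literal string comparison silently never matches), and a user who authenticates but is not in the group must still be denied.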
I'll look into this further, but in the meantime, just to verify, I assume you're using something other than Active Directory for LDAP, hence usage of the use.general.ldap settings. Is that correct?
In addition to what James pointed out (that the config settings you are using are only for non-Active Directory LDAP), I thought I would mention the following:
1. The integration is only for authorizing users when logging into the system. The integration has no impact on any of the imports (users and/or groups). That is handled purely by the connection details they specify during the import. After users are imported, the AD/LDAP integration is not needed for those users to login. After groups are imported, the AD/LDAP integration IS REQUIRED for users to login. The integration is used to validate that the user trying to login is a member of that LDAP/AD group.
2. Shortly after starting the nolio management service you can confirm that the ldap integration is setup correctly (or not) by searching the nolio_dm_all.log for "system user".
3. I've only seen one case where updating the other file (where you put the ca-users group) is necessary. Usually all you need to do is configure the settings in the distributed.properties file and then login with a user that was added via the import ldap group feature (via asap user administration ui).
In addition, I would like to mention the following:
Your reply is really helpful. However, my question still remains unanswered. Appreciate if you could elaborate (regarding your point number 3) on the scenario where update of the applicationContext-acegi-security.xml file was done. That is where I am facing some issues now.
Honestly, the details of when changing that .xml file was necessary are unclear to me. The only solid detail I know for sure is that it was when they were using a non-Active Directory LDAP. Can you confirm the type of LDAP server you are using?
One note regarding your bullet point:
Note: After the ldap integration, the web and asap can use ldap authentication. But it is purely based on the "Groups" (not users) imported via Automation Studio.
The LDAP server that I am using is OpenLDAP.