Securing FlexDeploy using LDAP server

FlexDeploy has supported Active Directory and other LDAP servers for user authentication for some time. FlexDeploy 3.1 adds the ability to map external directory server groups to FlexDeploy groups, which makes managing FlexDeploy users in your environment much easier: authentication and group membership are handled by the directory, while the finer-grained permissions of each FlexDeploy group on objects and projects are still configured in the FlexDeploy UI. The process is simple, and I will demonstrate it using the WebLogic Embedded LDAP server, but it works the same way with Active Directory and other LDAP servers.

Let’s first look at two FlexDeploy groups. “FD Administrators” is the administrator group and has access to all FlexDeploy functionality. It is a seeded group, but you can create other administrative groups as well if desired.

[Screenshot: FD Administrators permissions]

“FD Operators” is a group I created in my installation to support users from the Operations team. They should be able to approve tasks associated with deployment requests, and in addition they can control approval and scheduling requirements.

[Screenshot: FD Operators permissions]

Now let’s add a Realm for the users defined in the WebLogic Embedded LDAP server.

See the image below for how this realm is configured in FlexDeploy. Refer to the linked instructions for enabling connectivity to WebLogic Embedded LDAP.

[Screenshot: Realm configuration]

To set up group mapping, select the Group Mapping tab. Select a group in External Groups and shuttle the desired FlexDeploy groups to Mapped FlexDeploy Groups. In the image below I have mapped Administrators to FD Administrators and Operators to FD Operators.

[Screenshot: Group Mapping]

Realm configuration changes require a recycle of the FlexDeploy server process. Once the realm is operational, you can continue to change Group Mapping information without any recycles.

Let’s look at our test users. fdoperator1 is a user defined in WebLogic Embedded LDAP, and it is a member of the Operators group, which is also defined in WebLogic Embedded LDAP.

[Screenshot: fdoperator1 user]

When you log in for the first time with a user defined in an external realm, you will be prompted for details such as first and last name, email address and notification preferences. At this point fdoperator1 has only one group, Operators, in WebLogic Embedded LDAP. At login time FlexDeploy takes the Operators group, finds the mapped FlexDeploy group “FD Operators”, and hence fdoperator1 sees only the corresponding parts of the UI. See below.

[Screenshot: operator view]

You can have more than one realm in FlexDeploy, and there is always an internal realm backed by the FlexDeploy database. fdadmin is a user defined in the internal realm and assigned to the “FD Administrators” group, so fdadmin sees all features in the FlexDeploy UI. See below.

[Screenshot: administrator view]

When more than one realm is defined in FlexDeploy, the first successful authentication wins, and groups are derived from that realm if Group Mapping is enabled on it. This means a user name that exists in more than one realm is authenticated by whichever realm accepts the supplied credentials first, so an account that is disabled in the directory but still present in another realm can still log in; disable stale accounts in every realm, not just one. Groups assigned in the FlexDeploy internal realm are always applied, so if you want to give additional groups to a user defined in an external realm, you can do that on the FlexDeploy Users screen.

FlexDeploy 3.1 uses the memberOf virtual attribute to derive a user’s groups. Microsoft Active Directory and Oracle Internet Directory can also be used for group mappings as described in this post, since both support the memberOf attribute. One caveat for Active Directory: memberOf holds only direct memberships and omits the primary group, so a user who is in a mapped group only through a nested group, or only as their primary group, will not receive the mapped FlexDeploy group.
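To make the resolution rules above concrete (memberOf value to external group name, external group to mapped FlexDeploy groups, first realm to authenticate wins, Users-screen assignments always added), here is a small model of that logic. This is an added example and not FlexDeploy’s own code; the realm names, DNs, user names, passwords and the extra “FD Developers” group are all constructed sample data, and the DN layout under ou=groups,ou=myrealm is an assumption about the embedded LDAP tree.

```python
"""Illustrative model of realm authentication and group mapping.

Added example, not FlexDeploy's code: it re-implements the rules the post
describes so the edge cases (unmapped group, same user name in two realms,
wrong password) can be exercised. All realms, DNs, users and passwords are
constructed sample data.
"""
import hmac
from dataclasses import dataclass
from typing import Optional


def group_cn_from_dn(dn: str) -> str:
    """Extract the group name from a memberOf value, e.g.
    'cn=Operators,ou=groups,ou=myrealm,dc=base_domain' -> 'Operators'.
    LDAP attribute types are case-insensitive, so 'CN=' is accepted too."""
    attr, sep, value = dn.split(",", 1)[0].partition("=")
    if not sep or attr.strip().lower() != "cn":
        raise ValueError(f"memberOf value is not a cn= DN: {dn!r}")
    return value.strip()


@dataclass
class Realm:
    name: str
    # username -> (password, group identifiers). For an LDAP realm the
    # identifiers are memberOf DNs; for the internal realm they are
    # FlexDeploy group names already.
    users: dict
    # Group Mapping tab: external group CN -> FlexDeploy groups.
    # None marks the internal realm, which needs no mapping.
    group_mapping: Optional[dict] = None

    def authenticate(self, username: str, password: str) -> Optional[list]:
        """Return the user's group identifiers on success, None otherwise."""
        record = self.users.get(username)
        if record is None:
            return None
        stored, groups = record
        if not hmac.compare_digest(stored.encode(), password.encode()):
            return None
        return list(groups)

    def flexdeploy_groups(self, identifiers: list) -> set:
        """Apply the realm's Group Mapping to the identifiers."""
        if self.group_mapping is None:
            return set(identifiers)
        mapped = set()
        for dn in identifiers:
            # An unmapped external group contributes nothing: the user can
            # log in but holds no FlexDeploy permissions (fails closed).
            mapped |= self.group_mapping.get(group_cn_from_dn(dn), set())
        return mapped


def resolve_groups(realms, users_screen_assignments, username, password):
    """First realm that accepts the credentials wins. Its mapped groups are
    unioned with groups assigned on the FlexDeploy Users screen, which apply
    regardless of realm. Returns (realm name, frozenset of groups) or None."""
    for realm in realms:
        identifiers = realm.authenticate(username, password)
        if identifiers is None:
            continue
        groups = realm.flexdeploy_groups(identifiers)
        groups |= users_screen_assignments.get(username, set())
        return realm.name, frozenset(groups)
    return None


# --- constructed sample data -------------------------------------------------
BASE = "ou=groups,ou=myrealm,dc=base_domain"  # assumed embedded LDAP layout
INTERNAL = Realm("FlexDeployInternal", users={
    "fdadmin": ("int-admin-pw", ["FD Administrators"]),
    "auditor": ("int-auditor-pw", ["FD Operators"]),  # same name exists in LDAP
})
WLS_LDAP = Realm("WebLogicEmbeddedLDAP", users={
    "fdoperator1": ("op-pw", [f"cn=Operators,{BASE}"]),
    "contractor1": ("ctr-pw", [f"cn=Contractors,{BASE}"]),  # no mapping exists
    "auditor": ("ldap-auditor-pw", [f"cn=Administrators,{BASE}"]),
}, group_mapping={
    "Administrators": {"FD Administrators"},
    "Operators": {"FD Operators"},
})
REALMS = [INTERNAL, WLS_LDAP]
# Extra group given to an external user on the Users screen (name constructed)
USERS_SCREEN = {"fdoperator1": {"FD Developers"}}

if __name__ == "__main__":
    for user, pw in [("fdoperator1", "op-pw"), ("fdadmin", "int-admin-pw"),
                     ("contractor1", "ctr-pw"), ("auditor", "int-auditor-pw"),
                     ("auditor", "ldap-auditor-pw"), ("fdoperator1", "wrong")]:
        print(f"{user:12s} -> {resolve_groups(REALMS, USERS_SCREEN, user, pw)}")
```

The auditor case is the one worth noticing: with the same user name in both realms, either password is accepted and the resulting groups depend on which realm matched, so an account you believe is disabled in the directory may still authenticate against the internal realm. The contractor1 case shows the fail-closed side: a directory group that is not mapped yields a successful login with no FlexDeploy groups at all.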
