
AMBARI-2622. ldap users cannot be elevated to be Ambari admin (Myroslav via mahadev)

Mahadev Konar 12 tahun lalu
5bf2ec5878

+ 10 - 0
ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java

@@ -649,6 +649,7 @@ public class Configuration {
         (LDAP_BASE_DN_KEY, LDAP_BASE_DN_DEFAULT));
     ldapServerProperties.setUsernameAttribute(properties.
         getProperty(LDAP_USERNAME_ATTRIBUTE_KEY, LDAP_USERNAME_ATTRIBUTE_DEFAULT));
+
     ldapServerProperties.setGroupBase(properties.
         getProperty(LDAP_GROUP_BASE_KEY, LDAP_GROUP_BASE_DEFAULT));
     ldapServerProperties.setGroupObjectClass(properties.
@@ -662,6 +663,15 @@ public class Configuration {
     ldapServerProperties.setGroupSearchFilter(properties.getProperty(
         LDAP_GROUP_SEARCH_FILTER_KEY, LDAP_GROUP_SEARCH_FILTER_DEFAULT));
 
+    if (properties.containsKey(LDAP_GROUP_BASE_KEY) ||
+        properties.containsKey(LDAP_GROUP_OBJECT_CLASS_KEY) ||
+        properties.containsKey(LDAP_GROUP_MEMEBERSHIP_ATTR_KEY) ||
+        properties.containsKey(LDAP_GROUP_NAMING_ATTR_KEY) ||
+        properties.containsKey(LDAP_ADMIN_GROUP_MAPPING_RULES_KEY) ||
+        properties.containsKey(LDAP_GROUP_SEARCH_FILTER_KEY)) {
+      ldapServerProperties.setGroupMappingEnabled(true);
+    }
+
     return ldapServerProperties;
   }
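Review bot: The six containsKey tests that switch on group mapping only check that a key is present, not that it has a value, so a group entry left blank in the properties file enables mapping and, through the populator's removeRole path elsewhere in this commit, starts revoking the admin role of LDAP users on every login. Testing the value instead, e.g. `String v = properties.getProperty(LDAP_GROUP_BASE_KEY); if (v != null && !v.trim().isEmpty())` per key, or at least an info log naming which key enabled mapping, would make that switch deliberate and visible in the server log. The method these hunks belong to starts before the first hunk.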
 

+ 39 - 25
ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariLdapAuthoritiesPopulator.java

@@ -19,6 +19,7 @@ package org.apache.ambari.server.security.authorization;
 
 import com.google.inject.Inject;
 import com.google.inject.persist.Transactional;
+import org.apache.ambari.server.AmbariException;
 import org.apache.ambari.server.configuration.Configuration;
 import org.apache.ambari.server.orm.dao.RoleDAO;
 import org.apache.ambari.server.orm.dao.UserDAO;
@@ -55,45 +56,56 @@ public class AmbariLdapAuthoritiesPopulator implements LdapAuthoritiesPopulator
   }
 
   @Override
-  @Transactional
   public Collection<? extends GrantedAuthority> getGrantedAuthorities(DirContextOperations userData, String username) {
     log.info("Get roles for user " + username + " from local DB");
 
-    UserEntity user = null;
+    UserEntity user;
 
     user = userDAO.findLdapUserByName(username);
 
     if (user == null) {
       log.info("User " + username + " not present in local DB - creating");
 
-      UserEntity newUser = new UserEntity();
-      newUser.setLdapUser(true);
-      newUser.setUserName(username);
-
-      //Adding a default "user" role
-      addRole(newUser, configuration.getConfigsMap().
-          get(Configuration.USER_ROLE_NAME_KEY));
+      createLdapUser(username);
+      user = userDAO.findLdapUserByName(username);
     }
 
-    user = userDAO.findLdapUserByName(username);
-
-    //Adding an "admin" user role if user is a member of ambari administrators
-    // LDAP group
-    Boolean isAdmin =
-        (Boolean) userData.getObjectAttribute(AMBARI_ADMIN_LDAP_ATTRIBUTE_KEY);
-    if ((isAdmin != null) && isAdmin) {
-      log.info("Adding admin role to LDAP user " + username);
-      addRole(user, configuration.getConfigsMap().
-          get(Configuration.ADMIN_ROLE_NAME_KEY));
-    } else {
-      removeRole(user, configuration.getConfigsMap().
-          get(Configuration.ADMIN_ROLE_NAME_KEY));
+    //don't remove admin role from user if group mapping was not configured
+    if (configuration.getLdapServerProperties().isGroupMappingEnabled()) {
+      //Adding an "admin" user role if user is a member of ambari administrators
+      // LDAP group
+      Boolean isAdmin =
+          (Boolean) userData.getObjectAttribute(AMBARI_ADMIN_LDAP_ATTRIBUTE_KEY);
+      if ((isAdmin != null) && isAdmin) {
+        log.info("Adding admin role to LDAP user " + username);
+        addRole(user, configuration.getConfigsMap().
+            get(Configuration.ADMIN_ROLE_NAME_KEY));
+      } else {
+        removeRole(user, configuration.getConfigsMap().
+            get(Configuration.ADMIN_ROLE_NAME_KEY));
+      }
     }
 
-    user = userDAO.findLdapUserByName(username);
     return authorizationHelper.convertRolesToAuthorities(user.getRoleEntities());
   }
 
+  /**
+   * Creates record in local DB for LDAP user
+   * @param username - name of user to create
+   */
+  @Transactional
+  void createLdapUser(String username) {
+    UserEntity newUser = new UserEntity();
+    newUser.setLdapUser(true);
+    newUser.setUserName(username);
+
+    userDAO.create(newUser);
+
+    //Adding a default "user" role
+    addRole(newUser, configuration.getConfigsMap().
+        get(Configuration.USER_ROLE_NAME_KEY));
+  }
+
   /**
    * Adds role to user's role entities
    * Adds user to roleName's user entities
@@ -101,7 +113,8 @@ public class AmbariLdapAuthoritiesPopulator implements LdapAuthoritiesPopulator
    * @param user - the user entity to be modified
    * @param roleName - the role to add to user's roleEntities
    */
-  private void addRole(UserEntity user, String roleName) {
+  @Transactional
+  void addRole(UserEntity user, String roleName) {
     log.info("Using default role name " + roleName);
 
     RoleEntity roleEntity = roleDAO.findByName(roleName);
@@ -133,7 +146,8 @@ public class AmbariLdapAuthoritiesPopulator implements LdapAuthoritiesPopulator
    * @param user
    * @param roleName
    */
-  private void removeRole(UserEntity user, String roleName) {
+  @Transactional
+  void removeRole(UserEntity user, String roleName) {
     UserEntity userEntity = userDAO.findByPK(user.getUserId());
     RoleEntity roleEntity = roleDAO.findByName(roleName);
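Review bot: The re-read of the user that the old code performed after addRole/removeRole and before the return was dropped, so the authorities are now built from the `user` instance fetched at the top of getGrantedAuthorities while removeRole operates on a separate `userDAO.findByPK` lookup; unless both resolve to the same managed instance, an admin demotion computed on this login may not appear in the returned authorities until the next one. Restoring `user = userDAO.findLdapUserByName(username);` before `return authorizationHelper.convertRolesToAuthorities(...)` closes that window. The refetch after createLdapUser can also return null if the new transaction has not been flushed when the outer, now non-transactional, method reads again, and `user.getRoleEntities()` would then throw NullPointerException; `if (user == null) throw new IllegalStateException("LDAP user " + username + " was not persisted");` makes that failure explicit. The added `AmbariException` import is not used in any visible hunk. The bodies of addRole and removeRole continue outside the hunks.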
 

+ 2 - 4
ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AuthorizationHelper.java

@@ -25,9 +25,7 @@ import org.springframework.security.core.authority.SimpleGrantedAuthority;
 import org.springframework.security.core.context.SecurityContext;
 import org.springframework.security.core.context.SecurityContextHolder;
 
-import java.util.ArrayList;
-import java.util.Collection;
-import java.util.List;
+import java.util.*;
 
 @Singleton
 /**
@@ -39,7 +37,7 @@ public class AuthorizationHelper {
    * Converts collection of RoleEntities to collection of GrantedAuthorities
    */
   public Collection<GrantedAuthority> convertRolesToAuthorities(Collection<RoleEntity> roleEntities) {
-    List<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>(roleEntities.size());
+    Set<GrantedAuthority> authorities = new HashSet<GrantedAuthority>(roleEntities.size());
 
     for (RoleEntity roleEntity : roleEntities) {
       authorities.add(new SimpleGrantedAuthority(roleEntity.getRoleName().toUpperCase()));
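Review bot: The three explicit imports were collapsed into `import java.util.*;`, a wildcard the rest of this commit (e.g. the new test file) avoids; keep them explicit as `import java.util.Collection;`, `import java.util.HashSet;`, `import java.util.Set;`. Replacing the ArrayList with a HashSet also changes what callers get back: duplicate role names now collapse into one authority and iteration order is unspecified, which the method's Javadoc should state (`Duplicate role names yield a single authority; the result has no defined order.`). The loop continues outside the hunk.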

+ 10 - 1
ambari-server/src/main/java/org/apache/ambari/server/security/authorization/LdapServerProperties.java

@@ -44,8 +44,9 @@ public class LdapServerProperties {
   private String groupMembershipAttr;
   private String groupNamingAttr;
   private String adminGroupMappingRules;
-  private String groupSearchFilter;
+  private boolean groupMappingEnabled;
 
+  private String groupSearchFilter;
   private static final String userSearchFilter = "({attribute}={0})";
 
   public List<String> getLdapUrls() {
@@ -187,6 +188,14 @@ public class LdapServerProperties {
     this.groupSearchFilter = groupSearchFilter;
   }
 
+  public boolean isGroupMappingEnabled() {
+    return groupMappingEnabled;
+  }
+
+  public void setGroupMappingEnabled(boolean groupMappingEnabled) {
+    this.groupMappingEnabled = groupMappingEnabled;
+  }
+
   @Override
   public boolean equals(Object obj) {
     if (this == obj) return true;
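Review bot: `groupMappingEnabled` is a new field on a class that overrides equals (its body lies outside the hunk); unless equals and hashCode were updated there too, two LdapServerProperties differing only in this flag compare equal, which is worth checking since the flag now decides whether admin roles are synced from LDAP. The getter deserves Javadoc because it gates authorization behaviour in other files of this commit, e.g. `/** True when any LDAP group property is configured; the admin role of LDAP users is then derived from LDAP group membership on each login and cannot be edited locally. */`. The `groupSearchFilter` declaration was moved below the new field for no visible reason; keeping field order stable makes the change easier to audit.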

+ 8 - 4
ambari-server/src/main/java/org/apache/ambari/server/security/authorization/Users.java

@@ -205,10 +205,12 @@ public class Users {
   public synchronized void addRoleToUser(User user, String role)
       throws AmbariException {
 
-    if (userDAO.findLdapUserByName(user.getUserName()) != null) {
+    if (configuration.getLdapServerProperties().isGroupMappingEnabled() &&
+        userDAO.findLdapUserByName(user.getUserName()) != null) {
       LOG.warn("Trying to add a role to the LDAP user"
           + ", user=" + user.getUserName());
-      throw new AmbariException("Roles are not editable for LDAP users");
+      throw new AmbariException("Ldap group mapping is enabled, " +
+          "roles for LDAP users should be managed on LDAP server");
     }
 
     UserEntity userEntity = userDAO.findByPK(user.getUserId());
@@ -239,10 +241,12 @@ public class Users {
   public synchronized void removeRoleFromUser(User user, String role)
       throws AmbariException {
 
-    if (userDAO.findLdapUserByName(user.getUserName()) != null) {
+    if (configuration.getLdapServerProperties().isGroupMappingEnabled() &&
+        userDAO.findLdapUserByName(user.getUserName()) != null) {
       LOG.warn("Trying to add a role to the LDAP user"
           + ", user=" + user.getUserName());
-      throw new AmbariException("Roles are not editable for LDAP users");
+      throw new AmbariException("Ldap group mapping is enabled, " +
+          "roles for LDAP users should be managed on LDAP server");
     }
 
     UserEntity userEntity = userDAO.findByPK(user.getUserId());
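Review bot: The warning in removeRoleFromUser, directly after the rewritten condition in the second hunk, still reads "Trying to add a role to the LDAP user", a copy of the addRoleToUser message; since the surrounding lines are being rewritten it should become `LOG.warn("Trying to remove a role from the LDAP user" + ", user=" + user.getUserName());`. Both warnings would be more useful for an audit trail if they also carried `+ ", role=" + role`, which is in scope in both methods. With mapping disabled the guard is skipped entirely, which is the intended effect of the commit; the remainder of both methods lies outside the hunks.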

+ 7 - 1
ambari-server/src/test/java/org/apache/ambari/server/orm/InMemoryDefaultTestModule.java

@@ -25,9 +25,11 @@ import org.apache.ambari.server.controller.ControllerModule;
 import java.util.Properties;
 
 public class InMemoryDefaultTestModule extends AbstractModule {
+  Properties properties = new Properties();
+
+
   @Override
   protected void configure() {
-    Properties properties = new Properties();
     properties.setProperty(Configuration.SERVER_PERSISTENCE_TYPE_KEY, "in-memory");
 //    properties.setProperty(Configuration.SERVER_PERSISTENCE_TYPE_KEY, "local");
     properties.setProperty(Configuration.METADETA_DIR_PATH,
@@ -42,4 +44,8 @@ public class InMemoryDefaultTestModule extends AbstractModule {
       throw new RuntimeException(e);
     }
   }
+
+  public Properties getProperties() {
+    return properties;
+  }
 }
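Review bot: `getProperties()` returns the live Properties object that configure() fills, and TestUsers in this commit relies on mutating it after the injector has been built; that contract is invisible here, so document it on the field: `/** Live configuration; tests may mutate it after injector creation to toggle settings (see TestUsers). */`. Making the field `private final Properties properties = new Properties();` keeps the getter as the only way to reach it.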

+ 2 - 0
ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AuthorizationTestModule.java

@@ -38,6 +38,8 @@ public class AuthorizationTestModule extends AbstractModule {
         "target/version");
     properties.setProperty(Configuration.OS_VERSION_KEY,
         "centos5");
+    //make ambari detect active configuration
+    properties.setProperty(Configuration.LDAP_GROUP_BASE_KEY, "ou=groups,dc=ambari,dc=apache,dc=org");
 
     try {
       install(new ControllerModule(properties));
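Review bot: The comment `//make ambari detect active configuration` does not say what is detected; the property is set so that the presence check in Configuration enables LDAP group mapping, so `//any LDAP group key turns on group mapping in Configuration.getLdapServerProperties()` tells a reader which behaviour the tests under this module exercise. The rest of configure() is outside the hunk.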

+ 265 - 0
ambari-server/src/test/java/org/apache/ambari/server/security/authorization/TestAmbariLdapAuthoritiesPopulator.java

@@ -0,0 +1,265 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.ambari.server.security.authorization;
+
+import org.apache.ambari.server.configuration.Configuration;
+import org.apache.ambari.server.orm.dao.RoleDAO;
+import org.apache.ambari.server.orm.dao.UserDAO;
+import org.apache.ambari.server.orm.entities.RoleEntity;
+import org.apache.ambari.server.orm.entities.UserEntity;
+import org.easymock.Capture;
+import org.easymock.EasyMockSupport;
+import org.junit.Before;
+import org.junit.Test;
+import org.springframework.ldap.core.DirContextOperations;
+
+import java.util.HashMap;
+import java.util.HashSet;
+import java.util.Map;
+import java.util.Set;
+
+import static org.easymock.EasyMock.*;
+import static org.easymock.EasyMock.createMock;
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertTrue;
+
+public class TestAmbariLdapAuthoritiesPopulator extends EasyMockSupport {
+
+  AuthorizationHelper helper = new AuthorizationHelper();
+  Configuration configuration = createMock(Configuration.class);
+  UserDAO userDAO = createMock(UserDAO.class);
+  RoleDAO roleDAO = createMock(RoleDAO.class);
+  LdapServerProperties ldapServerProperties = createMock(LdapServerProperties.class);
+  DirContextOperations userData = createMock(DirContextOperations.class);
+  UserEntity userEntity = createMock(UserEntity.class);
+
+  Set<RoleEntity> roleSetStub = new HashSet<RoleEntity>();
+  String username = "user";
+  String adminRole = "role";
+  String userRole = "userRole";
+  Map<String, String> configs = new HashMap<String, String>();
+
+  public TestAmbariLdapAuthoritiesPopulator() {
+    configs.put(Configuration.ADMIN_ROLE_NAME_KEY, adminRole);
+    configs.put(Configuration.USER_ROLE_NAME_KEY, userRole);
+
+  }
+
+  @Before
+  public void setUp() throws Exception {
+    resetAll();
+
+    expect(configuration.getConfigsMap()).andReturn(configs).anyTimes();
+  }
+
+  @Test
+  public void testGetGrantedAuthorities_mappingDisabled() throws Exception {
+    String username = "user";
+
+    AmbariLdapAuthoritiesPopulator populator = createMockBuilder(AmbariLdapAuthoritiesPopulator.class)
+        .addMockedMethod("createLdapUser")
+        .withConstructor(
+            configuration, helper, userDAO, roleDAO
+        ).createMock();
+
+
+    expect(ldapServerProperties.isGroupMappingEnabled()).andReturn(false).atLeastOnce();
+
+    expect(configuration.getLdapServerProperties()).andReturn(ldapServerProperties).atLeastOnce();
+
+    expect(userEntity.getRoleEntities()).andReturn(roleSetStub);
+
+    populator.createLdapUser(username);
+    expectLastCall();
+
+    expect(userDAO.findLdapUserByName(username)).andReturn(null).andReturn(userEntity);
+    replayAll();
+
+
+    populator.getGrantedAuthorities(userData, username);
+
+    verifyAll();
+
+  }
+
+  @Test
+  public void testGetGrantedAuthorities_mappingEnabled() throws Exception {
+
+
+    AmbariLdapAuthoritiesPopulator populator = createMockBuilder(AmbariLdapAuthoritiesPopulator.class)
+        .addMockedMethod("createLdapUser")
+        .addMockedMethod("addRole")
+        .addMockedMethod("removeRole")
+        .withConstructor(
+            configuration, helper, userDAO, roleDAO
+        ).createMock();
+
+    expect(userData.getObjectAttribute("ambari_admin")).andReturn(Boolean.TRUE).andReturn(Boolean.FALSE);
+
+    expect(ldapServerProperties.isGroupMappingEnabled()).andReturn(true).atLeastOnce();
+
+    expect(configuration.getLdapServerProperties()).andReturn(ldapServerProperties).atLeastOnce();
+
+
+
+    expect(userEntity.getRoleEntities()).andReturn(roleSetStub).times(2);
+
+    expect(userDAO.findLdapUserByName(username)).andReturn(null).andReturn(userEntity).times(2);
+
+    populator.createLdapUser(username);
+    expectLastCall();
+    populator.addRole(userEntity, adminRole);
+    expectLastCall();
+    populator.removeRole(userEntity, adminRole);
+    expectLastCall();
+
+    replayAll();
+
+    //test with admin user
+    populator.getGrantedAuthorities(userData, username);
+    //test with non-admin
+    populator.getGrantedAuthorities(userData, username);
+
+    verifyAll();
+  }
+
+  @Test
+  public void testCreateLdapUser() throws Exception {
+    AmbariLdapAuthoritiesPopulator populator = createMockBuilder(AmbariLdapAuthoritiesPopulator.class)
+        .addMockedMethod("addRole")
+        .addMockedMethod("removeRole")
+        .withConstructor(
+            configuration, helper, userDAO, roleDAO
+        ).createMock();
+
+    Capture<UserEntity> createEntity = new Capture<UserEntity>();
+    Capture<UserEntity> addRoleEntity = new Capture<UserEntity>();
+
+    userDAO.create(capture(createEntity));
+    expectLastCall();
+
+    populator.addRole(capture(addRoleEntity), eq(userRole));
+    expectLastCall();
+
+    replayAll();
+
+    populator.createLdapUser(username);
+
+    verifyAll();
+
+    UserEntity capturedCreateEntity = createEntity.getValue();
+    UserEntity capturedAddRoleEntity = addRoleEntity.getValue();
+
+    assertTrue(capturedCreateEntity.getLdapUser());
+    assertEquals(username, capturedCreateEntity.getUserName());
+
+    assertEquals(capturedCreateEntity,capturedAddRoleEntity);
+
+  }
+
+
+  @Test
+  public void testAddRole() throws Exception {
+    AmbariLdapAuthoritiesPopulator populator =
+        new AmbariLdapAuthoritiesPopulator(configuration, helper, userDAO, roleDAO);
+
+    RoleEntity roleEntity = createMock(RoleEntity.class);
+    Set<UserEntity> userEntities = createMock(Set.class);
+    Set<RoleEntity> roleEntities = createMock(Set.class);
+
+    Capture<RoleEntity> createdRole = new Capture<RoleEntity>();
+
+    expect(roleDAO.findByName(adminRole)).andReturn(null).andReturn(roleEntity);
+    expect(roleDAO.findByName(adminRole)).andReturn(roleEntity);
+
+    roleDAO.create(capture(createdRole));
+    expectLastCall();
+
+    expect(userEntity.getUserName()).andReturn(username).anyTimes();
+    expect(userEntity.getRoleEntities()).andReturn(roleEntities).anyTimes();
+
+    expect(roleEntity.getUserEntities()).andReturn(userEntities).anyTimes();
+
+    expect(roleEntities.contains(roleEntity)).andReturn(false);
+    expect(roleEntities.contains(roleEntity)).andReturn(true);
+
+    expect(userEntities.add(userEntity)).andReturn(true);
+    expect(roleEntities.add(roleEntity)).andReturn(true);
+
+    userDAO.merge(userEntity);
+    expectLastCall().andReturn(userEntity);
+    roleDAO.merge(roleEntity);
+    expectLastCall().andReturn(roleEntity);
+
+    expect(userDAO.findLdapUserByName(username)).andReturn(null).andReturn(userEntity);
+    expect(userDAO.findLdapUserByName(username)).andReturn(userEntity);
+
+    userDAO.create(userEntity);
+    expectLastCall();
+
+    replayAll();
+
+    populator.addRole(userEntity, adminRole);
+    populator.addRole(userEntity, adminRole);
+
+    verifyAll();
+
+    assertEquals(adminRole, createdRole.getValue().getRoleName());
+
+  }
+
+
+  @Test
+  public void testRemoveRole() throws Exception {
+    int userId = 123;
+
+    AmbariLdapAuthoritiesPopulator populator =
+        new AmbariLdapAuthoritiesPopulator(configuration, helper, userDAO, roleDAO);
+
+    RoleEntity roleEntity = createMock(RoleEntity.class);
+    Set<UserEntity> userEntities = createMock(Set.class);
+    Set<RoleEntity> roleEntities = createMock(Set.class);
+
+    expect(userEntity.getUserId()).andReturn(userId);
+
+    expect(userDAO.findByPK(userId)).andReturn(userEntity);
+
+    expect(roleDAO.findByName(adminRole)).andReturn(roleEntity);
+
+    expect(userEntity.getRoleEntities()).andReturn(roleEntities);
+
+    expect(roleEntities.contains(roleEntity)).andReturn(true);
+
+    expect(userEntity.getUserName()).andReturn(username);
+
+    expect(userEntity.getRoleEntities()).andReturn(roleEntities);
+    expect(roleEntity.getUserEntities()).andReturn(userEntities);
+
+    expect(userEntities.remove(userEntity)).andReturn(true);
+    expect(roleEntities.remove(roleEntity)).andReturn(true);
+
+    expect(userDAO.merge(userEntity)).andReturn(userEntity);
+    expect(roleDAO.merge(roleEntity)).andReturn(roleEntity);
+
+    replayAll();
+
+    populator.removeRole(userEntity, adminRole);
+
+    verifyAll();
+  }
+}
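Review bot: testGetGrantedAuthorities_mappingEnabled drives the admin attribute as TRUE and FALSE but never as absent (`getObjectAttribute` returning null), which is the branch that removes the admin role when an LDAP entry lacks the attribute; add a third call with `.andReturn(null)` and a matching removeRole expectation. `import static org.easymock.EasyMock.createMock;` duplicates the wildcard static import on the line above it, and `createMock(Set.class)` in testAddRole and testRemoveRole yields raw-typed mocks that warn; suppress the unchecked warning on those locals at the smallest scope. In testAddRole the second `expect(roleDAO.findByName(adminRole))` and the `findLdapUserByName`/`userDAO.create(userEntity)` expectations look like leftovers; if addRole (whose body is not on this page) never calls them verifyAll would fail, so presumably they are consumed, but unexplained expectations make the test hard to maintain. A class-level Javadoc stating that the class tests role sync with group mapping on and off would help too.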

+ 64 - 2
ambari-server/src/test/java/org/apache/ambari/server/security/authorization/TestUsers.java

@@ -17,15 +17,18 @@
  */
 package org.apache.ambari.server.security.authorization;
 
+import com.google.inject.AbstractModule;
 import com.google.inject.Guice;
 import com.google.inject.Inject;
 import com.google.inject.Injector;
 import com.google.inject.persist.PersistService;
 import org.apache.ambari.server.AmbariException;
+import org.apache.ambari.server.configuration.Configuration;
 import org.apache.ambari.server.orm.GuiceJpaInitializer;
 import org.apache.ambari.server.orm.InMemoryDefaultTestModule;
 import org.apache.ambari.server.orm.dao.RoleDAO;
 import org.apache.ambari.server.orm.dao.UserDAO;
+import org.apache.ambari.server.orm.entities.RoleEntity;
 import org.apache.ambari.server.orm.entities.UserEntity;
 import org.junit.After;
 import org.junit.Before;
@@ -36,6 +39,7 @@ import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.security.crypto.password.PasswordEncoder;
 
 import java.util.List;
+import java.util.Properties;
 
 import static org.junit.Assert.*;
 
@@ -50,14 +54,17 @@ public class TestUsers {
   protected RoleDAO roleDAO;
   @Inject
   protected PasswordEncoder passwordEncoder;
+  private Properties properties;
 
   @Before
   public void setup() throws AmbariException {
-    injector = Guice.createInjector(new InMemoryDefaultTestModule());
+    InMemoryDefaultTestModule module = new InMemoryDefaultTestModule();
+    properties = module.getProperties();
+    injector = Guice.createInjector(module);
     injector.getInstance(GuiceJpaInitializer.class);
     injector.injectMembers(this);
     users.createDefaultRoles();
-    Authentication auth = new UsernamePasswordAuthenticationToken("admin",null);
+    Authentication auth = new UsernamePasswordAuthenticationToken("admin", null);
     SecurityContextHolder.getContext().setAuthentication(auth);
   }
 
@@ -125,4 +132,59 @@ public class TestUsers {
     assertFalse(user.getRoles().contains(users.getAdminRole()));
 
   }
+
+  @Test
+  public void testPromoteLdapUser() throws Exception {
+    createLdapUser();
+
+    User ldapUser = users.getLdapUser("ldapUser");
+
+    users.promoteToAdmin(ldapUser);
+
+    ldapUser = users.getLdapUser("ldapUser");
+    assertTrue(ldapUser.getRoles().contains(users.getAdminRole()));
+
+    users.demoteAdmin(ldapUser);
+
+    ldapUser = users.getLdapUser("ldapUser");
+    assertFalse(ldapUser.getRoles().contains(users.getAdminRole()));
+
+    users.removeUser(ldapUser);
+
+    //toggle group mapping
+    properties.setProperty(Configuration.LDAP_GROUP_BASE_KEY, "ou=groups,dc=ambari,dc=apache,dc=org");
+    createLdapUser();
+
+    try {
+      users.promoteToAdmin(ldapUser);
+      fail("Not allowed with mapping on");
+    } catch (AmbariException e) {
+    }
+
+    try {
+      users.demoteAdmin(ldapUser);
+      fail("Not allowed with mapping on");
+    } catch (AmbariException e) {
+    }
+
+
+  }
+
+  private void createLdapUser() {
+    RoleEntity role = roleDAO.findByName(users.getUserRole());
+    UserEntity ldapUser = new UserEntity();
+
+    ldapUser.setUserName("ldapUser");
+    ldapUser.setLdapUser(true);
+
+    userDAO.create(ldapUser);
+
+    UserEntity userEntity = userDAO.findLdapUserByName("ldapUser");
+
+    userEntity.getRoleEntities().add(role);
+    role.getUserEntities().add(ldapUser);
+
+    userDAO.merge(ldapUser);
+    roleDAO.merge(role);
+  }
 }
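Review bot: After `users.removeUser(ldapUser)` and the second createLdapUser(), `ldapUser` still refers to the deleted user, so the two expected failures may be caused by the stale id rather than by the group-mapping guard; re-read it with `ldapUser = users.getLdapUser("ldapUser");` before the try blocks. The empty catch blocks should check that the guard is what fired, e.g. `assertTrue(e.getMessage().contains("group mapping is enabled"));`, otherwise any AmbariException passes the test. The test also depends on a property set after the injector was built being visible through Configuration.getLdapServerProperties(), which holds only if Configuration re-reads the Properties on each call; that is not visible here and deserves a comment. In createLdapUser the role is attached to `userEntity` while `ldapUser` is merged, which is correct only if findLdapUserByName returns the same managed instance.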