1. Re: LdapLoginModule Source?
nuanda Sep 19, 2001 7:39 PM (in response to jpvasquez)
JP,
Yeah, they didn't pack the source up with the 2.4 release (although the binaries are there, obviously)... though you can check out the JBoss CVS repository to view it. Try:
http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/jboss/jbosssx/src/main/org/jboss/security/auth/spi/
option-key, I would imagine, is referring to the option=value pairs in the auth.conf that you need to set up for your application's configuration block.
eg:
org.jboss.security.plugins.samples.LdapLoginModule required
java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
principalDNPrefix=uid=
uidAttributeID=userid
blah..blah... -
2. Re: LdapLoginModule Source?
jpvasquez Sep 19, 2001 8:53 PM (in response to jpvasquez)
Thanks for the info -- it was helpful to see that source, although I'm not very experienced with JAAS yet. I'm still getting this problem about the "expected 'option key'".
Here's what my auth.conf looks like right now:
...default auth.conf above here...
// the case for an unauthenticated web client or MDB. If you don't want to
// allow such users to be authenticated remove the property.
org.jboss.security.auth.spi.UsersRolesLoginModule required
unauthenticatedIdentity="nobody";
};
testLdap {
org.jboss.security.plugins.samples.LdapLoginModule required
java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
principalDNPrefix=mydnprefix
principalDNSuffix=mydnsuffix
uidAttributeName=uniquemember
uidAttributeID=uid
roleAttributeID=cn
rolesCtxDN=rolesctxdnval
java.naming.provider.url=ldap://ldaphost:ldapport/
java.naming.security.authentication=simple
;
};
Here's what the error looks like:
java.lang.SecurityException: Configuration Error: Line 222: expected 'option key', found 'null' RequestURI=/ldaptest/secure
The weird thing is that the "Line number" starts at 37, and grows by exactly 37 each time I hit refresh (I'm trying to make this work via a browser with the server protecting a directory).
If it's referring to line numbers in auth.conf, then line 37 is the line that sets up the java.naming.factory.initial value. (There are only 47 lines in the file, so the other line numbers are bogus.)
Any ideas on this? -
3. Re: LdapLoginModule Source?
nuanda Sep 19, 2001 10:12 PM (in response to jpvasquez)
My configuration block is:
ldap {
// LDAP authentication
au.xxx.yyy.security.LdapLoginModule required
ldapSearchBase="ou=people,dc=xxx,dc=yyy,dc=au"
java.naming.factory.initial="com.sun.jndi.ldap.LdapCtxFactory"
java.naming.provider.url="ldap://ldaphost/"
java.naming.security.authentication="simple"
;
};
Your problem is that you are not quoting your provider.url entry. The configuration parser is resolving the // in ldap://ldaphost as a comment. The good news is that your ';'s are in the right place, I misplaced one of mine and the error message was even more cryptic!
Good luck,
Dave -
4. Re: LdapLoginModule Source?
jpvasquez Sep 20, 2001 12:32 AM (in response to jpvasquez)
:) Thanks -- that was exactly it.
Well, I'm assuming that it all works well, but unfortunately, nothing is ever easy. Our company has set up our LDAP directory so that it is impossible to search it without a special account. (i.e., the user that binds to the directory to test the authentication can't search the groups branch to see what roles they are in.)
So, I have an "admin" dn and credential that I'll need to use when doing the search for matching roles. Authentication is working great -- role matching is what is failing now. After looking at the source, this doesn't look like it would be too difficult to do -- if I can check out the CVS module, I'll probably take a crack at it.
Do other companies do this? Would it be worth merging these changes back into the LdapLoginModule as optional attributes?
Anyway, thanks for all the help so far! -
5. Re: LdapLoginModule Source?
nuanda Sep 20, 2001 1:06 AM (in response to jpvasquez)
Nod, our LDAP schema is a little odd in that a user's id does not form part of their DN. So we just subclassed UsernamePasswordLoginModule for our custom LdapLoginModule, using the default JBoss example as a guide. Easy enough, not sure if it's worth contributing into the JBoss source tree since everyone's LDAP directory is going to have its own peculiarities...
-
6. Re: LdapLoginModule Source?
jpvasquez Sep 20, 2001 1:54 AM (in response to jpvasquez)
I just got this working. If anybody wants it, the patch is pretty simple. (Unfortunately, I can't get at cvs and diff tools tonight.)
Add two new class level variables:
private static final String ADMIN_DN_OPT = "adminDN";
private static final String ADMIN_PWD_OPT = "adminPassword";
In the if block where the query for the roles begins, add this:
...
if( rolesCtxDN != null ) {
    String adminDN = (String) options.get(ADMIN_DN_OPT);
    //Start Here
    if ( adminDN != null ) {
        env.setProperty(Context.SECURITY_PRINCIPAL, adminDN);
        String adminPwd = (String) options.get(ADMIN_PWD_OPT);
        env.setProperty(Context.SECURITY_CREDENTIALS, adminPwd);
        ctx = new InitialLdapContext(env, null);
    }
    //End Here
    String uidAttrName = (String) options.get(UID_ATTRIBUTE_ID_OPT);
...
Now in the configuration file, you just have to add two new name value pairs called adminDN and adminPassword.
(This update just rebinds with the LDAP server with the privileged user's credentials before the search takes place.) -
7. Re: LdapLoginModule Source?
jpvasquez Sep 20, 2001 1:56 AM (in response to jpvasquez)
Whoops... that didn't get the last little update that's in my real code... you should probably call ctx.close() somewhere before calling the new InitialContext for safety's sake...
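The approach from posts 6 and 7 (authenticate with the user's own bind, then rebind with a privileged account for the role search, closing contexts properly), written out as an added example. This is not the poster's patch nor JBoss code: it is a stand-alone JNDI method. The option names adminDN and adminPassword follow the patch above; rolesCtxDN, roleAttributeID and uidAttributeID mirror the configuration keys in the thread, and matching role entries on the user's full DN is an assumption.

```java
// Added example (not from the thread or the JBoss LdapLoginModule): verify the
// user's password with their own bind, then look up roles with a separate,
// privileged bind. Option keys adminDN/adminPassword come from the patch above;
// rolesCtxDN, roleAttributeID and uidAttributeID follow the thread's config.
import java.util.ArrayList;
import java.util.Hashtable;
import java.util.List;
import java.util.Map;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;

public class PrivilegedRoleLookup {

    /**
     * baseEnv holds the provider URL and factory (java.naming.* keys);
     * options holds the login-module option=value pairs from auth.conf.
     * Returns the role names found for userDN, or an empty list if no
     * privileged lookup is configured.
     */
    public static List<String> authenticateAndFindRoles(Hashtable<String, String> baseEnv,
                                                        Map<String, String> options,
                                                        String userDN, char[] password)
            throws NamingException {
        // 1. Authentication: a successful simple bind as the user proves the password.
        Hashtable<String, String> userEnv = new Hashtable<>(baseEnv);
        userEnv.put(Context.SECURITY_AUTHENTICATION, "simple");
        userEnv.put(Context.SECURITY_PRINCIPAL, userDN);
        userEnv.put(Context.SECURITY_CREDENTIALS, new String(password));
        LdapContext userCtx = new InitialLdapContext(userEnv, null); // throws on bad credentials
        userCtx.close(); // the user connection is not needed for the role search

        // 2. Role lookup: only the privileged account may read the roles branch.
        String rolesCtxDN = options.get("rolesCtxDN");
        String adminDN = options.get("adminDN");
        String adminPwd = options.get("adminPassword");
        if (rolesCtxDN == null || adminDN == null || adminPwd == null) {
            return new ArrayList<>();
        }
        // Copy the environment instead of mutating the one used for the user bind.
        Hashtable<String, String> adminEnv = new Hashtable<>(baseEnv);
        adminEnv.put(Context.SECURITY_AUTHENTICATION, "simple");
        adminEnv.put(Context.SECURITY_PRINCIPAL, adminDN);
        adminEnv.put(Context.SECURITY_CREDENTIALS, adminPwd);

        String memberAttr = options.get("uidAttributeID");   // attribute in role entries naming the member
        String roleAttr = options.get("roleAttributeID");    // attribute holding the role name, e.g. cn
        List<String> roles = new ArrayList<>();
        LdapContext adminCtx = new InitialLdapContext(adminEnv, null);
        try {
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.ONELEVEL_SCOPE);
            sc.setReturningAttributes(new String[] { roleAttr });
            // {0} is substituted and escaped by JNDI, so the user DN cannot alter the filter.
            NamingEnumeration<SearchResult> results = adminCtx.search(
                    rolesCtxDN, "(" + memberAttr + "={0})", new Object[] { userDN }, sc);
            while (results.hasMore()) {
                Attributes attrs = results.next().getAttributes();
                Attribute role = attrs.get(roleAttr);
                if (role != null) {
                    roles.add((String) role.get());
                }
            }
        } finally {
            adminCtx.close(); // always release the privileged connection, even on error
        }
        return roles;
    }
}
```

Two points worth keeping in mind with this pattern: the privileged bind is opened only after the user's own bind has succeeded, so a wrong password never triggers a privileged search, and both contexts are closed on every path rather than only on success. Because adminPassword sits in clear text in auth.conf, the account it names should be a read-only search account and the file should be readable by the server process alone.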