3 Replies Latest reply on Nov 26, 2001 2:58 PM by seanxue

How to config LDAP server for LDAP JAAS?

    seanxue

      Hi everybody,

After setting up LdapLoginModule, I can see my input username and password being authenticated. But I don't know how to set up the LDAP server to get role names?

      Has anyone done this before? Please give me some hints.

      Thanx.

      Sean

• 1. Re: How to config LDAP server for LDAP JAAS?
          spuddy

          Sean,

          I have just recently got this thing working.
          My setup is:
          - using iPlanet LDAP 5.0
          - have a basename dc=foobar,dc=com
          - I have a people node:
          dn: ou=People,dc=foobar,dc=com
          objectClass: top
          objectClass: organizationalunit
          ou: People
          - I have a group node:
dn: ou=Groups,dc=foobar,dc=com
          objectClass: top
          objectClass: organizationalunit
          ou: Groups

I have been putting people under the People node with
objectclass=inetorgperson, and the naming attribute
is uid. So my entry might be:

          dn: uid=matt,ou=People, dc=foobar,dc=com
          mail: matt@foobar.com.au
          objectClass: top
          objectClass: person
          objectClass: organizationalPerson
          objectClass: inetorgperson
          givenName: Matt
          cn: Matt Quail
          uid: matt
          sn: Quail

          I then have a group like this:

          dn: cn=GoodUsers,ou=Groups, dc=foobar,dc=com
          description: people who can the system
          objectClass: top
          objectClass: groupofuniquenames
          cn: CorTimeUsers
          uniqueMember: uid=matt,ou=People, dc=foobar,dc=com
uniqueMember: uid=fred,ou=People, dc=foobar,dc=com


You can see that 'matt' and 'fred' are in that group, via the 'uniqueMember' attribute.

          My auth.conf looks like this:
          ----
cortime {
    org.jboss.security.plugins.samples.LdapLoginModule required
        java.naming.factory.initial="com.sun.jndi.ldap.LdapCtxFactory"
        principalDNPrefix="uid="
        principalDNSuffix=",ou=People,dc=foobar,dc=com"
        rolesCtxDN="ou=Groups,dc=foobar,dc=com"
        roleAttributeID="cn"
        uidAttributeID="uniquemember"
        java.naming.provider.url="ldap://myldapserver:6363/"
        java.naming.security.authentication="simple"
        matchOnUserDN=true
    ;
};
          ----

          I can then use the "GoodUsers" group in my servlet
          web.xml (as a security "role") or in my ejb
          deployment descriptor.

          NOTE: this is for a JBoss 2.4.3 installation. The above
          won't work on 2.2.x because "matchOnUserDN" is not
          supported. But this is important to get it working with my schema.
          To see why, see this CVS diff:
          http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/jboss/jbosssx/src/main/org/jboss/security/auth/spi/LdapLoginModule.java.diff?r1=1.1.4.2&r2=1.1.4.3

          Hope this helps, let me know if you need more clarification.

• 2. Re: How to config LDAP server for LDAP JAAS?
            spuddy

Oops, I got the cn in the LDIF for the group wrong. It should be:


            dn: cn=GoodUsers,ou=Groups, dc=foobar,dc=com
            description: people who can access the system
            objectClass: top
            objectClass: groupofuniquenames
            cn: GoodUsers
            uniqueMember: uid=matt,ou=People, dc=foobar,dc=com
uniqueMember: uid=fred,ou=People, dc=foobar,dc=com

• 3. Re: How to config LDAP server for LDAP JAAS?
              seanxue

I figured out that LDAP authorization only works with iPlanet Directory Server 5. Does anyone know how to set it up to work with Netscape 4.13 or 4.14?