3 Replies Latest reply on Aug 8, 2002 1:20 PM by ukamath

    ldap security,any help appreciated

      Hi, on the iPlanet directory server I added users in ou=People and added a group in ou=Groups. Then I added the user to the members of the group, and my auth.conf looks like
      OMSLDAP {
      org.jboss.security.plugins.samples.LdapLoginModule required
      java.naming.factory.initial="com.sun.jndi.ldap.LdapCtxFactory"
      principalDNPrefix="uid="
      principalDNSuffix=",ou=People,dc=eidea,dc=com"
      rolesCtxDN="ou=Groups,dc=eidea,dc=com"
      roleAttributeID="cn"
      uidAttributeID="uniquemember"
      java.naming.provider.url="ldap://ares.eidea.com:389/"
      java.naming.security.authentication="simple"
      matchOnUserDN=true
      ;
      };

      yet when I run it I get this error
      [OM] Logging into LDAP server, env={java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, principalDNPrefix=uid=, java.naming.security.principal=uid=UKamath,ou=People,dc=eidea,dc=com, roleAttributeID=cn, matchOnUserDN=true, principalDNSuffix=,ou=People,dc=eidea,dc=com, rolesCtxDN=ou=Groups,dc=eidea,dc=com, java.naming.provider.url=ldap://ares.eidea.com:389/, uidAttributeID=uniquemember, java.naming.security.authentication=simple, java.naming.security.credentials=kamath}
      [OM] Logged into LDAP server, javax.naming.ldap.InitialLdapContext@6c9f0f
      [OM] Insufficient method permissions, principal=UKamath, method=create, requiredRoles=[omsuser]

      Has anyone faced this problem? Please share if you know the problem.
      Thanks
      Uday

        • 1. Re: ldap security,any help appreciated
          jwkaltz

          > yet when I run it I get this error
          (...)
          > [OM] Insufficient method permissions, principal=UKamath, method=create, requiredRoles=[omsuser]

          You don't provide much information (such as what it is you are trying to run), but judging from the error message, my best guess is:
          you're calling ejb create(), and you deployed the EJB with security constraints specifying that its methods (or at least its create method) require the user to be in the role omsuser. And the user who is logging in is not in that role.

          • 2. Re: ldap security,any help appreciated

            Thanks for your reply on JBoss. I am writing this mail to your account as I found no one replies except some people like you, so I would be obliged if you would spend 2 minutes and see if I am doing something wrong.
            1. My server is JBoss (2.2.2, not 3.0 because of some transaction problems and not 2.4.* because of classloader problems between MBeans and deployed beans) and my directory is
            iPlanet 5.1
            2. I have my directory structure as
            com
              eidea
                ou=People
                  cn=UKamath
                ou=Groups
                  cn=omsuser
                    uniquemember=UKamath
            I added all this using the iPlanet console.

            3. My auth.conf looks like

            OMSLDAP {
            org.jboss.security.plugins.samples.LdapLoginModule required
            java.naming.factory.initial="com.sun.jndi.ldap.LdapCtxFactory"
            principalDNPrefix="uid="
            principalDNSuffix=",ou=People,dc=eidea,dc=com"
            rolesCtxDN="ou=Groups,dc=eidea,dc=com"
            roleAttributeID="cn"
            uidAttributeID="uniquemember"
            java.naming.provider.url="ldap://ares.eidea.com:389/"
            java.naming.security.authentication="simple"
            matchOnUserDN=true
            unauthenticatedIdentity="nobody"
            ;
            };

            4. My EJB is a session bean with one method (for testing) needing security at create and at the method, and the role is "omsuser".

            5. When I log in at the client using ClientLoginModule, giving user ID (UKamath) and password, the server says the user doesn't have the role omsuser.

            6. Either I am not setting up the directory with the right stuff, or my auth.conf needs a small change, as it logs on but there is no role mapping?

            Please help
            Uday
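
The two posts above give the full picture of the role lookup: the auth.conf options and the directory layout. As an added illustration (not code from the thread, from JBoss or from iPlanet), the Python below models how an LdapLoginModule with those options maps an authenticated user to roles. It assumes the documented option semantics: the user DN is principalDNPrefix + username + principalDNSuffix; after the bind, the module searches under rolesCtxDN for entries whose uidAttributeID equals the user DN when matchOnUserDN=true (or the bare username when it is false) and takes each match's roleAttributeID values as roles. The in-memory directory is constructed data mirroring the tree Uday described, once with uniquemember holding the bare name "UKamath" as posted and once holding the user's full DN, which is what a groupOfUniqueNames member attribute is defined to hold. The option dictionary, directory model and helper names are my own, not JBoss API.

```python
"""Model of a JBoss-style LdapLoginModule role search (added illustration, not JBoss code).

  userDN = principalDNPrefix + username + principalDNSuffix
  roles  = roleAttributeID values of every entry under rolesCtxDN whose
           uidAttributeID equals userDN (matchOnUserDN=true) or the bare
           username (matchOnUserDN=false)
"""
from typing import Dict, List

# DN -> attributes; each attribute is multi-valued, as in LDAP.
Directory = Dict[str, Dict[str, List[str]]]

# Options copied from the auth.conf posted in the thread.
AUTH_CONF = {
    "principalDNPrefix": "uid=",
    "principalDNSuffix": ",ou=People,dc=eidea,dc=com",
    "rolesCtxDN": "ou=Groups,dc=eidea,dc=com",
    "roleAttributeID": "cn",
    "uidAttributeID": "uniquemember",
    "matchOnUserDN": True,
}

USER_DN = "uid=UKamath,ou=People,dc=eidea,dc=com"

# Constructed directory mirroring the post: the group stores the bare login
# name in uniquemember rather than the user's DN.
AS_POSTED: Directory = {
    USER_DN: {"objectClass": ["inetOrgPerson"], "uid": ["UKamath"], "cn": ["UKamath"]},
    "cn=omsuser,ou=Groups,dc=eidea,dc=com": {
        "objectClass": ["groupOfUniqueNames"],
        "cn": ["omsuser"],
        "uniquemember": ["UKamath"],
    },
}

# Same tree, but uniquemember holds the member's full DN.
WITH_MEMBER_DN: Directory = {
    USER_DN: AS_POSTED[USER_DN],
    "cn=omsuser,ou=Groups,dc=eidea,dc=com": {
        "objectClass": ["groupOfUniqueNames"],
        "cn": ["omsuser"],
        "uniquemember": [USER_DN],
    },
}


def _norm(value: str) -> str:
    """Approximate LDAP caseIgnore/DN matching: case-insensitive, no space around commas."""
    return ",".join(part.strip() for part in value.split(",")).lower()


def search(directory: Directory, base_dn: str, attr: str, value: str) -> List[str]:
    """DNs in the subtree of base_dn matching the filter (attr=value)."""
    base = _norm(base_dn)
    hits = []
    for dn, attrs in directory.items():
        ndn = _norm(dn)
        if ndn != base and not ndn.endswith("," + base):
            continue  # outside rolesCtxDN
        if _norm(value) in [_norm(v) for v in attrs.get(attr, [])]:
            hits.append(dn)
    return hits


def lookup_roles(directory: Directory, conf: dict, username: str) -> List[str]:
    """The role search the login module runs after a successful bind."""
    user_dn = conf["principalDNPrefix"] + username + conf["principalDNSuffix"]
    match_value = user_dn if conf["matchOnUserDN"] else username
    roles: List[str] = []
    for dn in search(directory, conf["rolesCtxDN"], conf["uidAttributeID"], match_value):
        roles.extend(directory[dn].get(conf["roleAttributeID"], []))
    return roles


def method_permitted(roles: List[str], required_roles: List[str]) -> bool:
    """The EJB method-permission check: any one of the required roles suffices."""
    return any(role in required_roles for role in roles)


if __name__ == "__main__":
    for label, tree in (("as posted", AS_POSTED), ("member stored as DN", WITH_MEMBER_DN)):
        roles = lookup_roles(tree, AUTH_CONF, "UKamath")
        print(f"{label}: roles={roles}, create allowed={method_permitted(roles, ['omsuser'])}")
```

With the options as posted, the model reproduces the symptom in the thread: the bind succeeds, but the filter `(uniquemember=uid=UKamath,ou=People,dc=eidea,dc=com)` matches nothing because the group holds the bare name, so no roles come back and the create() check fails. Storing the member as a DN (or, in this model, switching matchOnUserDN to false) makes the same search return omsuser. Separately, note that the debug trace in the first post dumps the whole JNDI environment, including java.naming.security.credentials in clear text; that level of logging should not be left on outside a test setup.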

            • 3. I figured it out

              I wrote my own custom LDAP login module to do that and was successful.
              Uday