10 Replies Latest reply on Feb 4, 2003 1:20 PM by jwkaltz

    LDAP nested groups

    cnsxxx09

      Hi,

Is it possible to use the JBoss login module to successfully identify that a user is in a role that maps to a nested group in LDAP?

      e.g.
      We have a group in LDAP called 'AllStaff' which is made up of nested groups 'OrgArea1', 'OrgArea2' etc etc.
      which contain the individual users.

      And when a user logs in we want to check that they exist in the AllStaff role.

      I can't seem to get it working with JBoss3.0.4/JBossWeb

      Thanks!

      Chris
      -=-=-=

        • 1. Re: LDAP nested groups
          aweissman

          Post your LDAP schema.

          • 2. Re: LDAP nested groups
            cnsxxx09

            Hi,

            Thanks for the reply, I'll try and post the schema as soon as I can...

            In the meantime, does your reply imply that nested LDAP groups should work in JBoss when using security roles?

            My searching in the forums also gave me the impression that it does not work and that a custom module must be written.

            Thanks

            C.
            --

            • 3. Re: LDAP nested groups
              cnsxxx09

              Hi,

              Here it is, as promised, looks okay/standard to me (using iPlanet LDAP), but JBoss cannot find the user in the role unless they are directly in the group.

              Here is the syntax I use in login-config.xml:

              <application-policy name="LDAPLogin">

              <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">
              <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
              <module-option name="java.naming.provider.url">ldap://myServer:389/</module-option>
              <module-option name="java.naming.security.authentication">simple</module-option>
              <module-option name="principalDNPrefix">uid=</module-option>
              <module-option name="principalDNSuffix">,ou=Users,o=myPlace.org</module-option>
              <module-option name="uidAttributeID">uniquemember</module-option>
              <module-option name="roleAttributeID">cn</module-option>
              <module-option name="rolesCtxDN">ou=Groups,o=myPlace.org</module-option>
              <module-option name="matchOnUserDN">true</module-option>
              </login-module>

              </application-policy>


              Thanks

              C.
              --

              dn:
              objectclass: top

              dn: cn=ldap://:389,dc=myServer,dc=myPlace,dc=org
              cn: ldap://:389
              objectclass: top
              objectclass: applicationprocess
              objectclass: ldapserver
              <snip, snip>

              dn: o=myPlace.org
              objectclass: top
              objectclass: organization
              <snip, snip>

              dn: ou=Groups,o=myPlace.org
              ou: Groups
              description: NT Domain Groups
              objectclass: top
              objectclass: organizationalunit

              dn: ou=Users,o=myPlace.org
              ou: Users
              description: NT Domain Users
              objectclass: top
              objectclass: organizationalunit

              dn: cn=All_OrgUnits,ou=Groups,o=myPlace.org
              objectClass: top
              objectClass: groupofuniquenames
              cn: myOrgUnit
              uniqueMember: cn=myOrgUnit,ou=Groups,o=myPlace.org
              uniqueMember: uid=aSpecialUser,ou=Users,o=myPlace.org
              parentid: 3
              entryid: 2071
              dncomp: cn=all_orgunits
              dncomp: ou=groups
              dncomp: o=myPlace.org
              entrydn: cn=all_orgunits,ou=groups,o=myPlace.org
              subschemasubentry: cn=schema

              dn: cn=myOrgUnit,ou=Groups,o=myPlace.org
              objectclass: top
              objectclass: groupOfUniqueNames
              objectclass: ntGroup
              cn: myOrgUnit
              uniquemember: uid=myUid,ou=Users,o=myPlace.org
              <snip, snip>

              dn: uid=myUid,ou=Users,o=myPlace.org
              objectclass: top
              objectclass: person
              objectclass: organizationalPerson
              objectclass: inetOrgPerson
              objectclass: ntUser
              sn: Deacon,
              givenname: Joey
              cn: Deacon, Joey
              <snip, snip>
              uid: myUid

              • 4. Re: LDAP nested groups
                aweissman

I'm having a little trouble looking at the schema, but if myOrgUnit is a child of AllOrgUnits then yeah, looks like you gotta grow your own.

                Check out some source code that some nice person gave me:

                http://www.jboss.org/modules/bb/index.html?module=bb&op=viewtopic&t=forums/

                • 5. Re: LDAP nested groups
                  cnsxxx09

                  Hi,

                  Thanks for the reply.

                  Yes myOrgUnit is a child of AllOrgUnits, that was what I was meaning by 'nested groups'.

                  Seems strange that this doesn't exist already....

Even if I do implement the Login Module source code, won't this only work for, erm, login? What about if I have a method on a Session Bean that can only be executed by someone in the parent "AllOrgUnits" group? Or is the problem only existing with logging in? (if I can't get past the login then I can't test this far!).

                  Also, is it not possible in the login-config.xml to specify something like an LDAP sub-tree search instead?

                  Thanks (again) for the info, *much* appreciated.

                  C.
                  --

                  • 6. Re: LDAP nested groups
                    jwkaltz

                    > Yes myOrgUnit is a child of AllOrgUnits, that was
                    > what I was meaning by 'nested groups'.
                    >
                    > Seems strange that this doesn't exist already....

                    No I don't think that's strange. The LDAPLoginModule that comes with JBoss has to assume some sort of Group organization, it can't possibly cover all possible setups.
                    If your LDAP structures are not compatible with the provided LDAP login module, it makes sense to write your own one. Using the JBoss base class, this is very easy to do.

                    >
                    > Even if I do implement the Login Module source code,
                    > won't this only work for, erm, login? What about if I
                    > have a method on a Session Bean that can only be
                    > executed by someone in the parent "AllOrgUnits"
                    > group? Or is the problem only existing with logging
> in? (if I can't get past the login then I can't test
                    > this far!).

                    During the login you do 2 things
                    - authenticate the user
                    - associate roles to the user.
                    So once you have your login module working, you'll be able to use the roles you associated during login:
                    -> either in the deployment descriptor (method permissions)
                    -> or in your code, isUserInRole(..) I think it's called (that's part of the EJB spec)

                    • 7. Re: LDAP nested groups
                      cnsxxx09

                      Thanks for the detailed reply....and explanations

                      and thanks for supplying the source code in the first place.

                      Regards

                      C.
                      --

                      • 8. Re: LDAP nested groups
                        cnsxxx09

                        Hi,

                        Do you have also the other files imported by your JBossLDAPLoginModule.java file?

                        Thanks

                        C.
                        --

                        import ch.generali.framework.FrameworkException;
                        import ch.generali.framework.PropertyLoader;
                        import ch.generali.framework.StringTools;
                        import ch.generali.framework.ServiceLocator;
                        import ch.generali.framework.auth.FailedLoginNoSuchPrincipalException;
                        import ch.generali.framework.ldap.LDAPContext;
                        import ch.generali.framework.ldap.PasswordFactory;
                        import ch.generali.framework.ldap.RoleFactory;

                        • 9. Re: LDAP nested groups
                          aweissman

                          Check with the author of the code on the thread:

http://www.jboss.org/modules/bb/index.html?module=bb&op=viewtopic&t=forums/

I never actually used the class. I am lucky enough to be able to use the LDAP schema that the LDAPLoginModule expects.

                          Alan

                          • 10. Re: LDAP nested groups
                            jwkaltz

                            > import ...

                            Well, obviously I'm importing some code from utilities I've written.

                            You of course need to adapt this to your needs. My login module is just an example for your understanding, and won't compile as is in your project.