3 Replies Latest reply on Jun 17, 2003 6:37 PM by amishguy

    LDAP sub queries with LdapLoginModule

    amishguy

      Hi there,

      I was wondering if it is possible to do LDAP subqueries
      when using LDAP authentication with JBoss?

      In my case, Users has several subgroups like "Marketing", "Sales", "Business Development", etc. Actual account names are defined within these subgroups, so I want the query to search within all of them for the specified user. I know I can get around this by 'flattening' my LDAP schema (getting rid of the subgroups), but I'd rather not.

      My login-config.xml has an entry similar to the following. Note the full LDAP query should be something like:

      ou=Users,dc=corp,dc=foo,dc=com??sub?(cn=Amish Guy)

      I've been able to get LDAP authentication working, thanks to this forum, but only if I make the query specific to a subgroup (i.e. add in an ou=Marketing). Currently I'm using objectClass=user as the role, but I'll be changing this shortly.

      Thanks for everyone's help so far! :)

      =============================
      <application-policy name="myApp">
        <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">
          <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
          <module-option name="java.naming.provider.url">ldap://ldapHost:389/</module-option>
          <module-option name="java.naming.security.authentication">simple</module-option>
          <module-option name="principalDNPrefix">ou=Users,dc=corp,dc=foo,dc=com??sub?(cn=</module-option>
          <module-option name="principalDNSuffix">)</module-option>
          <module-option name="uidAttributeID">cn</module-option>
          <module-option name="uidAttributeName">name</module-option>
          <module-option name="rolesCtxDN">ou=Users,dc=corp,dc=foo,dc=com</module-option>
          <module-option name="roleAttributeID">objectClass</module-option>
        </login-module>
      </application-policy>
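      The post above puts an LDAP URL tail (base DN, attributes, scope, filter, in the RFC 4516 layout) into principalDNPrefix, but the prefix and suffix options are simply concatenated around the username to form a bind DN, so the "??sub?" part is never interpreted as a subtree search. The following added example (not code from the post, from JBoss or from BrowseLdapLoginModule) parses that URL form into its parts, shows which entries a base, one-level or subtree scope reaches from ou=Users, and builds the "(cn=...)" search filter with the username escaped per RFC 4515 so that a username containing filter metacharacters cannot change the query. The DN splitter is a simplification that assumes no escaped commas inside RDN values; all sample DNs are constructed for the example.

```python
"""Parse the LDAP URL form from the question and build a safe user filter.

Added example, not part of the forum thread. Standard library only; the DN
handling is simplified (no escaped commas in RDN values).
"""
import re
from urllib.parse import unquote

# RFC 4516: ldap://host:port/dn?attributes?scope?filter?extensions
# The poster's value omits the scheme and host, so a bare "dn?..." tail
# is accepted as well.
_URL_RE = re.compile(r"^ldaps?://([^/?]*)/?(.*)$")


def parse_ldap_url(url: str) -> dict:
    """Split an LDAP URL (or just its dn?attrs?scope?filter tail) into parts."""
    host, port, tail = None, None, url
    m = _URL_RE.match(url)
    if m:
        hostport, tail = m.groups()
        if hostport:
            host, _, port_s = hostport.partition(":")
            port = int(port_s) if port_s else None
    parts = tail.split("?")
    parts += [""] * (5 - len(parts))          # pad missing fields
    dn, attrs, scope, filt, exts = (unquote(p) for p in parts[:5])
    scope = scope.lower() or "base"           # RFC 4516 default scope
    if scope not in ("base", "one", "sub"):
        raise ValueError(f"unknown scope {scope!r}")
    return {
        "host": host,
        "port": port,
        "base": dn,
        "attributes": [a for a in attrs.split(",") if a],
        "scope": scope,
        "filter": filt or "(objectClass=*)",   # RFC 4516 default filter
        "extensions": exts,
    }


def dn_components(dn: str) -> list:
    """RDNs of a DN, root first, case-folded. Simplified: no escaped commas."""
    return [c.strip().lower() for c in dn.split(",")][::-1]


def in_scope(base: str, entry: str, scope: str) -> bool:
    """Would a search from `base` with `scope` reach `entry`?"""
    b, e = dn_components(base), dn_components(entry)
    if e[: len(b)] != b:
        return False
    depth = len(e) - len(b)
    return {"base": depth == 0, "one": depth == 1, "sub": True}[scope]


def escape_filter_value(value: str) -> str:
    """Escape an assertion value per RFC 4515 so it cannot alter the filter."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value
    )


def user_search_filter(uid_attr: str, uid: str) -> str:
    """Build the (cn=<user>) style filter with the username escaped."""
    return f"({uid_attr}={escape_filter_value(uid)})"


if __name__ == "__main__":
    # Constructed sample values mirroring the question.
    q = parse_ldap_url("ou=Users,dc=corp,dc=foo,dc=com??sub?(cn=Amish Guy)")
    print(q)
    user_dn = "cn=Amish Guy,ou=Marketing,ou=Users,dc=corp,dc=foo,dc=com"
    for s in ("base", "one", "sub"):
        print(s, in_scope(q["base"], user_dn, s))
    print(user_search_filter("cn", "Amish Guy"))
    print(user_search_filter("cn", "*)(objectClass=*"))
```

      Running the script shows that only the "sub" scope reaches an account under ou=Marketing when the search starts at ou=Users, which is exactly what a subtree search from the Users level gives and what the prefix/suffix concatenation cannot. The last line shows why the escaping matters: a name containing "*", "(" or ")" is turned into a literal match instead of a new filter clause.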

        • 1. Re: LDAP sub queries with LdapLoginModule
          amishguy

          Problem solved. I used BrowseLdapLoginModule.java, and pointed it where I wanted the search to start (i.e. Users level). Works great! :)

          • 2. Re: LDAP sub queries with LdapLoginModule
            mls3

            Can you elaborate on the BrowseLdapLoginModule? I cannot find any documentation on that class.

            • 3. Re: LDAP sub queries with LdapLoginModule
              amishguy

              Sure thing! Here's the source code (NOT mine):

              http://www.boxerboxes.ca/JBoss_Ldap.html

              Basically I just (note, this is for Win32):
              1) Downloaded the JBoss 3.2.1 source code
              2) Dropped BrowseLdapLoginModule.java into <jboss_src_dir>/security/src/security/src/main/org/jboss/security/auth/spi/
              3) Ran <jboss_src_dir>/security/build.bat
              4) Copied <jboss_src_dir>/security/output/lib/jbosssx.jar into $JBOSS_HOME/server/default/lib/ and $JBOSS_HOME/server/all/lib/

              The source code has a snippet of what to put in your login-config.xml file. Once I got stuff compiled and up, it wasn't long before it worked perfectly.

              Have fun, and if you need more help - just post :)
              A.G.