Help - can't access user roles in LDAP
cane74 Mar 12, 2004 10:41 AM
Hi.
I have configured JBoss to authenticate users in an LDAP directory. Users are authenticated properly, but their roles aren't mirrored in JBoss. I tried many configurations in login-config.xml but it still doesn't work. server.log contains the following entries after a user logs in:
2004-03-12 16:44:20,953 TRACE [org.jboss.security.auth.spi.LdapLoginModule] Logged into LDAP server, javax.naming.ldap.InitialLdapContext@ef9d00
2004-03-12 16:44:20,968 TRACE [org.jboss.security.auth.spi.LdapLoginModule] User 'fsmith' authenticated, loginOk=true
2004-03-12 16:44:20,968 TRACE [org.jboss.security.auth.spi.LdapLoginModule] commit, loginOk=true
2004-03-12 16:44:20,968 TRACE [org.jboss.security.plugins.JaasSecurityManager.iqweb] updateCache, subject=Subject: Principal: fsmith Principal: Roles(members)
Below are parts of LDAP schema and login-config.xml. Thanks for any suggestions.
Best regards,
Bart
login-config.xml:
<application-policy name="iqweb">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">
      <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
      <module-option name="java.naming.provider.url">ldap://magnat/</module-option>
      <module-option name="java.naming.security.authentication">simple</module-option>
      <module-option name="principalDNPrefix">uid=</module-option>
      <module-option name="principalDNSuffix">,ou=People,dc=iqtech,dc=pl</module-option>
      <module-option name="rolesCtxDN">ou=Roles,dc=iqtech,dc=pl</module-option>
      <module-option name="matchOnUserDN">true</module-option> <!-- false also doesn't work -->
      <module-option name="uidAttributeID">uniqueMember</module-option>
      <module-option name="roleAttributeID">cn</module-option>
    </login-module>
  </authentication>
</application-policy>
LDAP ldif:
# OU DEFINITIONS

# People OU - for holding records of all individuals
dn: ou=People,dc=iqtech,dc=pl
ou: People
objectClass: top
objectClass: organizationalUnit

# Groups OU - for holding records of groupings of individuals
dn: ou=Groups,dc=iqtech,dc=pl
ou: Groups
objectClass: top
objectClass: organizationalUnit

# Roles OU - for holding records of roles and the groups to which those roles have been assigned
dn: ou=Roles,dc=iqtech,dc=pl
ou: Roles
objectClass: top
objectClass: organizationalUnit

# PEOPLE ENTRIES
dn: uid=lrussell,ou=People,dc=iqtech,dc=pl
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
sn: Russell
cn: Luc
uid: lrussell
userpassword: fgCPCzLOHJSRIhLb756rLfe8E7Y=
mail: lrussell@sample.com

dn: uid=jbloggs,ou=People,dc=iqtech,dc=pl
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
sn: Bloggs
cn: Joe
uid: jbloggs
userpassword: no3XJAZeeb9AKbGNY65/masWpZE=
mail: jbloggs@sample.com

dn: uid=fsmith,ou=People,dc=iqtech,dc=pl
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
sn: Smith
cn: Fred
uid: fsmith
userpassword: kSgNNHCC/WXSjWH3s11BQNE6cKE=
mail: fsmith@sample.com

# GROUPS ENTRIES
dn: cn=Users,ou=Groups,dc=iqtech,dc=pl
objectClass: top
objectClass: groupOfUniqueNames
cn: Users
uniqueMember: uid=jbloggs,ou=People,dc=iqtech,dc=pl
uniqueMember: uid=fsmith,ou=People,dc=iqtech,dc=pl

dn: cn=Member_admins,ou=Groups,dc=iqtech,dc=pl
objectClass: top
objectClass: groupOfUniqueNames
cn: Member_admins
uniqueMember: uid=lrussell,ou=People,dc=iqtech,dc=pl

dn: cn=Everyone,ou=Groups,dc=iqtech,dc=pl
objectClass: top
objectClass: groupOfUniqueNames
cn: Everyone
uniqueMember: uid=jbloggs,ou=People,dc=iqtech,dc=pl
uniqueMember: uid=fsmith,ou=People,dc=iqtech,dc=pl
uniqueMember: uid=lrussell,ou=People,dc=iqtech,dc=pl

# ROLES ENTRIES
dn: cn=Authenticated_users,ou=Roles,dc=iqtech,dc=pl
objectClass: top
objectClass: groupOfUniqueNames
cn: Authenticated_users
uniqueMember: cn=Everyone,ou=Groups,dc=iqtech,dc=pl

dn: cn=Member_admin,ou=Roles,dc=iqtech,dc=pl
objectClass: top
objectClass: groupOfUniqueNames
cn: Member_admin
uniqueMember: cn=Member_admins,ou=Groups,dc=iqtech,dc=pl
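An added example, not part of the original post and not JBoss code: a small offline model of the role search that the posted module options describe (one-level search under rolesCtxDN for entries whose uidAttributeID equals the user DN when matchOnUserDN is true, or the plain username otherwise, collecting roleAttributeID values), run over a trimmed copy of the LDIF from the post. The search scope and matching rule are my reading of the option semantics, not the module's own implementation, and `resolve_via_groups` is a hypothetical extra hop added to make the post's user -> group -> role layout visible; it is not an option the posted config has.

```python
"""Model of an LdapLoginModule-style role lookup over the LDIF posted above.
Assumption: the module does a one-level search under rolesCtxDN for entries
whose uidAttributeID holds the user DN (matchOnUserDN=true) or the username,
and returns each match's roleAttributeID value(s)."""

# Trimmed from the posted LDIF to the attributes the lookup touches (no
# passwords, no objectClass lines); OUs omitted because only entries
# directly under them are searched.
POSTED_LDIF = """\
dn: uid=lrussell,ou=People,dc=iqtech,dc=pl
uid: lrussell

dn: uid=jbloggs,ou=People,dc=iqtech,dc=pl
uid: jbloggs

dn: uid=fsmith,ou=People,dc=iqtech,dc=pl
uid: fsmith

dn: cn=Users,ou=Groups,dc=iqtech,dc=pl
cn: Users
uniqueMember: uid=jbloggs,ou=People,dc=iqtech,dc=pl
uniqueMember: uid=fsmith,ou=People,dc=iqtech,dc=pl

dn: cn=Member_admins,ou=Groups,dc=iqtech,dc=pl
cn: Member_admins
uniqueMember: uid=lrussell,ou=People,dc=iqtech,dc=pl

dn: cn=Everyone,ou=Groups,dc=iqtech,dc=pl
cn: Everyone
uniqueMember: uid=jbloggs,ou=People,dc=iqtech,dc=pl
uniqueMember: uid=fsmith,ou=People,dc=iqtech,dc=pl
uniqueMember: uid=lrussell,ou=People,dc=iqtech,dc=pl

dn: cn=Authenticated_users,ou=Roles,dc=iqtech,dc=pl
cn: Authenticated_users
uniqueMember: cn=Everyone,ou=Groups,dc=iqtech,dc=pl

dn: cn=Member_admin,ou=Roles,dc=iqtech,dc=pl
cn: Member_admin
uniqueMember: cn=Member_admins,ou=Groups,dc=iqtech,dc=pl
"""

# module-options copied from the posted login-config.xml
POSTED_OPTIONS = {
    "principalDNPrefix": "uid=",
    "principalDNSuffix": ",ou=People,dc=iqtech,dc=pl",
    "rolesCtxDN": "ou=Roles,dc=iqtech,dc=pl",
    "matchOnUserDN": "true",
    "uidAttributeID": "uniqueMember",
    "roleAttributeID": "cn",
}


def parse_ldif(text):
    """Minimal LDIF reader: {dn: {attr_lower: [values]}}; attributes are
    case-insensitive in LDAP, so keys are lower-cased."""
    entries = {}
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            attrs.setdefault(key.strip().lower(), []).append(value.strip())
        entries[attrs.pop("dn")[0]] = attrs
    return entries


def one_level(entries, base):
    """Entries directly under `base` (SCOPE_ONELEVEL); DN compare is case-folded."""
    suffix = "," + base.lower()
    return {dn: a for dn, a in entries.items()
            if dn.lower().endswith(suffix) and "," not in dn.lower()[:-len(suffix)]}


def lookup_roles(entries, username, opts):
    """Roles the posted options would yield: match uidAttributeID against the
    user DN (or bare username) one level under rolesCtxDN, return roleAttributeID."""
    user_dn = opts["principalDNPrefix"] + username + opts["principalDNSuffix"]
    needle = (user_dn if opts.get("matchOnUserDN") == "true" else username).lower()
    uid_attr, role_attr = opts["uidAttributeID"].lower(), opts["roleAttributeID"].lower()
    roles = []
    for attrs in one_level(entries, opts["rolesCtxDN"]).values():
        if needle in [v.lower() for v in attrs.get(uid_attr, [])]:
            roles.extend(attrs.get(role_attr, []))
    return roles


def resolve_via_groups(entries, username, opts, groups_ctx_dn):
    """Hypothetical two-hop walk (user -> group -> role) matching the posted tree
    layout. Not expressed by the posted options; here to show the extra hop."""
    user_dn = opts["principalDNPrefix"] + username + opts["principalDNSuffix"]
    uid_attr, role_attr = opts["uidAttributeID"].lower(), opts["roleAttributeID"].lower()
    group_dns = [dn.lower() for dn, a in one_level(entries, groups_ctx_dn).items()
                 if user_dn.lower() in [v.lower() for v in a.get(uid_attr, [])]]
    roles = []
    for attrs in one_level(entries, opts["rolesCtxDN"]).values():
        members = [v.lower() for v in attrs.get(uid_attr, [])]
        if any(g in members for g in group_dns):
            roles.extend(attrs.get(role_attr, []))
    return roles


ENTRIES = parse_ldif(POSTED_LDIF)

if __name__ == "__main__":
    print("posted options     :", lookup_roles(ENTRIES, "fsmith", POSTED_OPTIONS))
    print("rolesCtxDN=Groups  :", lookup_roles(ENTRIES, "fsmith",
          dict(POSTED_OPTIONS, rolesCtxDN="ou=Groups,dc=iqtech,dc=pl")))
    print("two-hop walk       :", resolve_via_groups(ENTRIES, "fsmith", POSTED_OPTIONS,
          "ou=Groups,dc=iqtech,dc=pl"))
```

With the posted options the first lookup returns an empty list for fsmith: the entries one level under ou=Roles carry group DNs in uniqueMember, so neither the user DN nor the bare username ever matches. Pointing rolesCtxDN at ou=Groups instead returns the group names fsmith is a direct member of, and the two-hop walk returns the entries under ou=Roles that reference those groups. Whether a given JBoss release can follow that second hop on its own is something to confirm against the LdapLoginModule documentation for the version in use; the model above does not claim it does.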