1 Reply Latest reply on Mar 31, 2004 8:16 PM by starksm64

again a problem with LdapLoginModule

fauge Mar 29, 2004 9:37 AM

Hi,

I searched in the forum, and found things, but never all the correct informations somewhere. I also read the jaas-howto, but not much about ldap.
Well it's been 2 days, and I can't have the roles for my users !

First, the ldap structure:
This is the Tomcat sample schema which is exactly the structure I have here.

dc=mycompany,dc=com
|_
 ou=people
 |_
 uid=user1
 |_
 uid=user2
|_
 ou=groups
 |_
 cn=role1
 uniqueMember=uid=user1,ou=people,dc=mycompany,dc=com
 uniqueMember=uid=user2,ou=people,dc=mycompany,dc=com
 |_
 cn=role2
 uniqueMember=uid=user2,ou=people,dc=mycompany,dc=com

I can authenticate users (on openldap), but they never have their roles...
I'm sure about my ldap, it works nice with Tomcat.

Here is my config:

 <application-policy name="sicliRealm">
 <authentication>
 <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">
 <module-option

name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
 <module-option name="java.naming.provider.url">ldap://localhost:389/</module-option>
 <module-option name="java.naming.security.authentication">simple</module-option>
 <module-option name="principalDNPrefix">uid=</module-option>
 <module-option name="principalDNSuffix">,ou=people,dc=mycompany,dc=com</module-option>
 <module-option name="rolesCtxDN">ou=groups,dc=mycompany,dc=com</module-option>
 <module-option name="uidAttributeID">uniqueMember</module-option>
 <module-option name="roleAttributeID">cn</module-option>
 <module-option name="matchOnUserDN">false</module-option>
 </login-module>
 </authentication>
 </application-policy>

I tried so many combinations, but never had any roles on a user.
So my first question is, what's wrong ? how should I setup the LdapLoginModule ?

My second problem is with Oracle OID, it needs authentification before any ldap access.
I tried those properties (found somewhere in the forum) but nothing changed:

<module-option name="java.naming.security.principal">uid=user1,ou=people,dc=mycompany,dc=com</module-option>
<module-option name="java.naming.security.credentials">user1Pass</module-option>

How to be authenticated ?

Thanks a lot,
Frederic

1. Re: again a problem with LdapLoginModule

starksm64 Mar 31, 2004 8:16 PM (in response to fauge)
The LdapLoginModule does not support your roles schema. It expects a schema like the following:

dc=mycompany,dc=com |_ ou=people |_ uid=user1 |_ uid=user2 |_ ou=groups |_ uniqueMember=uid=user1,ou=people,dc=mycompany,dc=com +role=role11,role=role12 |_ uniqueMember=uid=user2,ou=people,dc=mycompany,dc=com +role=role21,role=role22

Write your own variation that changes the ldap query for the roles.
Actions