3 Replies Latest reply on Aug 30, 2004 11:37 AM by zparticle

[LdapLoginModule] Problem when principalDNSuffix = rolesCtxD

ottoberg Aug 27, 2004 5:21 AM

I have to authenticate and authorize users against the following LDAP schema:

o=myCorp,c=DE ---
 |
 ---> ou=Users,... ---
 |
 ---> uid=joedev...
 uid: uid=joedev,ou=Users,...
 realName: Joe Develop
 memberOf: role1
 memberOf: role2
 userPassword: xZ...jk=

What makes this different from the example configuration to be found in AdminDevel_323.pdf - which I have been studying inside out - is that a user's roles are stored in the same node as the user himself.

My realm definition thus far is

<login-module code = "org.jboss.security.auth.spi.LdapLoginModule" flag = "required">
 <module-option name = "java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
 <module-option name = "java.naming.security.authentication">simple</module-option>
 <module-option name = "java.naming.provider.url">ldap://localhost:389/</module-option>
 <module-option name = "principalDNPrefix">uid=</module-option>
 <module-option name = "principalDNSuffix">,ou=Users,o=myCorp,c=DE</module-option>
 <module-option name = "uidAttributeID">uid</module-option>
 <module-option name = "matchOnUserDN">false</module-option>
 <module-option name = "allowEmptyPasswords">false</module-option>
 <module-option name = "hashAlgorithm">SHA-1</module-option>
 <module-option name = "hashCharset">UTF-8</module-option>
 <module-option name = "hashEncoding">base64</module-option>
 <module-option name = "rolesCtxDN">ou=Users,o=myCorp,c=DE</module-option>
 <module-option name = "roleAttributeID">memberOf</module-option>
</login-module>

Using this config under JBoss 3.2.1 I succeeded in authenticating user joedev, but failed to assert his roles role1, role2, ... . I have been studying the source code for LdapLoginModule and have tracing for org.jboss.security enabled, so I know that my module-options are passed in as intended. Still JBoss fails to find the roles stored in the memberOf attribute. Any help would be greatly appreciated.

On a different note: studying the LdapLoginModule source I notice that for the roles search to succeed at all the value of the uidAttributeId attribute (uid) must be the authenticated user's full DN (principalDNPrefix + joedev + principalDNSuffix), NOT just his username (joedev) as I would have expected. Is this behaviour intended?

Regards,

Olaf Bergner

1. Correction: [LdapLoginModule] Problem when principalDNSuffix

ottoberg Aug 27, 2004 5:26 AM (in response to ottoberg)

Forget the afterthought about the uidAttributeId's value which must be set to the user's full DN. This is of cource only true if matchOnUserDN is set to true.

Still I wonder why authorization fails.

Regards,

Olaf Bergner
Actions
2. Re: [LdapLoginModule] Problem when principalDNSuffix = roles

starksm64 Aug 27, 2004 7:45 PM (in response to ottoberg)

The search used by the LdapLoginModule for roles is restricted to just one level below the named context. Therefore, your schema does not match its expectations since the context with the roles is under ou=Users,o=myCorp,c=DE more than one level deep. A generalization to allow subtree searches would be needed to support your schema.
Actions
3. Re: [LdapLoginModule] Problem when principalDNSuffix = roles

zparticle Aug 30, 2004 11:37 AM (in response to ottoberg)

I had a similar problem please see if the code I posted in http://www.jboss.org/index.html?module=bb&op=viewtopic&t=53499 will help you out.
Actions

Go to original post