authenticating to LDAP on an Apple Xserve?
kerneljack Mar 14, 2005 12:29 PM
Hi, I'm currently using JBoss-2.4.4 and am trying to log in to the LDAP server on an Apple Xserve machine. I'm a newcomer to LDAP and I don't understand what I'm doing wrong.
I'm using the org.jboss.security.ClientLoginModule on the client side to login, and on the server side I have defined the following in auth.conf:
myldap {
org.jboss.security.auth.spi.LdapLoginModule required
java.naming.factory.initial="com.sun.jndi.ldap.LdapCtxFactory"
java.naming.provider.url="ldap://192.168.2.25:389"
java.naming.security.authentication="simple"
principalDNPrefix="uid="
principalDNSuffix=",cn=users,dc=localdomain"
matchOnUserDN="true"
rolesCtxDN="cn=groups,dc=localdomain"
roleAttributeName="memberUid"
roleAttributeIsDN="false"
;
};
I've tried many different combinations of these values and I think I have managed to log in with the principal, but roles are not working. I get the following error each time I try to log in:
[ERROR,SecurityInterceptor] Insufficient method permissions, principal=admin2, method=create, requiredRoles=[Staff], principalRoles=[]
This seems to suggest that my roles are not being mapped. I am attaching the 'users' and 'group' snippets of the Xserve's schema which I exported to LDIF:
FOR the USERS:
dn: cn=users, dc=localdomain
objectClass: container
cn: users
dn: uid=admin2, cn=users, dc=localdomain
apple-user-homeurl: <home_dir>afp://192.168.2.25/Usersadmin2</home_dir>
apple-generateduid: 964B2758-6896-11D9-81D5-000393BB05EC
sn: 99
userPassword:: xxxxxxxxx
loginShell: /bin/bash
uidNumber: 1025
gidNumber: 20
authAuthority: ;ApplePasswordServer; xxxxxxxxxx root@server.localdomain:192.168.2.25
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: apple-user
objectClass: extensibleObject
objectClass: organizationalPerson
objectClass: top
objectClass: person
uid: admin2
cn: admin2
homeDirectory: /Users/admin2
FOR the GROUPS:
dn: cn=groups, dc=localdomain
objectClass: container
cn: groups
dn: cn=clientservices, cn=groups, dc=localdomain
gidNumber: 1025
memberUid: someone
memberUid: admin2
apple-group-realname: clientservices
apple-generateduid: A5D8329C-6897-11D9-81D5-000393BB05EC
objectClass: posixGroup
objectClass: apple-group
objectClass: extensibleObject
objectClass: top
cn: clientservices
As you can see from the exception, I am trying to log in as 'admin2', and 'admin2' is a member of the 'clientservices' group; however, it does not seem to be able to find this mapping.
I am also confused as to whether I should be 'authenticating' using this method, or whether I can merely create an InitialContext using the LDAP server from within my code, give it the credentials and log in successfully. If I do this, I suppose I will lose the benefit of declarative security on the server side, won't I? I.e., I think I will then have to manage method-level permissions myself?
Any help appreciated, thanks,
Khusro
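The following is an added example, not code from the post above or from JBoss. It models the role search that the JBoss LdapLoginModule performs against the LDIF fragments quoted in the post (embedded here as a constructed sample, trimmed to the attributes that matter and with the password and authAuthority values left out), so the effect of the auth.conf options can be checked offline. The rule it applies is the one the JBoss LdapLoginModule documentation describes: search rolesCtxDN for entries whose uid attribute (default uid) equals either the bare username or, with matchOnUserDN, the user's full DN, and collect the role attribute from each matching entry. The option names in the code (uid attribute, role attribute, matchOnUserDN) are passed as plain parameters; the exact spelling the 2.4.4 module expects (roleAttributeName/uidAttributeName as in the post, or roleAttributeID/uidAttributeID as in later releases) is an assumption the reader should check against that version's documentation.

```python
"""Model of the JBoss LdapLoginModule role lookup, run over the posted LDIF.

Added example (not from the post or from JBoss).  The LDIF below is a
constructed sample copied from the post's 'users' and 'groups' snippets,
trimmed to the attributes the role search touches.
"""
from typing import Dict, List

LDIF_SAMPLE = """\
dn: cn=users, dc=localdomain
objectClass: container
cn: users

dn: uid=admin2, cn=users, dc=localdomain
objectClass: inetOrgPerson
objectClass: posixAccount
uid: admin2
cn: admin2
uidNumber: 1025
gidNumber: 20

dn: cn=groups, dc=localdomain
objectClass: container
cn: groups

dn: cn=clientservices, cn=groups, dc=localdomain
gidNumber: 1025
memberUid: someone
memberUid: admin2
objectClass: posixGroup
cn: clientservices
"""

Entry = Dict[str, List[str]]


def normalize_dn(dn: str) -> str:
    # The exported LDIF writes DNs with a space after each comma; compare
    # DNs with that whitespace removed and case-folded.
    return ",".join(part.strip() for part in dn.split(",")).lower()


def parse_ldif(text: str) -> List[Entry]:
    """Minimal LDIF reader: one 'attr: value' per line, entries blank-line separated.
    'attr:: value' (base64, e.g. userPassword::) is kept as the raw string."""
    entries: List[Entry] = []
    current: Entry = {}
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):
            value = value[1:]
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def lookup_roles(entries: List[Entry], username: str, user_dn: str,
                 roles_ctx_dn: str, uid_attr: str, role_attr: str,
                 match_on_user_dn: bool) -> List[str]:
    """Return the role names the module would collect for this user.

    Assumed semantics (from the JBoss LdapLoginModule docs): search the subtree
    under rolesCtxDN for entries whose uid_attr holds the match value, then
    read role_attr from every hit.  matchOnUserDN selects the full DN as the
    match value instead of the bare username."""
    match_value = user_dn if match_on_user_dn else username
    ctx = normalize_dn(roles_ctx_dn)
    roles: List[str] = []
    for entry in entries:
        dn = normalize_dn(entry["dn"][0])
        if dn == ctx or not dn.endswith("," + ctx):
            continue  # outside the roles context
        values = entry.get(uid_attr, [])
        if match_on_user_dn:
            hit = any(normalize_dn(v) == normalize_dn(match_value) for v in values)
        else:
            hit = any(v.lower() == match_value.lower() for v in values)
        if hit:
            roles.extend(entry.get(role_attr, []))
    return roles


USER = "admin2"
USER_DN = "uid=admin2, cn=users, dc=localdomain"
ROLES_CTX = "cn=groups, dc=localdomain"


def roles_with_posted_options() -> List[str]:
    """The post's auth.conf: no uid attribute given (defaults to uid),
    matchOnUserDN=true, roles read from memberUid.  The posixGroup entries
    carry no 'uid' attribute, so nothing matches and the roles come back empty,
    which is the principalRoles=[] seen in the SecurityInterceptor error."""
    return lookup_roles(parse_ldif(LDIF_SAMPLE), USER, USER_DN, ROLES_CTX,
                        uid_attr="uid", role_attr="memberUid", match_on_user_dn=True)


def roles_with_corrected_options() -> List[str]:
    """Options that fit a posixGroup layout: match the bare username against
    memberUid and take the role name from the group's cn."""
    return lookup_roles(parse_ldif(LDIF_SAMPLE), USER, USER_DN, ROLES_CTX,
                        uid_attr="memberUid", role_attr="cn", match_on_user_dn=False)


if __name__ == "__main__":
    print("posted options   ->", roles_with_posted_options())      # []
    print("corrected options->", roles_with_corrected_options())   # ['clientservices']
```

The two functions at the bottom contrast the posted options with a set that matches the posixGroup layout in the LDIF (bare username against memberUid, role name from cn). One further caveat for the posted config, independent of the role mapping: a simple bind over plain ldap://192.168.2.25:389 sends the user's password in cleartext, so an ldaps:// URL or TLS on that connection is what a production setup would use.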