2 Replies Latest reply on Apr 18, 2005 1:36 AM by holger.willenborg

    LDAP and Domino: Groups without Context

    holger.willenborg

      Hi out there,

      Groups in Domino are located in the root of the LDAP directory. When using LDAP for authentication with the "rolesCtxDN" option, authentication fails (using JBoss 4.0.1sp1).

      This is my configuration, most important seems the "rolesCtxDN" module option:

      <application-policy name="client-login">
        <authentication>
          <login-module code="org.jboss.security.auth.spi.LdapLoginModule"
                        flag="required">
            <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
            <module-option name="java.naming.provider.url">ldap://mydominosrv:389/</module-option>
            <module-option name="java.naming.security.authentication">simple</module-option>

            <module-option name="principalDNPrefix">cn=</module-option>
            <module-option name="principalDNSuffix">,ou=myou,o=myorg</module-option>

            <module-option name="rolesCtxDN"></module-option>

            <module-option name="uidAttributeID">member</module-option>
            <module-option name="matchOnUserDN">true</module-option>

            <module-option name="roleAttributeID">cn</module-option>
            <module-option name="roleAttributeIsDN">false</module-option>
          </login-module>
        </authentication>
      </application-policy>

      I found that (only) authentication will work using an invalid entry such as the following (of course the roles cannot be resolved and I get "Access denied"):
      <module-option name="rolesCtxDN">dontcare</module-option>

      I found at least one post here which tried this:
      <module-option name="rolesCtxDN"></module-option>

      But this fails and obviously kills the whole authentication config. After that I get an immediate "Login failed", not even an "access denied".

      How can I use the "empty" context for the roles? There is nothing like "/" (for root directories) in LDAP. Any experience with Domino LDAP is appreciated!

      Any hint on how to find more logging information is appreciated! I already tried something like "DEBUG" for "org" categories in the log4j.xml. This gave me tons of logs, but nothing about the LDAP authentication.

      Thanks
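An added illustration, not part of the original post and not JBoss code: a small in-memory model of the two steps the module options above drive, a simple bind on the DN built from principalDNPrefix/principalDNSuffix, then a subtree search of rolesCtxDN for entries whose uidAttributeID (member) holds the user's DN (matchOnUserDN), returning the roleAttributeID (cn) values. The directory, user and group are constructed sample data; the model follows plain LDAP subtree semantics, where an empty base means the root, which is the behaviour the post is after (it does not reproduce the "Login failed" reported for JBoss 4.0.1sp1).

```python
# Constructed directory: DN -> attributes. The user lives under ou=myou,o=myorg
# (matching the prefix/suffix options); the group sits in the root, as the
# post says Domino groups do.
DIRECTORY = {
    "cn=alice,ou=myou,o=myorg": {"userPassword": ["s3cret"]},
    "cn=JBossAdmins": {"objectClass": ["groupOfNames"],
                       "cn": ["JBossAdmins"],
                       "member": ["cn=alice,ou=myou,o=myorg"]},
}

OPTIONS = {  # the module options from the post, minus the JNDI plumbing
    "principalDNPrefix": "cn=",
    "principalDNSuffix": ",ou=myou,o=myorg",
    "uidAttributeID": "member",    # attribute that must hold the user DN
    "roleAttributeID": "cn",       # attribute whose value becomes the role
}

def _in_subtree(dn: str, base: str) -> bool:
    """Subtree scope: an empty base (the root) covers every entry."""
    return base == "" or dn == base or dn.endswith("," + base)

def bind(user_dn: str, password: str) -> bool:
    """Simple bind: the credential check, done before any role lookup."""
    entry = DIRECTORY.get(user_dn)
    return entry is not None and password in entry.get("userPassword", [])

def lookup_roles(user_dn: str, roles_ctx_dn: str) -> list:
    """Search roles_ctx_dn for entries listing user_dn in uidAttributeID."""
    uid_attr, role_attr = OPTIONS["uidAttributeID"], OPTIONS["roleAttributeID"]
    roles = []
    for dn, attrs in DIRECTORY.items():
        if _in_subtree(dn, roles_ctx_dn) and user_dn in attrs.get(uid_attr, []):
            roles.extend(attrs.get(role_attr, []))
    return roles

def login(username: str, password: str, roles_ctx_dn: str):
    """None: bind rejected ("Login failed"); []: bound, no roles ("Access denied")."""
    user_dn = OPTIONS["principalDNPrefix"] + username + OPTIONS["principalDNSuffix"]
    if not bind(user_dn, password):
        return None
    return lookup_roles(user_dn, roles_ctx_dn)

if __name__ == "__main__":
    # bound, but no group found under a bogus base -> no roles
    print(login("alice", "s3cret", "dontcare"))  # []
    # root base: the root-level group is found -> ['JBossAdmins']
    print(login("alice", "s3cret", ""))
```

The second call shows why a base of "o=myorg" would also miss a root-level group: subtree scope only descends from the base, so the group must lie under it.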