pb with user role in LDAP
lalakers Aug 2, 2005 4:11 AM

Hi,
I have configured JBoss to authenticate users in LDAP directory. Users are authenticated properly, but their roles aren't mirrored in JBoss. I tried many configurations in login-config.xml but it still doesn't work. Server.log contains:
2005-08-02 07:43:42,444 DEBUG [org.jboss.ejb.plugins.LogInterceptor] SecurityException in method: public abstract java.lang.String securityejbtier.ejb.resource.ResourceManager.remove(securityejbtier.util.ResourceVO) throws java.rmi.RemoteException: java.lang.SecurityException: Insufficient method permissions, principal=userManager, ejbName=ResourceManager, method=remove, interface=REMOTE, requiredRoles=[RemoveRole], principalRoles=[]
principalRoles is empty, why? Below are parts of the LDAP schema and login-config.xml. Thanks for any suggestions.
login-config.xml:
<application-policy name="LDAPRealm">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">
      <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
      <module-option name="java.naming.provider.url">ldap://localhost:389/</module-option>
      <module-option name="java.naming.security.authentication">simple</module-option>
      <module-option name="principalDNPrefix">uid=</module-option>
      <module-option name="principalDNSuffix">,ou=People,ou=demo,o=mycompany</module-option>
      <module-option name="rolesCtxDN">ou=Roles,ou=demo,o=mycompany</module-option>
      <module-option name="roleAttributeID">cn</module-option>
      <!-- <module-option name="roleNameAttributeId"></module-option> -->
      <!-- <module-option name="roleAttributeIsDN">false</module-option> -->
      <module-option name="uidAttributeID">uniqueMember</module-option>
      <module-option name="matchOnUserDN">false</module-option>
    </login-module>
  </authentication>
</application-policy>
LDAP ldif:
# OU DEFINITIONS
dn: ou=demo,o=mycompany
ou: demo
objectClass: top
objectClass: organizationalUnit

dn: ou=People,ou=demo,o=mycompany
ou: People
objectClass: top
objectClass: organizationalUnit

dn: ou=Groups,ou=demo,o=mycompany
ou: Groups
objectClass: top
objectClass: organizationalUnit

dn: ou=Roles,ou=demo,o=mycompany
ou: Roles
objectClass: top
objectClass: organizationalUnit

# PEOPLE ENTRIES
dn: uid=userProducer,ou=People,ou=demo,o=mycompany
userPassword: userProducer
uid: userProducer
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
initials: DF

dn: uid=loginProducer,ou=People,ou=demo,o=mycompany
userPassword: loginProducer
uid: loginProducer
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
initials: GP

dn: uid=userConsumer,ou=People,ou=demo,o=mycompany
userPassword: userConsumer
uid: userConsumer
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
initials: PL

dn: uid=userManager,ou=People,ou=demo,o=mycompany
userPassword: userManager
uid: userManager
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
initials: BG

# GROUPS ENTRIES
dn: cn=Users,ou=Groups,ou=demo,o=mycompany
objectClass: top
objectClass: groupOfUniqueNames
uniqueMember: uid=userProducer,ou=People,ou=demo,o=mycompany
uniqueMember: uid=loginProducer,ou=People,ou=demo,o=mycompany
uniqueMember: uid=userConsumer,ou=People,ou=demo,o=mycompany
uniqueMember: uid=userManager,ou=People,ou=demo,o=mycompany
cn: Users

# ROLES ENTRIES
dn: cn=CreateRole,ou=Roles,ou=demo,o=mycompany
objectClass: top
objectClass: groupOfUniqueNames
cn: CreateRole
uniqueMember: uid=userProducer,ou=People,ou=demo,o=mycompany
uniqueMember: uid=loginProducer,ou=People,ou=demo,o=mycompany
uniqueMember: uid=userManager,ou=People,ou=demo,o=mycompany

dn: cn=ConsultRole,ou=Roles,ou=demo,o=mycompany
objectClass: top
objectClass: groupOfUniqueNames
cn: ConsultRole
uniqueMember: uid=userConsumer,ou=People,ou=demo,o=mycompany
uniqueMember: uid=userManager,ou=People,ou=demo,o=mycompany

dn: cn=RemoveRole,ou=Roles,ou=demo,o=mycompany
objectClass: top
objectClass: groupOfUniqueNames
cn: RemoveRole
uniqueMember: uid=userManager,ou=People,ou=demo,o=mycompany
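As an added illustration (not code from the post or from JBoss), the Python below models how LdapLoginModule's role search uses the matchOnUserDN and uidAttributeID options, run offline against a constructed subset of the ou=Roles entries above: with matchOnUserDN=false the search value is the bare username, which no uniqueMember value equals, so the role list is empty; with matchOnUserDN=true the full user DN built from principalDNPrefix/principalDNSuffix is matched. The search semantics follow the module's documented options; the LDIF parser and the OPTS dictionary are the example's own.

```python
LDIF = """
# constructed subset of the post's ou=Roles entries (example data, not the full LDIF)
dn: cn=ConsultRole,ou=Roles,ou=demo,o=mycompany
objectClass: groupOfUniqueNames
cn: ConsultRole
uniqueMember: uid=userConsumer,ou=People,ou=demo,o=mycompany
uniqueMember: uid=userManager,ou=People,ou=demo,o=mycompany

dn: cn=RemoveRole,ou=Roles,ou=demo,o=mycompany
objectClass: groupOfUniqueNames
cn: RemoveRole
uniqueMember: uid=userManager,ou=People,ou=demo,o=mycompany
"""

def parse_ldif(text):
    """Parse minimal LDIF into a list of (dn, {attr: [values]}) tuples."""
    entries, current = [], None
    for line in text.splitlines():
        attr, _, value = line.partition(":")
        attr, value = attr.strip(), value.strip()
        if attr == "dn":              # each dn line starts a new entry
            current = (value, {})
            entries.append(current)
        elif value and current is not None:   # blank and comment lines are skipped
            current[1].setdefault(attr, []).append(value)
    return entries

def lookup_roles(entries, opts, username):
    """Model of the role search: entries under rolesCtxDN whose uidAttributeID
    holds the user DN (matchOnUserDN=true) or the bare username (false)."""
    user_dn = opts["principalDNPrefix"] + username + opts["principalDNSuffix"]
    match_value = user_dn if opts["matchOnUserDN"] else username
    roles = []
    for dn, attrs in entries:
        if not dn.lower().endswith("," + opts["rolesCtxDN"].lower()):
            continue
        if match_value in attrs.get(opts["uidAttributeID"], []):
            roles.extend(attrs.get(opts["roleAttributeID"], []))
    return roles

OPTS = {  # option values taken from the question's login-config.xml
    "principalDNPrefix": "uid=", "principalDNSuffix": ",ou=People,ou=demo,o=mycompany",
    "rolesCtxDN": "ou=Roles,ou=demo,o=mycompany", "roleAttributeID": "cn",
    "uidAttributeID": "uniqueMember", "matchOnUserDN": False,
}

if __name__ == "__main__":
    print(lookup_roles(parse_ldif(LDIF), OPTS, "userManager"))
    print(lookup_roles(parse_ldif(LDIF), dict(OPTS, matchOnUserDN=True), "userManager"))
```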