
    pb with user role in LDAP

    lalakers

      Hi,
      I have configured JBoss to authenticate users against an LDAP directory. Users are authenticated properly, but their roles are not picked up by JBoss. I tried many configurations in login-config.xml, but it still does not work. Server.log contains:

      2005-08-02 07:43:42,444 DEBUG [org.jboss.ejb.plugins.LogInterceptor] SecurityException in method: public abstract java.lang.String securityejbtier.ejb.resource.ResourceManager.remove(securityejbtier.util.ResourceVO) throws java.rmi.RemoteException:
      java.lang.SecurityException: Insufficient method permissions, principal=userManager, ejbName=ResourceManager, method=remove, interface=REMOTE, requiredRoles=[RemoveRole], principalRoles=[]


      principalRoles is empty — why? Below are the relevant parts of the LDAP directory contents (ldif) and of login-config.xml. Thanks for any suggestions.

      login-config.xml:
      <!-- JAAS security domain "LDAPRealm": a single required LdapLoginModule that
           both authenticates the user and collects the user's roles from the directory. -->
      <application-policy name="LDAPRealm">
       <authentication>
       <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">
       <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
       <!-- Plain ldap:// (not ldaps://) combined with a simple bind below means the user's
            password is sent to the directory unencrypted; acceptable only while the
            directory really is reachable on localhost alone. -->
       <module-option name="java.naming.provider.url">ldap://localhost:389/</module-option>
       <module-option name="java.naming.security.authentication">simple</module-option>
       <!-- The user DN is built as principalDNPrefix + username + principalDNSuffix,
            e.g. uid=userManager,ou=People,ou=demo,o=mycompany. -->
       <module-option name="principalDNPrefix">uid=</module-option>
       <module-option name="principalDNSuffix">,ou=People,ou=demo,o=mycompany</module-option>
       <!-- Roles are looked up under ou=Roles; the role name is taken from the cn of
            each matching entry (roleAttributeIsDN is left at its default, false). -->
       <module-option name="rolesCtxDN">ou=Roles,ou=demo,o=mycompany</module-option>
       <module-option name="roleAttributeID">cn</module-option>
       <!-- <module-option name="roleNameAttributeId"></module-option> -->
       <!-- <module-option name="roleAttributeIsDN">false</module-option> -->
       <!-- NOTE(review): the role entries in the ldif store uniqueMember values as full
            user DNs (uid=...,ou=People,ou=demo,o=mycompany). With matchOnUserDN=false the
            module presumably matches the bare username against uniqueMember, which would
            never match a DN and would explain principalRoles=[]; confirm, and try
            matchOnUserDN=true so the full user DN is used as the match value. -->
       <module-option name="uidAttributeID">uniqueMember</module-option>
       <module-option name="matchOnUserDN">false</module-option>
       </login-module>
       </authentication>
      </application-policy>


      LDAP ldif:
      # OU DEFINITIONS
      # Container tree: ou=demo holds People (users), Groups and Roles (groupOfUniqueNames entries).
      dn: ou=demo,o=mycompany
      ou: demo
      objectClass: top
      objectClass: organizationalUnit
      
      dn: ou=People,ou=demo,o=mycompany
      ou: People
      objectClass: top
      objectClass: organizationalUnit
      
      dn: ou=Groups,ou=demo,o=mycompany
      ou: Groups
      objectClass: top
      objectClass: organizationalUnit
      
      dn: ou=Roles,ou=demo,o=mycompany
      ou: Roles
      objectClass: top
      objectClass: organizationalUnit
      
      # PEOPLE ENTRIES
      # NOTE(review): every userPassword below is identical to the uid and is stored as a
      # plain value; this is demo data and should not be reused on a shared directory.
      dn: uid=userProducer,ou=People,ou=demo,o=mycompany
      userPassword: userProducer
      uid: userProducer
      objectClass: top
      objectClass: person
      objectClass: organizationalPerson
      objectClass: inetOrgPerson
      initials: DF
      
      dn: uid=loginProducer,ou=People,ou=demo,o=mycompany
      userPassword: loginProducer
      uid: loginProducer
      objectClass: top
      objectClass: person
      objectClass: organizationalPerson
      objectClass: inetOrgPerson
      initials: GP
      
      dn: uid=userConsumer,ou=People,ou=demo,o=mycompany
      userPassword: userConsumer
      uid: userConsumer
      objectClass: top
      objectClass: person
      objectClass: organizationalPerson
      objectClass: inetOrgPerson
      initials: PL
      
      dn: uid=userManager,ou=People,ou=demo,o=mycompany
      userPassword: userManager
      uid: userManager
      objectClass: top
      objectClass: person
      objectClass: organizationalPerson
      objectClass: inetOrgPerson
      initials: BG
      
      # GROUPS ENTRIES
      # cn=Users lists all four people; it lives under ou=Groups, not ou=Roles, so the
      # login module's rolesCtxDN does not see it.
      dn: cn=Users,ou=Groups,ou=demo,o=mycompany
      objectClass: top
      objectClass: groupOfUniqueNames
      uniqueMember: uid=userProducer,ou=People,ou=demo,o=mycompany
      uniqueMember: uid=loginProducer,ou=People,ou=demo,o=mycompany
      uniqueMember: uid=userConsumer,ou=People,ou=demo,o=mycompany
      uniqueMember: uid=userManager,ou=People,ou=demo,o=mycompany
      cn: Users
      
      # ROLES ENTRIES
      # Each role is a groupOfUniqueNames whose cn is the role name and whose uniqueMember
      # values are full user DNs, not bare uids. A role lookup that matches the bare
      # username against uniqueMember would therefore find no entries here.
      dn: cn=CreateRole,ou=Roles,ou=demo,o=mycompany
      objectClass: top
      objectClass: groupOfUniqueNames
      cn: CreateRole
      uniqueMember: uid=userProducer,ou=People,ou=demo,o=mycompany
      uniqueMember: uid=loginProducer,ou=People,ou=demo,o=mycompany
      uniqueMember: uid=userManager,ou=People,ou=demo,o=mycompany
      
      dn: cn=ConsultRole,ou=Roles,ou=demo,o=mycompany
      objectClass: top
      objectClass: groupOfUniqueNames
      cn: ConsultRole
      uniqueMember: uid=userConsumer,ou=People,ou=demo,o=mycompany
      uniqueMember: uid=userManager,ou=People,ou=demo,o=mycompany
      
      # userManager is the only member of RemoveRole, the role required by the failing
      # ResourceManager.remove call in the log excerpt above.
      dn: cn=RemoveRole,ou=Roles,ou=demo,o=mycompany
      objectClass: top
      objectClass: groupOfUniqueNames
      cn: RemoveRole
      uniqueMember: uid=userManager,ou=People,ou=demo,o=mycompany