0 Replies Latest reply on Nov 20, 2005 6:55 AM by dpocock

    LdapLoginModule troubles and fix

    dpocock

      Hi,

      I've used the LdapLoginModule in previous versions of JBoss and it seemed to work fine.

      I've just tried using it with multiple roles and found very weird behaviour. It would tell me that every user was in every role. With the example schema below, it would tell me that user1 is in roles 'myldap-ipc', 'myldap' and 'myldap-admin', when he is only listed as part of 'myldap'. I feel that the problem is caused by LdapLoginModule not correctly creating the filter to send to the LDAP server.

      I have created MyLdapLoginModule.java with a modified roleFilter and it works the way I would expect:

      String uidAttrName = (String) options.get(UID_ATTRIBUTE_ID_OPT);
      if (uidAttrName == null)
          uidAttrName = "uid";
      String roleAttrName = (String) options.get(ROLE_ATTRIBUTE_ID_OPT);
      if (roleAttrName == null)
          roleAttrName = "roles";

      // Build the filter used to search rolesCtxDN for the user's roles.
      StringBuffer roleFilter = new StringBuffer("(");
      roleFilter.append(uidAttrName);
      // This line commented by Daniel: "=*" is a presence test, so the
      // filter "(member=*)" matches every role entry that has any member.
      //roleFilter.append("=*)");
      //BasicAttributes matchAttrs = new BasicAttributes(true);

      // Match on the bare username, or on the full user DN when
      // matchOnUserDN is set (the DN is what groupOfNames.member holds).
      String userToMatch = username;
      if (matchOnUserDN)
          userToMatch = userDN;

      // Added by Daniel: equality filter "(<uidAttributeID>=<userToMatch>)".
      roleFilter.append("=").append(userToMatch).append(")");

      Here is a sample of the login-config.xml I have been using:

      <application-policy name="myldap-policy">

      <!-- for users -->
      <login-module code="org.jboss.security.auth.spi.MyLdapLoginModule" flag="required">
      <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
      <module-option name="java.naming.provider.url">ldap://localhost:389/</module-option>
      <module-option name="java.naming.security.authentication">simple</module-option>
      <module-option name="principalDNPrefix">uid=</module-option>
      <module-option name="principalDNSuffix">,ou=Webusers,dc=mydomain,dc=net</module-option>
      <module-option name="rolesCtxDN">ou=Roles,dc=mydomain,dc=net</module-option>
      <module-option name="uidAttributeID">member</module-option>
      <module-option name="matchOnUserDN">true</module-option>
      <module-option name="roleAttributeID">cn</module-option>
      <module-option name="roleAttributeIsDN">false</module-option>
      <module-option name="searchScope">ONELEVEL_SCOPE</module-option>
      </login-module>

      </application-policy>

      Here is an example of my schema (filtered with sed to remove my domain and application name):

      # extended LDIF
      #
      # LDAPv3
      # base <ou=Roles,dc=mydomain,dc=net> with scope sub
      # filter: (objectclass=*)
      # requesting: ALL
      #

      # Roles, mydomain.net
      dn: ou=Roles,dc=mydomain,dc=net
      objectClass: top
      objectClass: organizationalUnit
      ou: Roles

      # myldap-ipc, Roles, mydomain.net
      dn: cn=myldap-ipc,ou=Roles,dc=mydomain,dc=net
      objectClass: top
      objectClass: groupOfNames
      description: blah
      member: uid=ipc-user,ou=Webusers,dc=mydomain,dc=net
      cn: myldap-ipc

      # myldap-admin, Roles, mydomain.net
      dn: cn=myldap-admin,ou=Roles,dc=mydomain,dc=net
      description: myldap users
      objectClass: top
      objectClass: groupOfNames
      cn: myldap-admin
      member: uid=dpocock,ou=Webusers,dc=mydomain,dc=net

      # myldap, Roles, mydomain.net
      dn: cn=myldap,ou=Roles,dc=mydomain,dc=net
      description: Users of myldap logger
      objectClass: top
      objectClass: groupOfNames
      member: uid=dpocock,ou=Webusers,dc=mydomain,dc=net
      member: uid=user1,ou=Webusers,dc=mydomain,dc=net
      cn: myldap

      # search result
      search: 2
      result: 0 Success

      # numResponses: 5
      # numEntries: 4

      Regards,

      Daniel
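
The behaviour described in the post can be reproduced offline against its own LDIF. The following is an added example (Python rather than Java, and not JBoss code): a toy LDIF reader, the two role filters (the presence filter the post says the shipped module sent, and Daniel's equality filter), and a small evaluator that matches presence, equality and substring filter items the way an LDAP server would, with RFC 4515 value escaping. The LDIF, rolesCtxDN, principalDNPrefix/Suffix and uidAttributeID=member are taken from the post; the escape step is this example's addition, because the posted fix appends userToMatch to the filter verbatim. With matchOnUserDN=true a login name of `*` becomes `(member=uid=*,ou=Webusers,...)`, a substring filter that again matches every group, which the escaped form avoids. The `__main__` block prints the four cases.

```python
"""Offline model of the LdapLoginModule role search from the post (added
example, not JBoss code): toy LDIF reader, RFC 4515 escaping, filter matcher."""
import re

# Role subtree as shown in the post's LDIF (comments and descriptions dropped).
LDIF_SAMPLE = """\
dn: ou=Roles,dc=mydomain,dc=net
objectClass: organizationalUnit
ou: Roles

dn: cn=myldap-ipc,ou=Roles,dc=mydomain,dc=net
objectClass: groupOfNames
member: uid=ipc-user,ou=Webusers,dc=mydomain,dc=net
cn: myldap-ipc

dn: cn=myldap-admin,ou=Roles,dc=mydomain,dc=net
objectClass: groupOfNames
cn: myldap-admin
member: uid=dpocock,ou=Webusers,dc=mydomain,dc=net

dn: cn=myldap,ou=Roles,dc=mydomain,dc=net
objectClass: groupOfNames
member: uid=dpocock,ou=Webusers,dc=mydomain,dc=net
member: uid=user1,ou=Webusers,dc=mydomain,dc=net
cn: myldap
"""

ROLES_CTX_DN = "ou=Roles,dc=mydomain,dc=net"      # from login-config.xml in the post
PRINCIPAL_DN_PREFIX = "uid="
PRINCIPAL_DN_SUFFIX = ",ou=Webusers,dc=mydomain,dc=net"

def parse_ldif(text):
    """Toy LDIF reader: one {attr_lowercase: [values]} dict per entry."""
    entries, cur = [], {}
    for line in (text + "\n").splitlines():
        if not line.strip():
            if "dn" in cur:
                entries.append(cur)
            cur = {}
            continue
        attr, _, value = line.partition(":")
        cur.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries

def escape_filter_value(value):
    """RFC 4515 escaping so user-supplied text is matched literally."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def user_dn(username):  # principalDNPrefix + username + principalDNSuffix
    return PRINCIPAL_DN_PREFIX + username + PRINCIPAL_DN_SUFFIX

def original_role_filter(uid_attr):
    """The presence filter the post says the shipped module produced."""
    return "(%s=*)" % uid_attr

def patched_role_filter(uid_attr, user_to_match, escape=True):
    """Daniel's equality filter; the escape step is this example's addition."""
    if escape:
        user_to_match = escape_filter_value(user_to_match)
    return "(%s=%s)" % (uid_attr, user_to_match)

def _value_regex(raw):
    """Assertion value -> regex: '\\XX' is a literal byte, a bare '*' a wildcard."""
    parts, i = [], 0
    while i < len(raw):
        if raw[i] == "\\" and re.fullmatch(r"[0-9a-fA-F]{2}", raw[i + 1:i + 3]):
            parts.append(re.escape(chr(int(raw[i + 1:i + 3], 16))))
            i += 3
        else:
            parts.append(".*" if raw[i] == "*" else re.escape(raw[i]))
            i += 1
    return re.compile("".join(parts), re.IGNORECASE | re.DOTALL)

def matches(filter_str, entry):
    """Evaluate one (attr=value) item; compound filters are rejected."""
    m = re.fullmatch(r"\(([A-Za-z][\w-]*)=([^()]*)\)", filter_str)
    if not m:
        raise ValueError("unsupported filter: %r" % filter_str)
    pattern = _value_regex(m.group(2))
    return any(pattern.fullmatch(v) for v in entry.get(m.group(1).lower(), []))

def roles_for(entries, filter_str, roles_ctx_dn=ROLES_CTX_DN, role_attr="cn"):
    """searchScope=ONELEVEL_SCOPE under rolesCtxDN, returning roleAttributeID values."""
    found = []
    for e in entries:
        if e["dn"][0].partition(",")[2].lower() != roles_ctx_dn.lower():
            continue  # not a direct child of rolesCtxDN
        if matches(filter_str, e):
            found.extend(e.get(role_attr.lower(), []))
    return sorted(found)

if __name__ == "__main__":
    entries = parse_ldif(LDIF_SAMPLE)
    print("shipped filter, user1 :", roles_for(entries, original_role_filter("member")))
    print("patched filter, user1 :", roles_for(entries, patched_role_filter("member", user_dn("user1"))))
    print("login name '*', raw   :", roles_for(entries, patched_role_filter("member", user_dn("*"), escape=False)))
    print("login name '*', escaped:", roles_for(entries, patched_role_filter("member", user_dn("*"))))
```

The first line reproduces the symptom in the post (user1 in all three roles), the second shows the patched filter returning only 'myldap', and the last two show why the value should be escaped before it is appended.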