LdapLoginModule troubles and fix
dpocock Nov 20, 2005 6:55 AM
Hi,
I've used the LdapLoginModule in previous versions of JBoss and it seemed to work fine.
I've just tried using it with multiple roles and found very weird behaviour. It would tell me that every user was in every role. With the example schema below, it would tell me that user1 is in roles `myldap-ipc', `myldap' and `myldap-admin', when he is only listed as part of `myldap'. I feel that the problem is caused by LdapLoginModule not correctly creating the filter to send to the LDAP server.
I have created MyLdapLoginModule.java with a modified roleFilter and it works the way I would expect:
String uidAttrName = (String) options.get(UID_ATTRIBUTE_ID_OPT);
if (uidAttrName == null)
    uidAttrName = "uid";
String roleAttrName = (String) options.get(ROLE_ATTRIBUTE_ID_OPT);
if (roleAttrName == null)
    roleAttrName = "roles";
// Build the role search filter as "(<uidAttributeID>=<user>)" rather than "(<uidAttributeID>=*)"
StringBuffer roleFilter = new StringBuffer("(");
roleFilter.append(uidAttrName);
// This line commented by Daniel
//roleFilter.append("=*)");
//BasicAttributes matchAttrs = new BasicAttributes(true);
String userToMatch = username;
if (matchOnUserDN == true)
    userToMatch = userDN;
// Added by Daniel
roleFilter.append("=").append(userToMatch).append(")");
Here is a sample of the login-config.xml I have been using:
<application-policy name="myldap-policy">
  <!-- for users -->
  <login-module code="org.jboss.security.auth.spi.MyLdapLoginModule" flag="required">
    <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
    <module-option name="java.naming.provider.url">ldap://localhost:389/</module-option>
    <module-option name="java.naming.security.authentication">simple</module-option>
    <module-option name="principalDNPrefix">uid=</module-option>
    <module-option name="principalDNSuffix">,ou=Webusers,dc=mydomain,dc=net</module-option>
    <module-option name="rolesCtxDN">ou=Roles,dc=mydomain,dc=net</module-option>
    <module-option name="uidAttributeID">member</module-option>
    <module-option name="matchOnUserDN">true</module-option>
    <module-option name="roleAttributeID">cn</module-option>
    <module-option name="roleAttributeIsDN">false</module-option>
    <module-option name="searchScope">ONELEVEL_SCOPE</module-option>
  </login-module>
</application-policy>
Here is an example of my schema (filtered with sed to remove my domain and application name):
# extended LDIF
#
# LDAPv3
# base <ou=Roles,dc=mydomain,dc=net> with scope sub
# filter: (objectclass=*)
# requesting: ALL
#
# Roles, mydomain.net
dn: ou=Roles,dc=mydomain,dc=net
objectClass: top
objectClass: organizationalUnit
ou: Roles
# myldap-ipc, Roles, mydomain.net
dn: cn=myldap-ipc,ou=Roles,dc=mydomain,dc=net
objectClass: top
objectClass: groupOfNames
description: blah
member: uid=ipc-user,ou=Webusers,dc=mydomain,dc=net
cn: myldap-ipc
# myldap-admin, Roles, mydomain.net
dn: cn=myldap-admin,ou=Roles,dc=mydomain,dc=net
description: myldap users
objectClass: top
objectClass: groupOfNames
cn: myldap-admin
member: uid=dpocock,ou=Webusers,dc=mydomain,dc=net
# myldap, Roles, mydomain.net
dn: cn=myldap,ou=Roles,dc=mydomain,dc=net
description: Users of myldap logger
objectClass: top
objectClass: groupOfNames
member: uid=dpocock,ou=Webusers,dc=mydomain,dc=net
member: uid=user1,ou=Webusers,dc=mydomain,dc=net
cn: myldap
# search result
search: 2
result: 0 Success
# numResponses: 5
# numEntries: 4
Regards,
Daniel
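As an added example (not from Daniel's post and not JBoss code), the following Python models the two role filters against the LDIF above: the stock "(member=*)" presence filter, which matches every group that has any member, and the "(member=<userDN>)" equality filter from the patch. It also escapes the value per RFC 4515 so a login name containing "*" or parentheses cannot widen the search; the in-memory filter evaluation and helper names are assumptions for illustration only.

```python
# Constructed from the three groupOfNames entries in the post (objectClass lines trimmed).
LDIF = """\
dn: cn=myldap-ipc,ou=Roles,dc=mydomain,dc=net
member: uid=ipc-user,ou=Webusers,dc=mydomain,dc=net
cn: myldap-ipc

dn: cn=myldap-admin,ou=Roles,dc=mydomain,dc=net
cn: myldap-admin
member: uid=dpocock,ou=Webusers,dc=mydomain,dc=net

dn: cn=myldap,ou=Roles,dc=mydomain,dc=net
member: uid=dpocock,ou=Webusers,dc=mydomain,dc=net
member: uid=user1,ou=Webusers,dc=mydomain,dc=net
cn: myldap
"""

def parse_ldif(text):
    """One dict per entry, attribute name (lower-cased) -> list of values."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            name, _, value = line.partition(":")
            entry.setdefault(name.strip().lower(), []).append(value.strip())
        entries.append(entry)
    return entries

def escape_filter_value(value):
    """RFC 4515 escaping: a uid or DN taken from the login cannot add wildcards or clauses."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)

def role_filter(uid_attr, user_to_match, broken=False):
    """broken=True builds the '(member=*)' presence filter the stock module sent;
    otherwise the equality filter from Daniel's patch, with the value escaped."""
    if broken:
        return "(%s=*)" % uid_attr
    return "(%s=%s)" % (uid_attr, escape_filter_value(user_to_match))

def matching_roles(entries, filt, role_attr="cn"):
    """Evaluate one presence or equality filter over the entries, as the server would,
    and return the role names (roleAttributeID) of the groups that match."""
    attr, _, pattern = filt[1:-1].partition("=")
    roles = []
    for entry in entries:
        values = entry.get(attr.lower(), [])
        if (pattern == "*" and values) or any(escape_filter_value(v) == pattern for v in values):
            roles.append(entry[role_attr][0])
    return roles
```

With matchOnUserDN=true the value passed to role_filter is the full user DN, exactly as in the patched module; the broken filter returns all three roles for user1, the fixed one returns only myldap.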