EJB3 OpenLDAP LdapLoginModule role validation failure
schuller007 Mar 31, 2006 6:06 PM

EJB3 Code:
@Stateless
@SecurityDomain ("test")
@RolesAllowed("Allora-User")
public class EJBOps implements EJBOpsRemote {...}
If I do not specify the RolesAllowed, a remote client gets authenticated OK and is able to call the EJB.
With the RolesAllowed in, I get: "Insufficient permissions, principal=test1, requiredRoles=[Allora-User], principalRoles=[]"
Not sure why the principalRoles is empty.
login-config.xml:
<application-policy name="test">
  <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">
    <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
    <module-option name="user.provider.url">ldap://padymelon/ou=People,dc=padymelon,dc=abc,dc=com</module-option>
    <module-option name="group.provider.url">ldap://padymelon/ou=People,dc=padymelon,dc=abc,dc=com</module-option>
    <module-option name="java.naming.provider.url">ldap://padymelon:389/</module-option>
    <module-option name="java.naming.security.authentication">simple</module-option>
    <module-option name="principalDNPrefix">uid=</module-option>
    <module-option name="principalDNSuffix">,ou=People,dc=padymelon,dc=abc,dc=com</module-option>
    <module-option name="rolesCtxDN">ou=Group,dc=padymelon,dc=abc,dc=com</module-option>
    <module-option name="uidAttributeID">member</module-option>
    <module-option name="matchOnUserDN">true</module-option>
    <module-option name="roleAttributeID">cn</module-option>
    <module-option name="roleAttributeIsDN">false</module-option>
    <module-option name="roleNameAttributeID">name</module-option>
    <module-option name="allowEmptyPasswords">false</module-option>
    <module-option name="searchTimeLimit">5000</module-option>
  </login-module>
</application-policy>
OpenLDAP Schema:
# LDIF Export for: dc=padymelon,dc=abc,dc=com
# Generated by phpLDAPadmin ( http://phpldapadmin.sourceforge.net/ ) on March 31, 2006 3:00 pm
# Server: Padymelon (localhost)
# Search Scope: sub
# Search Filter: (objectClass=*)
# Total Entries: 8
dn: dc=padymelon,dc=abc,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: abc
dc: padymelon

dn: cn=admin,dc=padymelon,dc=abc,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword: {crypt}1VzCGZDqLJ9gk

dn: ou=Group,dc=padymelon,dc=abc,dc=com
ou: Group
objectClass: top
objectClass: organizationalUnit

dn: cn=Allora-Eng,ou=Group,dc=padymelon,dc=abc,dc=com
cn: Allora-Eng
gidNumber: 1001
memberUid: test2
objectClass: posixGroup
objectClass: top

dn: cn=Allora-User,ou=Group,dc=padymelon,dc=abc,dc=com
gidNumber: 1000
memberUid: test1
memberUid: test2
objectClass: posixGroup
objectClass: top
cn: Allora-User

dn: ou=People,dc=padymelon,dc=abc,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit

dn: uid=test1,ou=People,dc=padymelon,dc=abc,dc=com
userPassword: {SMD5}CTQgwdPkl7p42Jt3mjbJ2WZqynM=
loginShell: /bin/false
uidNumber: 1050
gidNumber: 1010
objectClass: posixAccount
objectClass: shadowAccount
objectClass: account
uid: test1
gecos: testuser1
shadowLastChange: 13090
cn: testuser1
homeDirectory: /home/test1

dn: uid=test2,ou=People,dc=padymelon,dc=abc,dc=com
userPassword: {SMD5}HgYFdQN7wkkNxIfSmSwUtCGb2so=
loginShell: /bin/false
uidNumber: 1051
gidNumber: 1010
objectClass: posixAccount
objectClass: shadowAccount
objectClass: account
uid: test2
gecos: testuser2
shadowLastChange: 13090
cn: testuser2
homeDirectory: /home/test2
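The following script is an added example, not part of the post above and not JBoss code. It models the role search that LdapLoginModule performs after a successful bind, as I understand it from the module's option names: a subtree search under rolesCtxDN with the filter (uidAttributeID=X), where X is the user's full DN when matchOnUserDN is true and the bare username otherwise, collecting roleAttributeID from every match. That filter construction is an assumption stated here, not taken from the post. Run against a constructed copy of the posted LDIF entries (userPassword values left out), it shows why principalRoles comes back empty: the posted options search for member=uid=test1,ou=People,..., but the posixGroup entries carry memberUid: test1. The second option set (uidAttributeID=memberUid, matchOnUserDN=false) is the combination that matches posixGroup membership under that assumed filter.

```python
"""Emulate a JBoss LdapLoginModule role lookup against a small in-memory LDIF.

Assumption (not from the post): the module searches rolesCtxDN with
"(<uidAttributeID>=<user DN if matchOnUserDN else username>)" and returns
every <roleAttributeID> value of the matching entries.
"""

# Constructed copy of the group and user entries from the post, passwords omitted.
LDIF = """\
dn: cn=Allora-Eng,ou=Group,dc=padymelon,dc=abc,dc=com
cn: Allora-Eng
gidNumber: 1001
memberUid: test2
objectClass: posixGroup
objectClass: top

dn: cn=Allora-User,ou=Group,dc=padymelon,dc=abc,dc=com
gidNumber: 1000
memberUid: test1
memberUid: test2
objectClass: posixGroup
objectClass: top
cn: Allora-User

dn: uid=test1,ou=People,dc=padymelon,dc=abc,dc=com
uid: test1
cn: testuser1
objectClass: posixAccount

dn: uid=test2,ou=People,dc=padymelon,dc=abc,dc=com
uid: test2
cn: testuser2
objectClass: posixAccount
"""

# Options exactly as posted in login-config.xml (only the ones the lookup uses).
POSTED_OPTIONS = {
    "principalDNPrefix": "uid=",
    "principalDNSuffix": ",ou=People,dc=padymelon,dc=abc,dc=com",
    "rolesCtxDN": "ou=Group,dc=padymelon,dc=abc,dc=com",
    "uidAttributeID": "member",
    "matchOnUserDN": True,
    "roleAttributeID": "cn",
}

# Same options with the two values that posixGroup entries actually need.
CORRECTED_OPTIONS = dict(POSTED_OPTIONS, uidAttributeID="memberUid", matchOnUserDN=False)


def parse_ldif(text):
    """Parse minimal LDIF (no folding, no base64) into {dn: {attr_lower: [values]}}."""
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("#"):
            current = None          # blank line ends the entry
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            current = entries.setdefault(value, {})
            continue
        if current is None:
            raise ValueError("attribute outside an entry: %r" % line)
        current.setdefault(attr, []).append(value)
    return entries


def lookup_roles(entries, opts, username):
    """Return (filter_string, sorted role list) for one authenticated username."""
    user_dn = opts["principalDNPrefix"] + username + opts["principalDNSuffix"]
    match_value = user_dn if opts["matchOnUserDN"] else username
    filter_str = "(%s=%s)" % (opts["uidAttributeID"], match_value)
    uid_attr = opts["uidAttributeID"].lower()
    role_attr = opts["roleAttributeID"].lower()
    ctx = opts["rolesCtxDN"].lower()
    roles = []
    for dn, attrs in entries.items():
        if not dn.lower().endswith("," + ctx):   # crude subtree scope check
            continue
        # LDAP attribute values are compared case-insensitively for DN syntax;
        # a plain string compare is enough for these constructed entries.
        if match_value in attrs.get(uid_attr, []):
            roles.extend(attrs.get(role_attr, []))
    return filter_str, sorted(roles)


ENTRIES = parse_ldif(LDIF)

if __name__ == "__main__":
    for label, opts in (("posted", POSTED_OPTIONS), ("corrected", CORRECTED_OPTIONS)):
        for user in ("test1", "test2"):
            flt, roles = lookup_roles(ENTRIES, opts, user)
            print("%-9s %s filter=%s roles=%s" % (label, user, flt, roles))
```

The script only reasons about the role search; it does not bind to a directory, so it says nothing about whether the user bind itself succeeds. The posted configuration also sets roleNameAttributeID=name, which only matters when roleAttributeIsDN is true, so it is left out of the lookup.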