Hi all,

It's about 2 days that i'm not able to resolve this problem. I'm trying to configure jboss to work with a webapplication that actually run under tomcat 5.5, but i'm not able to to configure LdapLoginModule.
The page that should appear after login is in a protected area associated with a role "Cataloguer". This role is associated in LDAP tree, as an attribute of each users as value of field initials.

When I try to login I receive an error 403 as the user isn't in the correct role.

I trace in a public jsp request.getUserPrincipal().getName() and request.isUserInRole("Cataloguer"), and I call this page after my login. I see that the user Principal is correct but the condition isUserInRole return false.

I activate trace information in log4j.xml for category "org.jboss.security.auth.spi" and this is the output .

2006-08-28 23:37:04,015 DEBUG [org.jboss.security.plugins.JaasSecurityManagerService] Added ldap-pdil, org.jboss.security.plugins.SecurityDomainContext@bc448b to map
2006-08-28 23:37:04,031 TRACE [org.jboss.security.auth.spi.LdapLoginModule] initialize, instance=@30675222
2006-08-28 23:37:04,031 TRACE [org.jboss.security.auth.spi.LdapLoginModule] login
2006-08-28 23:37:04,031 TRACE [org.jboss.security.auth.spi.LdapLoginModule] Logging into LDAP server, env={java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, principalDNPrefix=cn=, java.naming.security.principal=cn=Cataloguer_1,ou=people,dc=mycompany,dc=com, roleAttributeID=initials, matchOnUserDN=false, principalDNSuffix=,ou=people,dc=soloreti,dc=net, allowEmptyPasswords=false, java.naming.provider.url=ldap://localhost:389/, roleAttributeIsDN=false, java.naming.security.authentication=simple, java.naming.security.credentials=***}
2006-08-28 23:37:04,078 TRACE [org.jboss.security.auth.spi.LdapLoginModule] Logged into LDAP server, javax.naming.ldap.InitialLdapContext@1ff83
2006-08-28 23:37:04,078 TRACE [org.jboss.security.auth.spi.LdapLoginModule] Rebind SECURITY_PRINCIPAL to: cn=Manager,dc=mycompany,dc=com2006-08-28 23:37:04,078 TRACE [org.jboss.security.auth.spi.LdapLoginModule] User 'Cataloguer_1' authenticated, loginOk=true
2006-08-28 23:37:04,078 TRACE [org.jboss.security.auth.spi.LdapLoginModule] commit, loginOk=true


My application define 4 private area, each of them are associated to a role; in my LDAP role information is the attribute "initials" of the user.

I configure an application policy under login-config.xml

<application-policy name="ldap-pdil">

<!--<login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">-->
<login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">-->
<module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
<module-option name="java.naming.provider.url">ldap://localhost:389/</module-option>
<module-option name="java.naming.security.authentication">simple</module-option>
<module-option name="java.naming.security.principal">cn=Manager,dc=mycompany,dc=com/module-option>
<module-option name="java.naming.security.credentials">secret</module-option>
<module-option name="principalDNPrefix">cn=</module-option>
<module-option name="principalDNSuffix">,ou=people,dc=mycompany,dc=com</module-option>
<module-option name="matchOnUserDN">true</module-option>
<module-option name="roleAttributeID">initials</module-option>
<module-option name="roleAttributeIsDN">false</module-option>
<module-option name="allowEmptyPasswords">false</module-option>
</login-module>

</application-policy>


and i referenced it in my login module

<login-config>
<auth-method>FORM</auth-method>
<realm-name>ldap-pdil</realm-name>
<form-login-config>
<form-login-page>/login.jsp</form-login-page>
<form-error-page>/errors/loginFailedError.jsp</form-error-page>
</form-login-config>
</login-config>


I think that i don't configure correctly these module option "matchOnUserDN", "roleAttributeID", "roleAttributeIsDN" : I try different value but the result is the same!

Some one can help me?

Why the user successfully login, but no role information are available?