JAAS/LDAP Roles configuration pulls superset instead of filt
sarahm Oct 11, 2006 1:24 PM

I am having a strange error with what should be a simple configuration. I am able to authenticate off LDAP, but the role list received is not the one I expect.
I have the following config (with my actual domain, etc):
login-config.xml
<application-policy name="testLDAP">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">
      <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
      <module-option name="java.naming.provider.url">ldap://ldap.mydomain.com/</module-option>
      <module-option name="java.naming.security.authentication">simple</module-option>
      <module-option name="principalDNPrefix">uid=</module-option>
      <module-option name="principalDNSuffix">,ou=People,dc=mydomain,dc=com</module-option>
      <module-option name="rolesCtxDN">ou=Groups,dc=mydomain,dc=com</module-option>
      <module-option name="uidAttributeID">memberUid</module-option>
      <module-option name="matchOnUserDN">false</module-option>
      <module-option name="roleAttributeID">cn</module-option>
      <module-option name="roleAttributeIsDN">false</module-option>
      <module-option name="searchScope">ONELEVEL_SCOPE</module-option>
    </login-module>
  </authentication>
</application-policy>
Example LDAP User:
dn: uid=sarahm,ou=People,dc=mydomain,dc=com
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
objectClass: sambaSamAccount
uid: sarahm
uidNumber: 1040
gidNumber: 6000
Example LDAP Group:
dn: cn=it,ou=Groups,dc=mydomain,dc=com
cn: it
displayName: it
sambaGroupType: 2
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 6008
memberUid: sarahm
memberUid: user1
memberUid: user2
With this configuration, I expect only the groups for the current user to be used as roles. However, in both JSP (request.isUserInGroup) and the auth-constraint roles in web.xml all of my checks for roles will resolve to true if I have a corresponding group, even if the user is not in the group. For instance, request.isUserInGroup("accounting") is true for any user as the accounting group exists in LDAP.
It seems for some reason roles are not being filtered properly by user.
Any suggestions would be appreciated.
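As an added illustration (not part of the original post, and not JBoss code), the following Python model reproduces the role lookup that the configuration above describes: the filter (memberUid=<username>) evaluated under rolesCtxDN with ONELEVEL_SCOPE, with cn of each matching group taken as a role. It runs over a constructed LDIF sample modelled on the entries in the post, so the directory contents, the extra groups and the helper names are assumptions; its output is the role set a correctly filtered search should yield, which can be compared against what the container actually reports.

```python
import re

# Constructed LDIF sample (assumption, modelled on the post): one user and
# three posixGroup entries; only "it" and the nested group list sarahm.
SAMPLE_LDIF = """\
dn: uid=sarahm,ou=People,dc=mydomain,dc=com
objectClass: posixAccount
uid: sarahm

dn: cn=it,ou=Groups,dc=mydomain,dc=com
cn: it
objectClass: posixGroup
memberUid: sarahm
memberUid: user1

dn: cn=accounting,ou=Groups,dc=mydomain,dc=com
cn: accounting
objectClass: posixGroup
memberUid: user2

dn: cn=nested,ou=Sub,ou=Groups,dc=mydomain,dc=com
cn: nested
objectClass: posixGroup
memberUid: sarahm
"""

def parse_ldif(text):
    """Parse simple LDIF into one {attribute: [values]} dict per entry."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
        entries.append(entry)
    return entries

def in_scope(dn, base, one_level):
    """ONELEVEL_SCOPE keeps direct children of base only; otherwise any descendant."""
    dn, base = dn.lower(), base.lower()
    if not dn.endswith("," + base):
        return False
    rdn_count = dn[: -len(base) - 1].count(",") + 1
    return rdn_count == 1 if one_level else True

def expected_roles(entries, username, roles_ctx_dn, uid_attr, role_attr, one_level=True):
    """Roles the filter (uid_attr=username) under roles_ctx_dn should produce."""
    roles = []
    for e in entries:
        if in_scope(e["dn"][0], roles_ctx_dn, one_level) and username in e.get(uid_attr.lower(), []):
            roles.extend(e.get(role_attr.lower(), []))
    return sorted(roles)
```

With the post's settings (memberUid, cn, ONELEVEL_SCOPE) the model returns only ["it"] for sarahm; "accounting" appears only for users actually listed in its memberUid values.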