0 Replies Latest reply on Oct 19, 2009 8:54 AM by muzzol

    ldap filter to restrict one cn

    muzzol

      hi,

      I configured an application policy and I want to allow only users from the group

      cn=portalrrhh,ou=Groups,dc=example.com,dc=global

      This is the test I did with jmx-console:

      <application-policy name="jmx-console">
        <authentication>
          <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
            <module-option name="java.naming.provider.url">ldap://example.com:389</module-option>
            <module-option name="baseCtxDN">ou=Users,dc=example.com,dc=global</module-option>
            <module-option name="baseFilter">(uid={0})</module-option>
            <module-option name="rolesCtxDN">cn=portalrrhh,ou=Groups,dc=example.com,dc=global</module-option>
            <module-option name="roleFilter">(memberUid={0})</module-option>
            <module-option name="roleAttributeIsDN">false</module-option>
            <module-option name="roleNameAttributeID">cn</module-option>
            <module-option name="roleRecursion">0</module-option>
            <module-option name="searchScope">ONELEVEL_SCOPE</module-option>
          </login-module>
        </authentication>
      </application-policy>

      I can log in with any valid LDAP user, not just the ones belonging to group portalrrhh, so it seems to ignore the scope.

      Does anyone have a working example?

      I don't mind if it is with org.jboss.security.auth.spi.LdapLoginModule or org.jboss.security.auth.spi.LdapExtLoginModule.
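As an added illustration (not the poster's code, and not JBoss's own implementation), the following in-memory model mirrors the two searches the login module performs: a user search under baseCtxDN with baseFilter, then a role search under rolesCtxDN with roleFilter, both using the configured searchScope. The directory entries and passwords are constructed; the model assumes the scope applies to both searches and that the module reports success even when no role is found, which is why a group restriction has to be enforced by requiring the role rather than by the login module alone.

```python
# Constructed in-memory directory (hypothetical entries, not a real LDAP server).
DIRECTORY = {
    "uid=alice,ou=Users,dc=example.com,dc=global":
        {"uid": ["alice"], "userPassword": ["alice-pw"]},
    "uid=bob,ou=Users,dc=example.com,dc=global":
        {"uid": ["bob"], "userPassword": ["bob-pw"]},
    "cn=portalrrhh,ou=Groups,dc=example.com,dc=global":
        {"cn": ["portalrrhh"], "memberUid": ["alice"]},
}

# The poster's options, plus a variant whose rolesCtxDN is one level up (ou=Groups).
POSTED = {"baseCtxDN": "ou=Users,dc=example.com,dc=global", "baseFilter": "(uid={0})",
          "rolesCtxDN": "cn=portalrrhh,ou=Groups,dc=example.com,dc=global",
          "roleFilter": "(memberUid={0})", "roleNameAttributeID": "cn",
          "searchScope": "ONELEVEL_SCOPE"}
FIXED = dict(POSTED, rolesCtxDN="ou=Groups,dc=example.com,dc=global")

def rdns(dn):
    """Split a DN into normalised RDNs (sample values contain no escaped commas)."""
    return [p.strip().lower() for p in dn.split(",")]

def in_scope(dn, base, scope):
    d, b = rdns(dn), rdns(base)
    if scope == "OBJECT_SCOPE":
        return d == b
    if scope == "ONELEVEL_SCOPE":      # direct children of the base only, not the base itself
        return d[1:] == b
    return d[-len(b):] == b            # SUBTREE_SCOPE: the base and everything below it

def matches(entry, filt, username):
    """Evaluate a simple equality filter such as (uid={0}) with {0} substituted."""
    attr, value = filt.strip("()").split("=", 1)
    return value.replace("{0}", username) in entry.get(attr, [])

def search(base, scope, filt, username):
    return [dn for dn, e in DIRECTORY.items()
            if in_scope(dn, base, scope) and matches(e, filt, username)]

def authenticate(cfg, username, password):
    """Model of the module: locate the user, check the password (the bind), collect roles."""
    users = search(cfg["baseCtxDN"], cfg["searchScope"], cfg["baseFilter"], username)
    if len(users) != 1 or password not in DIRECTORY[users[0]]["userPassword"]:
        return False, []
    groups = search(cfg["rolesCtxDN"], cfg["searchScope"], cfg["roleFilter"], username)
    roles = [r for dn in groups for r in DIRECTORY[dn][cfg["roleNameAttributeID"]]]
    return True, roles   # success is reported whether or not any role was found

if __name__ == "__main__":
    for cfg in (POSTED, FIXED):
        print(cfg["rolesCtxDN"], authenticate(cfg, "alice", "alice-pw"),
              authenticate(cfg, "bob", "bob-pw"))
```

With the posted options the search under the group's own DN with ONELEVEL_SCOPE returns no children, so alice authenticates with an empty role list; with rolesCtxDN set to ou=Groups she receives the portalrrhh role and bob still receives none, which is the distinction a security constraint on that role can then enforce.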