-
1. Re: HELP: Need help configuring ldap login module from java
mickknutson Sep 19, 2005 12:41 PM (in response to mickknutson)
Forgot the java code...
package org.jboss.test;

import java.util.*;
import com.dhl.dss.ldap.*;
import com.dhl.dss.ldap.utilities.LDAPAttributeAccess;
import javax.naming.NamingException;

public class RoleLookup {
    // bind settings; [ip address] and [password] are placeholders as posted
    private static final String LDAP_URL = "ldap://[ip address]:389";
    private static final String LDAP_BIND_DN = "uid=fastforward,cn=Applications,o=blackhawk";
    private static final String LDAP_BIND_PWD = "[password]";

    public RoleLookup() {
    }

    public static void main(String[] args) throws NamingException {
        String uid = "user02";
        RoleLookup rl = new RoleLookup();
        System.out.println("Looking up roles for UID " + uid);
        String[] roles = rl.getRoles(uid);
        for (int i = 0; i != roles.length; i++) {
            // print each role value (the original printed the array reference)
            System.out.println("Role " + (i + 1) + ": " + roles[i]);
        }
    }

    public String[] getRoles(String uid) throws NamingException {
        if (uid == null || uid.length() == 0) {
            throw new NamingException("No User ID to lookup");
        }
        // connect to LDAP
        DHLLDAPConnection conn = new DHLLDAPConnection();
        conn.connect(LDAP_URL, LDAP_BIND_DN, LDAP_BIND_PWD);
        // find the DN of the user entry
        // note: uid goes into the search filter unescaped, so filter
        // metacharacters in it (RFC 4515) should be escaped before use
        Hashtable res = conn.search("o=blackhawk", "uid=" + uid);
        if (res == null) {
            throw new NamingException("No entry with UID " + uid + " is found");
        }
        LDAPAttributeAccess lEntry = new LDAPAttributeAccess(res);
        String DN = lEntry.getAttributeValue("$dn");
        // find role(s) this DN belongs to: read the entry's nsrole attribute
        String[] attrs = { "nsrole" };
        Hashtable hRoles = conn.search(DN, "(objectclass=*)", attrs);
        if (hRoles == null) {
            throw new NamingException("No roles found for DN " + DN);
        }
        // iterate through results (attribute names are case-insensitive in LDAP)
        lEntry = new LDAPAttributeAccess(hRoles);
        return lEntry.getAttributeValues("nsRole");
    }
}
-
2. Re: HELP: Need help configuring ldap login module from java
mickknutson Sep 19, 2005 8:15 PM (in response to mickknutson)
Can I turn this java class into my own LdapAuthenticationModule? If so, how please?
I really, really, really need to solve this tonight. Please, please help someone.... -
3. Re: HELP: Need help configuring ldap login module from java
anguyen Sep 19, 2005 9:11 PM (in response to mickknutson)
Have you looked at http://docs.jboss.org/jbossas/jboss4guide/r3/html/ch8.chapter.html#d0e18741.
From my understanding of your code, the login module config should look something like:
<login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">
  <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
  <module-option name="java.naming.provider.url">ldap://[ip address]:389</module-option>
  <module-option name="java.naming.security.authentication">simple</module-option>
  <module-option name="java.naming.security.principal">uid=fastforward,cn=Applications,o=blackhawk</module-option>
  <module-option name="java.naming.security.credentials">[password]</module-option>
  <module-option name="principalDNPrefix">uid=</module-option>
  <module-option name="principalDNSuffix">,o=blackhawk</module-option>
  <module-option name="rolesCtxDN">??? ???</module-option>
  <module-option name="roleAttributeId">??? ???</module-option>
  <module-option name="roleAttributeIsDN">??? ???</module-option>
  <module-option name="roleNameAttributeID">??? ???</module-option>
</login-module>
I'm not able to infer from your code example those last four values. They are specific to your LDAP schema. -
4. Re: HELP: Need help configuring ldap login module from java
mickknutson Sep 20, 2005 2:10 PM (in response to mickknutson)
I did.
The issue is that when I get back a user, I then have to make a query to get the dynamic name of the attributes versus static names.
Thus I have to:
Hashtable hRoles = conn.search(DN, "(objectclass=*)", attrs);
Then:
lEntry = new LDAPAttributeAccess(hRoles);
return lEntry.getAttributeValues("nsRole");
So I am parsing out the roles now with a custom module, but I have the next and last issue I could really use some help with please:
I have assigned a user to the following roles in my login module:
Assign user to role cn=ffv1::01find customer::find customer,o=blackhawk
Assign user to role cn=ffv1::08reports::reports,o=blackhawk
Assign user to role cn=ffv1::20password reset::password reset delegation,o=blackhawk
But, Struts wants to see:
role01
role08
role20
respectively.
So I am trying to map/alias:
cn=ffv1::01find customer::find customer,o=blackhawk
to
role01
I tried to add an entry into my jboss-web.xml like:
<security-role>
<principal-name>cn=FFv1::01Find Customer::Find Customer</principal-name>
<role-name>role01</role-name>
</security-role>
but that does not seem to work when I check in my jsp:
<%= (request.isUserInRole("role01") ? " YES ": " -no- ") %>
"anguyen" wrote:
Have you looked at http://docs.jboss.org/jbossas/jboss4guide/r3/html/ch8.chapter.html#d0e18741.
From my understanding of your code, the login module config should look something like:
<login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">
  <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
  <module-option name="java.naming.provider.url">ldap://[ip address]:389</module-option>
  <module-option name="java.naming.security.authentication">simple</module-option>
  <module-option name="java.naming.security.principal">uid=fastforward,cn=Applications,o=blackhawk</module-option>
  <module-option name="java.naming.security.credentials">[password]</module-option>
  <module-option name="principalDNPrefix">uid=</module-option>
  <module-option name="principalDNSuffix">,o=blackhawk</module-option>
  <module-option name="rolesCtxDN">??? ???</module-option>
  <module-option name="roleAttributeId">??? ???</module-option>
  <module-option name="roleAttributeIsDN">??? ???</module-option>
  <module-option name="roleNameAttributeID">??? ???</module-option>
</login-module>
I'm not able to infer from your code example those last four values. They are specific to your LDAP schema. -
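Added example (not code from the thread or from JBoss): one way a custom login module can derive the Struts role names from the role DNs listed in the post above. It assumes the DN layout shown there ("cn=ffv1::NN<label>::<label>,o=blackhawk"), matches case-insensitively so the variant spelled in jboss-web.xml also maps, and returns null for any DN outside that scheme so no role is granted for it; the class and method names are assumptions.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Maps role DNs of the form "cn=ffv1::NNlabel::label,o=blackhawk" to the
 * Struts role names "roleNN". Hypothetical helper for illustration only.
 */
public class RoleDnMapper {
    // first RDN must be cn=ffv1::<two-digit code>...; anything else is not an ffv1 role
    private static final Pattern ROLE_CN =
        Pattern.compile("^cn=ffv1::(\\d{2})[^,]*", Pattern.CASE_INSENSITIVE);

    /** Returns "roleNN" for a matching DN, or null when the DN does not fit the scheme. */
    public static String toStrutsRole(String roleDn) {
        if (roleDn == null) {
            return null;
        }
        Matcher m = ROLE_CN.matcher(roleDn.trim());
        if (!m.find()) {
            return null; // unknown layout: map to nothing rather than guess a role
        }
        return "role" + m.group(1);
    }

    public static void main(String[] args) {
        // constructed inputs: the three DNs from the post, the jboss-web.xml
        // spelling, and a DN from a different application
        String[] fromLdap = {
            "cn=ffv1::01find customer::find customer,o=blackhawk",
            "cn=ffv1::08reports::reports,o=blackhawk",
            "cn=ffv1::20password reset::password reset delegation,o=blackhawk",
            "cn=FFv1::01Find Customer::Find Customer",
            "cn=otherapp::99admin::admin,o=blackhawk"
        };
        for (int i = 0; i < fromLdap.length; i++) {
            System.out.println(fromLdap[i] + " -> " + toStrutsRole(fromLdap[i]));
        }
    }
}
```

In a custom module the returned names, not the raw DNs, are what would go into the role group the module hands back, which is what request.isUserInRole("role01") checks against.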
5. Re: HELP: Need help configuring ldap login module from java
anguyen Sep 20, 2005 8:21 PM (in response to mickknutson)
I think the LDAP login module will do that mapping for you.
I just want to make sure I understand your case. You have role with DN "cn=ffv1::01find customer::find customer,o=blackhawk". A lookup of this role should return an attribute "nsRole" that has the value "role01". If this is the case, I think this configuration should work:
<module-option name="roleAttributeIsDN">true</module-option>
<module-option name="roleNameAttributeID">nsRole</module-option>