5 Replies Latest reply on Sep 20, 2005 8:21 PM by anguyen

    HELP: Need help configuring ldap login module from java code

    mickknutson

      I have the following java code that queries our ldap scheme and then gets the proper roles back:

      ...
      


      I need to figure out how to put this into a login module to get the same roles into my Principal please.
      I am using 4.0.3RC2
      So I can use org.jboss.security.auth.spi.LdapLoginModule, or org.jboss.security.auth.spi.LdapExtLoginModule I think.

      I am under a serious time crunch as this was supposed to be complete last week.
      Your assistance is greatly appreciated....


        • 1. Re: HELP: Need help configuring ldap login module from java
          mickknutson

          Forgot the java code...

          package org.jboss.test;

          import java.util.*;

          import com.dhl.dss.ldap.*;
          import com.dhl.dss.ldap.utilities.LDAPAttributeAccess;

          import javax.naming.NamingException;

          public class RoleLookup {
              private static final String LDAP_URL = "ldap://[ip address]:389";
              private static final String LDAP_BIND_DN =
                      "uid=fastforward,cn=Applications,o=blackhawk";
              private static final String LDAP_BIND_PWD = "[password]";

              public RoleLookup() {
              }

              public static void main(String[] args) throws NamingException {
                  String uid = "user02";
                  RoleLookup rl = new RoleLookup();
                  System.out.println("Looking up roles for UID " + uid);
                  String[] roles = rl.getRoles(uid);
                  for (int i = 0; i != roles.length; i++) {
                      // print each role value, not the array reference
                      System.out.println("Role " + (i + 1) + ": " + roles[i]);
                  }
              }

              public String[] getRoles(String uid) throws NamingException {
                  if (uid == null || uid.length() == 0) {
                      throw new NamingException("No User ID to lookup");
                  }

                  // connect to LDAP with the application's service account
                  DHLLDAPConnection conn = new DHLLDAPConnection();
                  conn.connect(LDAP_URL, LDAP_BIND_DN, LDAP_BIND_PWD);

                  // find the user's entry (and so its DN) by uid under o=blackhawk;
                  // uid is concatenated into the filter unescaped, so it must be
                  // filter-escaped if it ever comes from user input
                  Hashtable res = conn.search("o=blackhawk", "uid=" + uid);
                  if (res == null) {
                      throw new NamingException("No entry with UID " + uid + " is found");
                  }
                  LDAPAttributeAccess lEntry = new LDAPAttributeAccess(res);
                  String DN = lEntry.getAttributeValue("$dn");

                  // read the nsrole attribute of that entry: one value per role DN
                  String[] attrs = { "nsrole" };
                  Hashtable hRoles = conn.search(DN, "(objectclass=*)", attrs);
                  if (hRoles == null) {
                      throw new NamingException("No roles found for DN " + DN);
                  }

                  // return every role DN found on the user entry
                  lEntry = new LDAPAttributeAccess(hRoles);
                  return lEntry.getAttributeValues("nsRole");
              }
          }
          


          • 2. Re: HELP: Need help configuring ldap login module from java
            mickknutson

            Can I turn this java class into my own LdapAuthenticationModule? If so, how please?

            I really, really, really need to solve this tonight. Please, please help someone....

            • 3. Re: HELP: Need help configuring ldap login module from java
              anguyen

              Have you looked at http://docs.jboss.org/jbossas/jboss4guide/r3/html/ch8.chapter.html#d0e18741.

              From my understanding of your code, the login module config should look something like:

              <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">
               <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
               <module-option name="java.naming.provider.url">ldap://[ip address]:389</module-option>
               <module-option name="java.naming.security.authentication">simple</module-option>
               <module-option name="java.naming.security.principal">uid=fastforward,cn=Applications,o=blackhawk</module-option>
               <module-option name="java.naming.security.credentials">[password]</module-option>
               <module-option name="principalDNPrefix">uid=</module-option>
               <module-option name="principalDNSuffix">,o=blackhawk</module-option>
               <module-option name="rolesCtxDN">??? ???</module-option>
               <module-option name="roleAttributeId">??? ???</module-option>
               <module-option name="roleAttributeIsDN">??? ???</module-option>
               <module-option name="roleNameAttributeID">??? ???</module-option>
              </login-module>
              


              I'm not able to infer from your code example those last four values. They are specific to your LDAP schema.

              • 4. Re: HELP: Need help configuring ldap login module from java
                mickknutson

                I did.
                The issue is that when I get back a user, I then have to make a query to get the dynamic name of the attributes versus static names.

                Thus I have to:

                Hashtable hRoles = conn.search(DN, "(objectclass=*)", attrs);
                


                Then:
                lEntry = new LDAPAttributeAccess(hRoles);
                return lEntry.getAttributeValues("nsRole");
                


                So I am parsing out the roles now with a custom module, but I have the next and last issue I could really use some help with please..:

                I have assigned a user to the following roles in my login module:
                Assign user to role cn=ffv1::01find customer::find customer,o=blackhawk
                Assign user to role cn=ffv1::08reports::reports,o=blackhawk
                Assign user to role cn=ffv1::20password reset::password reset delegation,o=blackhawk


                But, Struts wants to see:
                role01
                role08
                role20

                respectively.

                So I am trying to map/alias:
                cn=ffv1::01find customer::find customer,o=blackhawk
                to
                role01


                I tried to add an entry into my jboss-web.xml like:
                <security-role>
                <principal-name>cn=FFv1::01Find Customer::Find Customer</principal-name>
                <role-name>role01</role-name>
                </security-role>

                but that does not seem to work when I check in my jsp:
                <%= (request.isUserInRole("role01") ? " YES ": " -no- ") %>


                "anguyen" wrote:
                Have you looked at http://docs.jboss.org/jbossas/jboss4guide/r3/html/ch8.chapter.html#d0e18741.

                From my understanding of your code, the login module config should look something like:
                <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">
                 <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
                 <module-option name="java.naming.provider.url">ldap://[ip address]:389</module-option>
                 <module-option name="java.naming.security.authentication">simple</module-option>
                 <module-option name="java.naming.security.principal">uid=fastforward,cn=Applications,o=blackhawk</module-option>
                 <module-option name="java.naming.security.credentials">[password]</module-option>
                 <module-option name="principalDNPrefix">uid=</module-option>
                 <module-option name="principalDNSuffix">,o=blackhawk</module-option>
                 <module-option name="rolesCtxDN">??? ???</module-option>
                 <module-option name="roleAttributeId">??? ???</module-option>
                 <module-option name="roleAttributeIsDN">??? ???</module-option>
                 <module-option name="roleNameAttributeID">??? ???</module-option>
                </login-module>
                


                I'm not able to infer from your code example those last four values. They are specific to your LDAP schema.


                • 5. Re: HELP: Need help configuring ldap login module from java
                  anguyen

                  I think the LDAP login module will do that mapping for you.

                  I just want to make sure I understand your case. You have role with DN "cn=ffv1::01find customer::find customer,o=blackhawk". A lookup of this role should return an attribute "nsRole" that has the value "role01". If this is the case, I think this configuration should work:

                   <module-option name="roleAttributeIsDN">true</module-option>
                   <module-option name="roleNameAttributeID">nsRole</module-option>
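                  Putting replies 3 and 5 together with the Java code from reply 1, the application policy below is a complete login-config.xml entry for the setup described in this thread (an added example, not from the original posts or the JBoss documentation). It assumes the user entries sit directly under o=blackhawk and are identified by their uid attribute, that a user's nsRole attribute holds the DNs of its roles, and that each role entry carries some attribute (placeholder name below) whose value is the short name Struts expects, such as role01.

```xml
<application-policy name="ffv1-ldap">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">
      <!-- connection settings: the same values DHLLDAPConnection.connect() received in the Java code -->
      <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
      <module-option name="java.naming.provider.url">ldap://[ip address]:389</module-option>
      <module-option name="java.naming.security.authentication">simple</module-option>
      <!-- service account used to read the directory; its password now lives in this file,
           so keep login-config.xml readable by the JBoss user only -->
      <module-option name="java.naming.security.principal">uid=fastforward,cn=Applications,o=blackhawk</module-option>
      <module-option name="java.naming.security.credentials">[password]</module-option>

      <!-- user DN = "uid=" + username + ",o=blackhawk"; replaces conn.search("o=blackhawk", "uid=" + uid).
           The module then binds as that DN with the supplied password to authenticate the user. -->
      <module-option name="principalDNPrefix">uid=</module-option>
      <module-option name="principalDNSuffix">,o=blackhawk</module-option>

      <!-- where the entry carrying the user's roles is searched for, and which attribute of it
           must equal the username: here the user entry itself, matched on uid -->
      <module-option name="rolesCtxDN">o=blackhawk</module-option>
      <module-option name="uidAttributeID">uid</module-option>

      <!-- attribute read from the matched entry; replaces conn.search(DN, "(objectclass=*)", {"nsrole"}) -->
      <module-option name="roleAttributeID">nsRole</module-option>

      <!-- each nsRole value is a DN such as "cn=ffv1::01find customer::find customer,o=blackhawk",
           so the module follows that DN and takes the role name from an attribute of the role entry -->
      <module-option name="roleAttributeIsDN">true</module-option>
      <!-- ASSUMPTION: replace with the attribute of the role entry whose value is "role01", "role08", ... -->
      <module-option name="roleNameAttributeID">[role-name-attribute]</module-option>
    </login-module>
  </authentication>
</application-policy>
```

                  With roleAttributeIsDN set to true the role names placed in the Roles group are the values of roleNameAttributeID, not the DNs, so request.isUserInRole("role01") in the JSP sees the short name without any extra mapping in jboss-web.xml.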