LDAP assignment handler
aguizar Mar 14, 2008 5:54 PM

During a recent consulting gig I developed an LDAP-based assignment handler. It is not meant to fit arbitrary directory arrangements. Instead, it was designed to be a companion to the LDAP login module provided by JBoss AS, although they are configured separately. It will cover simple directory arrangements out of the box, and should be a good starting point for folks facing more complex arrangements.
In the login model, users reside under an organizational unit, say ou=People,dc=jbpm,dc=org. Roles are defined in another organizational unit, e.g. ou=Roles,dc=jbpm,dc=org. In the assignment model, groups take the place of roles. They are defined in their own organizational unit as well, for example ou=Groups,dc=jbpm,dc=org, although they may be the same as roles if that makes sense to the user.
An LdapService was introduced to manage the connection to the directory. The connection is established with properties read from a classpath resource specified by the string entry resource.ldap.properties in jbpm.cfg.xml. Below is a sample properties file. Notice the similarity with the login module configuration options.
java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
java.naming.provider.url=ldap\://localhost\:389/
java.naming.security.authentication=simple
java.naming.security.principal=uid\=adminUser,ou\=People,dc\=example,dc\=com
java.naming.security.credentials=adminUser
usersCtxDN=ou\=People,dc\=example,dc\=com
userAttributeID=uid
passwordAttributeID=userPassword
groupsCtxDN=ou\=Groups,dc\=example,dc\=com
groupAttributeID=cn
memberAttributeID=member
matchOnUserDN=true
LdapAssignmentHandler extends ExpressionAssignmentHandler so the usual assignment expressions can be used on top of an LDAP server. Right now only users and groups are supported. Memberships, group types, and group hierarchies were out of the scope of the requirements, though support for them might be added via search controls and extended attributes.
The source code is available on the CVS branch jpdl_3_2_2_IS. I believe this would make an interesting addition to the product. What do you all think?
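As an added illustration (not the handler from the CVS branch), the following hypothetical LdapGroupResolver shows how the keys in the sample properties file above drive a user-to-group lookup over JNDI: the java.naming.* keys open the connection, usersCtxDN/userAttributeID locate the user, and groupsCtxDN/groupAttributeID/memberAttributeID, together with matchOnUserDN, decide whether the group lists that user. It assumes the Properties object was loaded from resource.ldap.properties, that users and groups sit one level below their OUs, and that an LDAP server is reachable at the configured URL; the filter escaping is there because the user and group names come from assignment expressions and must not be able to rewrite the search filter.

```java
import java.util.Hashtable;
import java.util.Properties;
import javax.naming.*;
import javax.naming.directory.*;

/** Hypothetical resolver: answers "is user X in group Y?" from the keys of the post's resource.ldap.properties. */
public class LdapGroupResolver {
    private final Properties props;
    private final DirContext ctx;

    public LdapGroupResolver(Properties props) throws NamingException {
        this.props = props;
        // The java.naming.* keys are handed to JNDI unchanged; the remaining keys drive the searches below.
        Hashtable<String, String> env = new Hashtable<>();
        for (String name : props.stringPropertyNames()) {
            if (name.startsWith("java.naming.")) env.put(name, props.getProperty(name));
        }
        this.ctx = new InitialDirContext(env);
    }

    /** RFC 4515 escaping: a name such as "x)(uid=*" must not be able to change the filter's meaning. */
    static String escapeFilter(String value) {
        return value.replace("\\", "\\5c").replace("*", "\\2a").replace("(", "\\28")
                    .replace(")", "\\29").replace("\0", "\\00");
    }

    private NamingEnumeration<SearchResult> search(String base, String filter) throws NamingException {
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.ONELEVEL_SCOPE); // assumption: users and groups sit directly under their OU
        return ctx.search(base, filter, sc);
    }

    /** DN of the entry under usersCtxDN whose userAttributeID equals userName, or null if there is none. */
    String findUserDn(String userName) throws NamingException {
        String filter = "(" + props.getProperty("userAttributeID") + "=" + escapeFilter(userName) + ")";
        NamingEnumeration<SearchResult> r = search(props.getProperty("usersCtxDN"), filter);
        return r.hasMore() ? r.next().getNameInNamespace() : null;
    }

    /** True if the group's memberAttributeID lists the user: by DN when matchOnUserDN=true, else by name. */
    boolean isMember(String userName, String groupName) throws NamingException {
        boolean byDn = Boolean.parseBoolean(props.getProperty("matchOnUserDN"));
        String member = byDn ? findUserDn(userName) : userName;
        if (member == null) return false; // unknown user: assign nothing rather than match an empty value
        String filter = "(&(" + props.getProperty("groupAttributeID") + "=" + escapeFilter(groupName) + ")("
                + props.getProperty("memberAttributeID") + "=" + escapeFilter(member) + "))";
        return search(props.getProperty("groupsCtxDN"), filter).hasMore();
    }
}
```

Because the bind uses java.naming.security.principal and its credentials for every lookup, the resolver only needs read access to the People and Groups subtrees, so that account should be granted nothing more.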