LDAP Authentication & Authorization to eDirectory
arnieaustin May 22, 2007 2:12 PM

I am working with the jboss-portal-2.6-CR2 bundle. After getting it configured for MySQL and logging in as 'admin', I reconfigured it for LDAP using the LDAPExtUser/RoleModuleImpl classes. We are using Novell eDirectory set up in an Identity Vault configuration (nearly flat directory with different ou's for users and groups). Anyway, so far so good. I can log in. Well, actually Admin can log in. I cannot. I keep getting the "Your account is disabled." message on the login screen. Which is WRONG, since my account is neither disabled nor locked in LDAP. My guess is this misleading message has something to do with Authorization.
Our LDAP structure:
o=idv
ou=groups,o=idv
ou=apps,ou=groups,o=idv
ou=jbossportal,ou=apps,ou=groups,o=idv
cn=Administrators,ou=jbossportal,ou=apps,ou=groups,o=idv
cn=Users,ou=jbossportal,ou=apps,ou=groups,o=idv
ou=people,o=idv
ou=apps,ou=people,o=idv
cn=admin,ou=apps,ou=people,o=idv
ou=employees,ou=people,o=idv
ou=al,ou=employees,ou=people,o=idv
cn=acm3,ou=al,ou=employees,ou=people,o=idv
Note that the admin I am using to authenticate is in a different container in the tree. My account (acm3) is where most employees would be.
The two groups mentioned have various users in them. In the Administrators case, Admin and ACM3 are both members. Yet when Admin logs in, the "Admin" link doesn't appear in the portal window. And ACM3 cannot log in at all.
What could I be missing here? There were no messages on the console log or in server.log that something was wrong.
I've included the ldap_identity-config.xml below:
<identity-configuration>
   <datasources>
      <datasource>
         <name>LDAP</name>
         <config>
            <option>
               <name>host</name>
               <value>idv1-lab.oag.state.tx.us</value>
            </option>
            <option>
               <name>port</name>
               <value>389</value>
            </option>
            <option>
               <name>adminDN</name>
               <value>cn=portalsystem,ou=apps,ou=people,o=idv</value>
            </option>
            <option>
               <name>adminPassword</name>
               <value>password</value>
            </option>
            <!--<option>
               <name>protocol</name>
               <value>ssl</value>
            </option>-->
         </config>
      </datasource>
   </datasources>
   <modules>
      <module>
         <!--type used to correctly map in IdentityContext registry-->
         <type>User</type>
         <implementation>LDAP</implementation>
         <class>org.jboss.portal.identity.ldap.LDAPExtUserModuleImpl</class>
         <config/>
      </module>
      <module>
         <type>Role</type>
         <implementation>LDAP</implementation>
         <class>org.jboss.portal.identity.ldap.LDAPExtRoleModuleImpl</class>
         <config/>
      </module>
      <module>
         <type>Membership</type>
         <implementation>LDAP</implementation>
         <config/>
      </module>
      <module>
         <type>UserProfile</type>
         <implementation>DELEGATING</implementation>
         <config>
            <option>
               <name>ldapModuleJNDIName</name>
               <value>java:/portal/LDAPUserProfileModule</value>
            </option>
         </config>
      </module>
      <module>
         <type>DBDelegateUserProfile</type>
         <implementation>DB</implementation>
         <config>
            <option>
               <name>randomSynchronizePassword</name>
               <value>true</value>
            </option>
         </config>
      </module>
      <module>
         <type>LDAPDelegateUserProfile</type>
         <implementation>LDAP</implementation>
         <config/>
      </module>
   </modules>
   <options>
      <option-group>
         <group-name>common</group-name>
         <option>
            <name>userCtxDN</name>
            <value>ou=PEOPLE,o=IDV</value>
         </option>
         <option>
            <name>roleCtxDN</name>
            <value>ou=GROUPS,o=IDV</value>
         </option>
         <option>
            <name>userSearchFilter</name>
            <value>(cn={0})</value>
         </option>
         <option>
            <name>roleSearchFilter</name>
            <value>(cn={0})</value>
         </option>
         <option>
            <name>uidAttributeID</name>
            <value>cn</value>
         </option>
         <option>
            <name>passwordAttributeID</name>
            <value>password</value>
         </option>
         <option>
            <name>membershipAttributeId</name>
            <value>member</value>
         </option>
         <option>
            <name>membershipAttributeIsDN</name>
            <value>true</value>
         </option>
      </option-group>
      <option-group>
         <group-name>userCreateAttibutes</group-name>
         <option>
            <name>objectClass</name>
            <!--These objectclasses should work with Red Hat Directory-->
            <value>top</value>
            <value>person</value>
            <value>inetOrgPerson</value>
         </option>
         <!--Schema requires those to have an initial value-->
         <option>
            <name>cn</name>
            <value>none</value>
         </option>
         <option>
            <name>sn</name>
            <value>none</value>
         </option>
      </option-group>
      <option-group>
         <group-name>roleCreateAttibutes</group-name>
         <!--Schema requires those to have an initial value-->
         <option>
            <name>cn</name>
            <value>none</value>
         </option>
         <!--Some directory servers require this attribute to be a valid DN-->
         <!--For safety reasons point to the admin user here-->
         <option>
            <name>member</name>
            <value>cn=portalsytem,ou=apps,ou=people,o=idv</value>
         </option>
      </option-group>
   </options>
</identity-configuration>
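As an added example (not code from the original post and not JBoss Portal's own implementation), the following Python script models offline the two directory lookups the posted configuration drives: the user search under userCtxDN with the (cn={0}) filter, and the role lookup under roleCtxDN that matches the group's member values against the user's DN (membershipAttributeIsDN=true). It runs against a constructed in-memory copy of the tree from the post. The search scope, the group cn values and the eDirectory loginDisabled / lockedByIntruder values are assumptions of the example, chosen to show the three facts worth verifying when a login is refused with a generic "account disabled" message: whether the entry is found under the configured base at all, whether the directory really flags it as disabled or locked, and whether the DN stored in the group matches the entry's DN once both are normalised. The example goes slightly beyond the post by handling DNs written with different letter case and spacing.

```python
# Added example: offline model of the user and role lookups behind an LDAP
# identity config like the one in the post. Not JBoss Portal code.

# Constructed entries mirroring the DNs listed in the post. loginDisabled and
# lockedByIntruder are eDirectory attributes; their values here are made up.
DIRECTORY = {
    "o=idv": {"objectClass": ["organization"]},
    "ou=groups,o=idv": {"objectClass": ["organizationalUnit"]},
    "ou=apps,ou=groups,o=idv": {"objectClass": ["organizationalUnit"]},
    "ou=jbossportal,ou=apps,ou=groups,o=idv": {"objectClass": ["organizationalUnit"]},
    "cn=Administrators,ou=jbossportal,ou=apps,ou=groups,o=idv": {
        "objectClass": ["groupOfNames"],
        "cn": ["Administrators"],
        "member": [
            "cn=admin,ou=apps,ou=people,o=idv",
            "cn=acm3,ou=al,ou=employees,ou=people,o=idv",
        ],
    },
    "cn=Users,ou=jbossportal,ou=apps,ou=groups,o=idv": {
        "objectClass": ["groupOfNames"],
        "cn": ["Users"],
        # Stored with different case and spacing than the entry's own DN on
        # purpose, to show why the comparison must normalise both sides.
        "member": ["CN=acm3, OU=al, OU=employees, OU=people, O=idv"],
    },
    "ou=people,o=idv": {"objectClass": ["organizationalUnit"]},
    "ou=apps,ou=people,o=idv": {"objectClass": ["organizationalUnit"]},
    "cn=admin,ou=apps,ou=people,o=idv": {
        "objectClass": ["inetOrgPerson"], "cn": ["admin"],
        "loginDisabled": ["FALSE"], "lockedByIntruder": ["FALSE"],
    },
    "ou=employees,ou=people,o=idv": {"objectClass": ["organizationalUnit"]},
    "ou=al,ou=employees,ou=people,o=idv": {"objectClass": ["organizationalUnit"]},
    "cn=acm3,ou=al,ou=employees,ou=people,o=idv": {
        "objectClass": ["inetOrgPerson"], "cn": ["acm3"],
        "loginDisabled": ["FALSE"], "lockedByIntruder": ["FALSE"],
    },
}


def normalize_dn(dn):
    """Canonical form for comparing DNs. cn, ou and o all use case-insensitive
    matching, so lower-case everything and drop whitespace around the RDN
    separators. (Naive split: does not handle RFC 4514 escaped commas.)"""
    return ",".join(part.strip().lower() for part in dn.split(","))


def search(base_dn, scope, predicate):
    """Minimal LDAP-style search over DIRECTORY. scope is 'one' (direct children
    of base) or 'sub' (whole subtree). Returns (normalised DN, attrs) pairs."""
    base = normalize_dn(base_dn)
    hits = []
    for dn, attrs in DIRECTORY.items():
        ndn = normalize_dn(dn)
        if not ndn.endswith("," + base):
            continue
        depth = ndn[: -len(base) - 1].count(",") + 1
        if scope == "one" and depth != 1:
            continue
        if predicate(attrs):
            hits.append((ndn, attrs))
    return hits


def find_user(login, user_ctx_dn, scope="sub"):
    """userSearchFilter (cn={0}) under userCtxDN. The scope is an assumption of
    this example; it is a parameter because a one-level search misses users in
    nested OUs such as ou=al,ou=employees. Returns (dn, attrs) or None."""
    hits = search(user_ctx_dn, scope,
                  lambda a: login.lower() in [v.lower() for v in a.get("cn", [])])
    return hits[0] if len(hits) == 1 else None


def roles_for(user_dn, role_ctx_dn, membership_attr="member"):
    """Groups under roleCtxDN whose membership attribute holds the user's DN
    (membershipAttributeIsDN=true), compared after normalisation."""
    target = normalize_dn(user_dn)
    hits = search(role_ctx_dn, "sub",
                  lambda a: any(normalize_dn(m) == target
                                for m in a.get(membership_attr, [])))
    return sorted(attrs["cn"][0] for _, attrs in hits)


def is_disabled(attrs):
    """The eDirectory flags that actually mean 'disabled' or 'locked'."""
    return any(attrs.get(flag, ["FALSE"])[0].upper() == "TRUE"
               for flag in ("loginDisabled", "lockedByIntruder"))


def diagnose_login(login, user_ctx_dn="ou=PEOPLE,o=IDV",
                   role_ctx_dn="ou=GROUPS,o=IDV", scope="sub"):
    """One-shot report of the facts behind a refused login."""
    hit = find_user(login, user_ctx_dn, scope)
    if hit is None:
        return {"found": False, "dn": None, "disabled": None, "roles": []}
    dn, attrs = hit
    return {"found": True, "dn": dn, "disabled": is_disabled(attrs),
            "roles": roles_for(dn, role_ctx_dn)}


if __name__ == "__main__":
    for login in ("admin", "acm3"):
        print(login, "subtree:", diagnose_login(login))
        print(login, "one-level:", diagnose_login(login, scope="one"))
```

Running the script shows that with a one-level search neither admin (in ou=apps) nor acm3 (in ou=al,ou=employees) is found under ou=PEOPLE,o=IDV, while a subtree search finds both, reports neither as disabled, and resolves acm3 to both groups even though the Users group stores the DN in a different case. Against a real server the same three questions are answered by running the configured userSearchFilter under userCtxDN with the scope the module actually uses, reading loginDisabled and lockedByIntruder on the returned entry, and comparing the group's member values with the entry's DN.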