4 Replies Latest reply on Oct 1, 2007 3:50 PM by saigon_man

    Can not get user role from LDAP server

    saigon_man

      Hello,
      Following up on my previous post about an LDAP connection error
      http://www.jboss.com/index.html?module=bb&op=viewtopic&t=119428
      I found the way to make it work. It turned out that JBoss Portal somehow doesn't work well with ApacheDS (well, at least it doesn't work for me), so I switched to OpenDS, which worked pretty well for me. But there is a problem with JBoss Portal pulling user info such as roles from LDAP. Here is my configuration.

      In my login-config.xml (this is the only place where I made changes to connect to the LDAP server):

      <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
        <module-option name="unauthenticatedIdentity">guest</module-option>
        <module-option name="userModuleJNDIName">java:/portal/UserModule</module-option>
        <module-option name="roleModuleJNDIName">java:/portal/RoleModule</module-option>
        <module-option name="additionalRole">Authenticated</module-option>
        <module-option name="password-stacking">useFirstPass</module-option>
        <module-option name="defaultRole">User</module-option>
        <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
        <module-option name="java.naming.provider.url">ldap://localhost:389/</module-option>
        <module-option name="java.naming.security.authentication">simple</module-option>
        <module-option name="baseCtxDN">ou=People,o=test,dc=portal,dc=example,dc=com</module-option>
        <module-option name="baseFilter">(uid={0})</module-option>
        <module-option name="rolesCtxDN">ou=Roles,o=test,dc=portal,dc=example,dc=com</module-option>
        <module-option name="roleFilter">(member={1})</module-option>
        <module-option name="roleAttributeID">member</module-option>
        <module-option name="roleRecursion">-1</module-option>
        <module-option name="roleNameAttributeID">cn</module-option>
        <module-option name="roleAttributeIsDN">true</module-option>
        <module-option name="searchTimeLimit">5000</module-option>
        <module-option name="searchScope">SUBTREE_SCOPE</module-option>
      </login-module>
      


      I also created the "Authenticated" role and associated this role with all user names in the LDAP server. I was able to log in using username/password: jduke1/theduke (I was using the portal-sample-local.ldif from JBoss).
      But when I tried to get the role for this user, I got some errors. Here is the code I used to get the user role:
      import javax.naming.InitialContext;
      import org.jboss.portal.identity.Role;
      import org.jboss.portal.identity.RoleModule;

      public String getUserRole(String username) {
          String userrole = "";
          try {
              RoleModule module = (RoleModule) new InitialContext().lookup("java:portal/RoleModule");
              Role role = module.findRoleByName(username);
              // Check for null before dereferencing the role
              if (role != null) {
                  userrole = role.getDisplayName();
                  System.out.println("&**&*& Role is: " + userrole);
              } else {
                  System.out.println("&*&*& Role is null");
              }
          } catch (Exception e) {
              // The JNDI lookup or findRoleByName failed; print the cause rather than hiding it
              System.out.println("&*&*&* InitialContext error");
              e.printStackTrace();
          }
          return userrole;
      }
      


      When that code is executed, I get these errors:

      17:29:58,109 ERROR [HibernateRoleModuleImpl] Cannot find role by name jduke1
      org.hibernate.HibernateException: Unable to locate current JTA transaction
      at org.hibernate.context.JTASessionContext.currentSession(JTASessionContext.java:61)
      at org.hibernate.impl.SessionFactoryImpl.getCurrentSession(SessionFactoryImpl.java:544)
      at org.jboss.portal.identity.db.HibernateRoleModuleImpl.getCurrentSession(HibernateRoleModuleImpl.java:386)
      at org.jboss.portal.identity.db.HibernateRoleModuleImpl.findRoleByName(HibernateRoleModuleImpl.java:101)
      at com.lmco.eagan.e2els.jboss.portlet.test.Users.getUserRole(Unknown Source)
      at com.lmco.eagan.e2els.jboss.portlet.jsp.HelloWorldJSPPortlet.doView(Unknown Source)
      at javax.portlet.GenericPortlet.doDispatch(GenericPortlet.java:133)
      at javax.portlet.GenericPortlet.render(GenericPortlet.java:306)
      at org.jboss.portal.portlet.impl.jsr168.PortletContainerImpl.invokeRender(PortletContainerImpl.java:483)
      at org.jboss.portal.portlet.impl.jsr168.PortletContainerImpl.dispatch(PortletContainerImpl.java:405)
      at org.jboss.portal.portlet.container.PortletContainerInvoker$1.invoke(PortletContainerInvoker.java:86)
      at org.jboss.portal.common.invocation.Invocation.invokeNext(Invocation.java:131)
      at org.jboss.portal.core.aspects.portlet.TransactionInterceptor.org$jboss$portal$core$aspects$portlet$TransactionInterceptor$invokeNotSupported$aop(TransactionInterceptor.java:86)
      at org.jboss.portal.core.aspects.portlet.TransactionInterceptor$invokeNotSupported_N4547270787964792031.invokeNext(TransactionInterceptor$invokeNotSupported_N4547270787964792031.java)
      at org.jboss.aspects.tx.TxPolicy.invokeInNoTx(TxPolicy.java:66)
      at org.jboss.aspects.tx.TxInterceptor$NotSupported.invoke(TxInterceptor.java:112)
      at org.jboss.portal.core.aspects.portlet.TransactionInterceptor$invokeNotSupported_N4547270787964792031.invokeNext(TransactionInterceptor$invokeNotSupported_N4547270787964792031.java)
      at org.jboss.aspects.tx.TxPolicy.invokeInNoTx(TxPolicy.java:66)
      at org.jboss.aspects.tx.TxInterceptor$NotSupported.invoke(TxInterceptor.java:102)
      at org.jboss.portal.core.aspects.portlet.TransactionInterceptor$invokeNotSupported_N4547270787964792031.invokeNext(TransactionInterceptor$invokeNotSupported_N4547270787964792031.java)
      .....


      My question is: is there a way to get the user role from LDAP? Am I missing something in the code above, or is there anything else I should do?

      Your help is greatly appreciated

      Thanks,

      SGM

        • 1. Re: Can not get user role from LDAP server
          bdaw

          I'm really surprised that "org.jboss.security.auth.spi.LdapExtLoginModule" has something to do with options like "userModuleJNDIName" or "additionalRole". What is in your identity-config.xml? Did you read the "LDAP" chapter in the portal Reference Guide or try to follow the LDAP tutorial from the blog?

          • 2. Re: Can not get user role from LDAP server
            saigon_man

            Hi,
            I changed the code in login-config.xml a little bit to match the instructions in the wiki:

            http://wiki.jboss.org/wiki/Wiki.jsp?page=UsingAnLDAPSourceForPortalAuthentication

            I did not modify identity-config.xml. login-config.xml is the only place where I made changes:

            <login-module code="org.jboss.portal.identity.auth.IdentityLoginModule" flag="sufficient">
              <module-option name="unauthenticatedIdentity">guest</module-option>
              <module-option name="userModuleJNDIName">java:/portal/UserModule</module-option>
              <module-option name="roleModuleJNDIName">java:/portal/RoleModule</module-option>
              <module-option name="additionalRole">Authenticated</module-option>
              <module-option name="password-stacking">useFirstPass</module-option>
            </login-module>
            <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
              <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
              <module-option name="java.naming.provider.url">ldap://localhost:389/</module-option>
              <module-option name="java.naming.security.authentication">simple</module-option>
              <module-option name="baseCtxDN">ou=People,o=test,dc=portal,dc=example,dc=com</module-option>
              <module-option name="baseFilter">(uid={0})</module-option>
              <module-option name="rolesCtxDN">ou=Roles,o=test,dc=portal,dc=example,dc=com</module-option>
              <module-option name="roleFilter">(member={1})</module-option>
              <module-option name="roleAttributeID">member</module-option>
              <module-option name="roleRecursion">-1</module-option>
              <module-option name="roleNameAttributeID">cn</module-option>
              <module-option name="roleAttributeIsDN">true</module-option>
              <module-option name="searchTimeLimit">5000</module-option>
              <module-option name="searchScope">SUBTREE_SCOPE</module-option>
            </login-module>
            


            but I still get the same error when trying to get the user role with the same code as posted above. This time, when I enter the username/password and hit the Enter key, there are some errors at first:

            21:55:30,343 ERROR [STDERR] java.lang.NullPointerException
            21:55:30,343 ERROR [STDERR] at javax.naming.InitialContext.getURLScheme(InitialContext.java:269)
            21:55:30,343 ERROR [STDERR] at javax.naming.InitialContext.getURLOrDefaultInitCtx(InitialContext.java:318)
            21:55:30,343 ERROR [STDERR] at javax.naming.InitialContext.lookup(InitialContext.java:392)
            21:55:30,343 ERROR [STDERR] at org.jboss.portal.identity.auth.IdentityLoginModule.getUserProfileModule(IdentityLoginModule.java:127)
            21:55:30,343 ERROR [STDERR] at org.jboss.portal.identity.auth.IdentityLoginModule$1.run(IdentityLoginModule.java:220)
            21:55:30,343 ERROR [STDERR] at org.jboss.portal.common.transaction.Transactions.apply(Transactions.java:219)
            21:55:30,343 ERROR [STDERR] at org.jboss.portal.common.transaction.Transactions.required(Transactions.java:289)
            .....


            I am really confused about the instructions in the reference guide, as I went through them a few times but haven't had any success connecting to the LDAP server (in my case, OpenDS).
            I picked the solution in the wiki because it worked for me, but now I am stuck on getting user roles straight out of LDAP. Is there a way to get those roles?

            Thanks,

            SGM

            • 4. Re: Can not get user role from LDAP server
              saigon_man

              Thanks a million for the tutorials. It worked perfectly. I am now able to connect to the LDAP server and retrieve the user role. Here is what I've done, in case other people would like to know how to do it:
              1. Follow the instructions in those tutorials above for the LDAP connection.
              2. To retrieve user roles:
              2.1 Add this configuration to ldap_identity-config.xml:

              <option-group>
                <group-name>common</group-name>
                <option>
                  <name>userCtxDN</name>
                  <value>ou=People,o=test,dc=portal,dc=example,dc=com</value>
                </option>
                <option>
                  <name>roleCtxDN</name>
                  <value>ou=Roles,o=test,dc=portal,dc=example,dc=com</value>
                </option>
                <option>
                  <name>userSearchFilter</name>
                  <value><![CDATA[(uid={0})]]></value>
                </option>
                <option>
                  <name>roleSearchFilter</name>
                  <value><![CDATA[(cn={0})]]></value>
                </option>
                <option>
                  <name>membershipAttributeID</name>
                  <value>member</value>
                </option>
              </option-group>
              



              <module>
                <!--type used to correctly map in IdentityContext registry-->
                <type>User</type>
                <implementation>LDAP</implementation>
                <class>org.jboss.portal.identity.ldap.LDAPExtUserModuleImpl</class>
                <config/>
              </module>
              <module>
                <type>Role</type>
                <implementation>LDAP</implementation>
                <class>org.jboss.portal.identity.ldap.LDAPExtRoleModuleImpl</class>
                <config/>
              </module>
              <module>
                <type>Membership</type>
                <implementation>LDAP</implementation>
                <class>org.jboss.portal.identity.ldap.LDAPStaticGroupMembershipModuleImpl</class>
                <config/>
              </module>
              


              2.2 Here is some code that retrieves all roles associated with a specific username:
              import java.util.Iterator;
              import java.util.Set;
              import javax.naming.InitialContext;
              import org.jboss.portal.identity.MembershipModule;
              import org.jboss.portal.identity.Role;
              import org.jboss.portal.identity.User;
              import org.jboss.portal.identity.UserModule;

              try {
                  InitialContext ctx = new InitialContext();
                  // Both modules are bound in JNDI by the identity service configured in ldap_identity-config.xml
                  UserModule usermodule = (UserModule) ctx.lookup("java:/portal/UserModule");
                  MembershipModule membershipmodule = (MembershipModule) ctx.lookup("java:/portal/MembershipModule");
                  User user = usermodule.findUserByUserName("Put_your_username_here");
                  // Roles come from the static group entries whose member attribute lists this user's DN
                  Set roles = membershipmodule.getRoles(user);
                  Iterator iter = roles.iterator();
                  while (iter.hasNext()) {
                      Role role = (Role) iter.next();
                      System.out.println("Role: " + role.getDisplayName());
                  }
              } catch (Exception e) {
                  // Do something here
              }
              


              SGM
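The two-step lookup that the ldap_identity-config.xml in the last post configures (resolve the login name to a user DN with userSearchFilter, then collect the role entries under roleCtxDN whose membershipAttributeID lists that DN; the first post's baseFilter/roleFilter pair in LdapExtLoginModule follows the same shape), modelled in Python as an added example. This is not JBoss Portal's code: the directory contents are constructed and are not portal-sample-local.ldif, the filter evaluator understands only a single equality filter, and the RFC 4515 escaping of the value substituted for {0} is done explicitly here because nothing in the thread shows whether the portal module does it itself.

```python
import re

# Values taken from the ldap_identity-config.xml in the last post.
USER_CTX_DN = "ou=People,o=test,dc=portal,dc=example,dc=com"
ROLE_CTX_DN = "ou=Roles,o=test,dc=portal,dc=example,dc=com"
USER_SEARCH_FILTER = "(uid={0})"
ROLE_SEARCH_FILTER = "(cn={0})"
MEMBERSHIP_ATTRIBUTE_ID = "member"
ROLE_NAME_ATTRIBUTE_ID = "cn"

# Constructed in-memory directory (DN -> attribute -> list of values). It stands
# in for the LDAP server; it is not the contents of portal-sample-local.ldif.
DIRECTORY = {
    "uid=jduke1," + USER_CTX_DN: {"uid": ["jduke1"], "cn": ["Java Duke 1"]},
    "uid=jduke2," + USER_CTX_DN: {"uid": ["jduke2"], "cn": ["Java Duke 2"]},
    "cn=Authenticated," + ROLE_CTX_DN: {
        "cn": ["Authenticated"],
        "member": ["uid=jduke1," + USER_CTX_DN, "uid=jduke2," + USER_CTX_DN],
    },
    "cn=Admin," + ROLE_CTX_DN: {
        "cn": ["Admin"],
        "member": ["uid=jduke1," + USER_CTX_DN],
    },
}


def escape_filter_value(value):
    """Escape a value before substituting it for {0} in a search filter
    (RFC 4515), so '*', '(', ')', '\\' and NUL are matched literally rather
    than read as filter syntax."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def _in_subtree(dn, base_dn):
    # SUBTREE_SCOPE: the entry sits somewhere below base_dn (DNs compare case-insensitively).
    return dn.lower().endswith("," + base_dn.lower())


def search(base_dn, filt):
    """Minimal evaluator for one equality filter such as (uid=jduke1).
    Returns the DNs of the matching entries under base_dn."""
    m = re.fullmatch(r"\((\w+)=(.*)\)", filt)
    if not m:
        raise ValueError("unsupported filter: " + filt)
    attr, raw = m.group(1), m.group(2)
    # Undo the RFC 4515 escaping so the comparison is against the literal value.
    wanted = re.sub(r"\\([0-9a-fA-F]{2})", lambda h: chr(int(h.group(1), 16)), raw)
    return [dn for dn, attrs in DIRECTORY.items()
            if _in_subtree(dn, base_dn) and wanted in attrs.get(attr, [])]


def find_user_dn(username):
    """Step 1: resolve the login name to a user DN with userSearchFilter."""
    hits = search(USER_CTX_DN, USER_SEARCH_FILTER.replace("{0}", escape_filter_value(username)))
    # Exactly one entry must match: zero means unknown user, more than one is
    # ambiguous and must not be silently resolved to the first hit.
    return hits[0] if len(hits) == 1 else None


def find_role_dn(rolename):
    """Inverse lookup with roleSearchFilter: role name -> role DN."""
    hits = search(ROLE_CTX_DN, ROLE_SEARCH_FILTER.replace("{0}", escape_filter_value(rolename)))
    return hits[0] if len(hits) == 1 else None


def roles_for(username):
    """Step 2: static group membership. A role is every entry under roleCtxDN
    whose membershipAttributeID lists the user's DN; its cn is the role name.
    (Exact string match on the DN here; a real directory compares DNs
    case-insensitively.)"""
    user_dn = find_user_dn(username)
    if user_dn is None:
        return []
    roles = []
    for dn, attrs in DIRECTORY.items():
        if _in_subtree(dn, ROLE_CTX_DN) and user_dn in attrs.get(MEMBERSHIP_ATTRIBUTE_ID, []):
            roles.extend(attrs.get(ROLE_NAME_ATTRIBUTE_ID, []))
    return sorted(roles)


if __name__ == "__main__":
    for name in ("jduke1", "jduke2", "nobody"):
        print(name, "->", roles_for(name))
```

With the sample directory, jduke1 resolves to Admin and Authenticated and jduke2 to Authenticated only; a login name containing filter metacharacters is escaped and simply fails to match any uid, which is the behaviour to expect from the user-lookup step.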