Problems with ldapIdentityStore and complex Active Directory
napa Jun 24, 2009 12:25 PM
Hello everyone!
I am new to the Seam Framework. In my application I want to authenticate the user against AD. The content of my component.xml:
<security:ldap-identity-store
    server-address="server.company.com"
    bind-DN="cn=Manager,ou=maintenance,ou=Users,ou=Business,dc=company,dc=com"
    bind-credentials="secret"
    user-DN-prefix="cn="
    user-DN-suffix=",ou=Users,ou=Business,dc=company,dc=com"
    user-context-DN="ou=Users,ou=Business,dc=company,dc=com"
    user-name-attribute="sAMAccountName"
    user-object-classes="top,person,organizationalPerson,user"
    user-role-attribute="member"
    role-DN-prefix="cn=SVN-Haithabu"
    role-DN-suffix=",ou=Security Groups,ou=Business,dc=company,dc=com"
    role-context-DN="ou=Security Groups,ou=MyBusiness,dc=company,dc=com"
    search-scope="SUBTREE_SCOPE" />
The structure of the Active Directory (nesting reconstructed from the DNs used in the configuration):
- World
  - com
    - company
      - Business
        - Security Groups
          - intern
          - extern
          - admin
          - distribution
          - administration
        - Users
          - intern
          - maintenance
          - company
            - city1
            - city2
              - IT
              - Accounting
              - Teamleader
                - Guybrush Threepwood
                - LeChuck
                - Herman Toothrot
Last but not least, the main parts of the login.xhtml:
<div class="dialog">
    <h:panelGrid columns="2" rowClasses="prop" columnClasses="name,value">
        <h:outputLabel for="username">Username</h:outputLabel>
        <h:inputText id="username" value="#{credentials.username}"/>
        <h:outputLabel for="password">Password</h:outputLabel>
        <h:inputSecret id="password" value="#{credentials.password}"/>
    </h:panelGrid>
</div>
</rich:panel>
<div class="actionButtons">
    <h:commandButton value="Login" action="#{identity.login}"/>
</div>
Now the problem! In my opinion the authentication process does not check subtrees. If I configure the role-DN-suffix like this, I am able to log in:
user-DN-suffix=",ou=Teamleader,ou=city2,ou=company,ou=Users,ou=Business,dc=company,dc=com"
But then a further problem is that I can't use the roles. I think this is the same problem with the subtrees.
The configuration with
search-scope="SUBTREE_SCOPE"
doesn't help at all.
Does anyone have an easy idea or a solution?
Thank you all in advance.
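An added illustration (my own, not code from the post and not Seam's implementation) of the two ways an identity store can turn a login name into a bind DN, run against an in-memory stand-in for the AD tree described above. The directory entries, the passwords, the login name `gthreepwood` and the `in_scope`/`search`/`bind` helpers are constructed for the example; a real deployment would issue the same searches over LDAP (JNDI, ldap3 or similar) instead of walking a dict.

```python
"""Added example: fixed DN template vs. subtree search-then-bind.

The directory below is a constructed stand-in for the OU layout in the post;
only one user, one service account and one group are populated."""

from typing import Dict, List, Optional

# Constructed sample DNs (layout taken from the post, people/passwords made up)
GUYBRUSH_DN = ("cn=Guybrush Threepwood,ou=Teamleader,ou=city2,ou=company,"
               "ou=Users,ou=Business,dc=company,dc=com")
MANAGER_DN = "cn=Manager,ou=maintenance,ou=Users,ou=Business,dc=company,dc=com"
GROUP_DN = "cn=SVN-Haithabu,ou=Security Groups,ou=Business,dc=company,dc=com"
USER_BASE = "ou=Users,ou=Business,dc=company,dc=com"
ROLE_BASE = "ou=Security Groups,ou=Business,dc=company,dc=com"

DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    MANAGER_DN: {"objectClass": ["top", "person", "organizationalPerson", "user"],
                 "sAMAccountName": ["manager"], "userPassword": ["secret"]},
    GUYBRUSH_DN: {"objectClass": ["top", "person", "organizationalPerson", "user"],
                  "sAMAccountName": ["gthreepwood"],
                  "userPassword": ["mighty-pirate"]},
    GROUP_DN: {"objectClass": ["top", "group"], "member": [GUYBRUSH_DN]},
}


def _norm(value: str) -> str:
    """Case-fold and strip blanks around RDN separators so DNs (and plain
    attribute values) compare reliably. Escaped commas are not handled."""
    return ",".join(part.strip().casefold() for part in value.split(","))


def in_scope(dn: str, base: str, scope: str) -> bool:
    """JNDI-style scopes: OBJECT_SCOPE (base only), ONELEVEL_SCOPE (direct
    children only), SUBTREE_SCOPE (base and every descendant)."""
    dn, base = _norm(dn), _norm(base)
    if dn == base:
        return scope != "ONELEVEL_SCOPE"
    if not dn.endswith("," + base):
        return False
    if scope == "SUBTREE_SCOPE":
        return True
    if scope == "ONELEVEL_SCOPE":
        return "," not in dn[: -len(base) - 1]   # exactly one RDN above base
    return False


def search(base: str, scope: str, attr: str, value: str) -> List[str]:
    """DNs of entries under `base` (per `scope`) whose `attr` holds `value`."""
    want = _norm(value)
    return [dn for dn, attrs in DIRECTORY.items()
            if in_scope(dn, base, scope)
            and any(_norm(v) == want for v in attrs.get(attr, []))]


def bind(dn: str, password: str) -> bool:
    """Simple bind: the DN must exist and the password must match."""
    entry = next((a for d, a in DIRECTORY.items() if _norm(d) == _norm(dn)), None)
    return entry is not None and password in entry.get("userPassword", [])


def authenticate_by_dn_template(username: str, password: str,
                                prefix: str = "cn=",
                                suffix: str = "," + USER_BASE) -> Optional[str]:
    """Strategy 1: bind DN = prefix + username + suffix, no search at all.
    Works only if the user object sits directly under the suffix."""
    dn = f"{prefix}{username}{suffix}"
    return dn if bind(dn, password) else None


def authenticate_by_search(username: str, password: str,
                           scope: str = "SUBTREE_SCOPE") -> Optional[str]:
    """Strategy 2 (search-then-bind): bind as the service account, look the
    login name up by sAMAccountName under USER_BASE with the given scope,
    then bind as the DN that was found. Zero or several hits mean 'refuse'."""
    if not bind(MANAGER_DN, "secret"):
        raise PermissionError("service account bind failed")
    hits = search(USER_BASE, scope, "sAMAccountName", username)
    if len(hits) != 1:
        return None
    return hits[0] if bind(hits[0], password) else None


def roles_for(user_dn: str, scope: str = "SUBTREE_SCOPE") -> List[str]:
    """cn of every group under ROLE_BASE whose member attribute holds the
    user's DN, found with the same scope rules as the user lookup."""
    groups = search(ROLE_BASE, scope, "member", user_dn)
    return [g.split(",", 1)[0].split("=", 1)[1] for g in groups]


if __name__ == "__main__":
    # The post's situation: cn + a suffix three OUs too high -> no such DN.
    print(authenticate_by_dn_template("Guybrush Threepwood", "mighty-pirate"))
    # Same template with the user's real parent OU as suffix -> login works,
    # but only for users living in that one OU.
    print(authenticate_by_dn_template(
        "Guybrush Threepwood", "mighty-pirate",
        suffix=",ou=Teamleader,ou=city2,ou=company," + USER_BASE))
    # Search-then-bind finds the user anywhere under ou=Users and the roles.
    dn = authenticate_by_search("gthreepwood", "mighty-pirate")
    print(dn, roles_for(dn))
```

The contrast is the point: the template strategy succeeds only when the suffix is exactly the user's parent container, so the search scope never comes into play for it, whereas the search strategy applies the scope to the attribute lookup and then binds with whatever DN it found. Whether a particular identity store performs such a search before binding, and whether its role lookup honours the same scope, is a question for that store's documentation or source; the example makes no claim about how Seam does it.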