2 Replies Latest reply on Jul 12, 2009 12:57 PM by napa

    Problems with ldapIdentityStore and complex Active Directory

    napa

      Hello everyone!


      I am new to the Seam Framework. In my application I want to authenticate the user against AD. The content of my component.xml:

      <security:ldap-identity-store
          server-address="server.company.com"
          role-DN-prefix="cn=SVN-Haithabu"
          bind-credentials="secret"
          bind-DN="cn=Manager,ou=maintenance,ou=Users,ou=Business,dc=company,dc=com"
          role-DN-suffix=",ou=Security Groups,ou=Business,dc=company,dc=com"
          role-context-DN="ou=Security Groups,ou=MyBusiness,dc=company,dc=com"
          user-DN-prefix="cn="
          user-DN-suffix=",ou=Users,ou=Business,dc=company,dc=com"
          user-context-DN="ou=Users,ou=Business,dc=company,dc=com"
          user-name-attribute="sAMAccountName"
          user-object-classes="top,person,organizationalPerson,user"
          user-role-attribute="member"
          search-scope="SUBTREE_SCOPE"
      />

      The structure of the Active Directory:

      - World
        - com
          - company
            - Business
              - Security Groups
                - intern
                - extern
                - admin
                - distribution
                - administration
              - Users
                - intern
                - maintenance
                - company
                  - city1
                  - city2
                    - IT
                    - Accounting
                    - Teamleader
                      - Guybrush Threepwood
                      - LeChuck
                      - Herman Toothrot

      Last but not least, the main parts of the login.xhtml:

      <div class="dialog">
          <h:panelGrid columns="2" rowClasses="prop" columnClasses="name,value">
              <h:outputLabel for="username">Username</h:outputLabel>
              <h:inputText id="username" value="#{credentials.username}"/>
              <h:outputLabel for="password">Password</h:outputLabel>
              <h:inputSecret id="password" value="#{credentials.password}"/>
          </h:panelGrid>
      </div>
      </rich:panel>
      <div class="actionButtons">
          <h:commandButton value="Login" action="#{identity.login}"/>
      </div>

      Now the problem! In my opinion the authentication process does not check subtrees. If I configure the role-DN-suffix like this, I am able to log in:

      user-DN-suffix=",ou=Teamleader,ou=city2,ou=company,ou=Users,ou=Business,dc=company,dc=com"

      But then a further problem is that I can't use the roles. I think this is the same problem with the subtrees.
      The configuration with

      search-scope="SUBTREE_SCOPE"

      doesn't help at all.

      Does anyone have an easy idea or a solution?

      Thank you all in advance.

        • 1. Re: Problems with ldapIdentityStore and complex Active Directory
          bthelen.bruce.brucethelen.com

          Did you come up with a solution for this?  I'm in the exact same boat right now.

          • 2. Re: Problems with ldapIdentityStore and complex Active Directory
            napa

            Bruce Thelen wrote on Jul 08, 2009 23:58:



            Hi Bruce!


            I didn't find a solution with the component.xml file, but I have found a more flexible solution: I wrote a very simple class for authentication which uses the interfaces and classes of Seam.
            A further advantage is that you can use more than one Active Directory.


            It would be nice to solve the problem with the component.xml file, but to be more flexible for future challenges, do-it-yourself coding will in my opinion be a better strategy.


            I will post it tomorrow! Thank you for your interest. It is good to know that I am not the only one in this situation.
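The subtree lookup that the component.xml configuration in the question does not perform, written here as an added example (it is not napa's class, which never appeared in this thread, and not Seam's own code): a plain JNDI authenticator that searches below `ou=Users,ou=Business,dc=company,dc=com` with SUBTREE_SCOPE, binds as the DN it finds, and collects the user's `memberOf` groups. The server name, manager bind DN and base DN are taken from the posted configuration; the ldaps:// URL and port 636 are assumptions, as is the class name.

```java
import java.util.*;
import javax.naming.*;
import javax.naming.directory.*;
import javax.naming.ldap.*;

// Subtree-aware AD login: search for the account below the user base, bind as the DN found, read memberOf.
public class AdSubtreeAuthenticator {
    // Assumed values modelled on the thread's component.xml; the ldaps:// scheme and port are added here.
    static final String URL = "ldaps://server.company.com:636";
    static final String BIND_DN = "cn=Manager,ou=maintenance,ou=Users,ou=Business,dc=company,dc=com";
    static final String BIND_PW = "secret";
    static final String USER_BASE = "ou=Users,ou=Business,dc=company,dc=com";

    static LdapContext connect(String principal, String credentials) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, principal);
        env.put(Context.SECURITY_CREDENTIALS, credentials);
        return new InitialLdapContext(env, null);  // throws AuthenticationException on a rejected bind
    }

    // Returns the user's group DNs, or null when the account is unknown or the password is wrong.
    public static Set<String> authenticate(String username, String password) throws NamingException {
        if (username == null || username.isEmpty() || password == null || password.isEmpty()) {
            return null;  // AD treats an empty password as an anonymous bind, which would "succeed"
        }
        LdapContext service = connect(BIND_DN, BIND_PW);  // a bad manager password surfaces as a config error
        try {
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE);  // descends into company/city2/Teamleader etc.
            sc.setReturningAttributes(new String[] {"memberOf"});
            // {0} is escaped by JNDI, so the typed username cannot change the meaning of the filter.
            NamingEnumeration<SearchResult> hits = service.search(USER_BASE,
                    "(&(objectClass=user)(sAMAccountName={0}))", new Object[] {username}, sc);
            if (!hits.hasMore()) return null;
            SearchResult hit = hits.next();
            Set<String> groups = new LinkedHashSet<>();
            Attribute memberOf = hit.getAttributes().get("memberOf");  // direct group memberships only
            if (memberOf != null) {
                for (NamingEnumeration<?> g = memberOf.getAll(); g.hasMore();) groups.add((String) g.next());
            }
            connect(hit.getNameInNamespace(), password).close();  // the user's own bind is the password check
            return groups;
        } catch (AuthenticationException wrongPassword) {
            return null;
        } finally {
            service.close();
        }
    }
}
```

A Seam authenticator would call `authenticate(credentials.getUsername(), credentials.getPassword())` and add the returned group names as roles; nested groups are not expanded because `memberOf` lists only direct memberships.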