-
1. Re: LdapIdentityStore
shane.bryzak Nov 4, 2009 7:52 AM (in response to charliebarjel)No, it doesn't support this yet but I think it would be useful. There is a problem doing this though - where in the tree do new users get created? The API only provides a method for creating a user using their username, password, firstname and lastname.
-
2. Re: LdapIdentityStore
charliebarjel Nov 4, 2009 10:59 PM (in response to charliebarjel)Yes, that would be very useful.
The issue I have is that the LDAP tree I'm working with has users under different 'offices':
Sites
  - Offices
    - Office 1
    - Office 2
    ...
    - Office n
How can I use the LdapIdentityStore to authenticate users under each DN suffix?
In this case, I would have three:
1. ou=Office 1, ou=Offices, ou=Sites
2. ou=Office 2, ou=Offices, ou=Sites
3. ou=Office n, ou=Offices, ou=Sites
Maybe LdapIdentityStore isn't the best option in this case?
Charlie
-
3. Re: LdapIdentityStore
shane.bryzak Nov 5, 2009 12:30 AM (in response to charliebarjel)You would have to extend LdapIdentityStore to achieve this. The problem remains though where new users get created.
-
4. Re: LdapIdentityStore
charliebarjel Nov 5, 2009 1:50 AM (in response to charliebarjel)Well, in my case I'm using LdapIdentityStore mainly for authentication, and not so much to add/edit/delete users.
Is it still the best option to go with? Or should I go with the simple authenticator?
If I were to extend the LdapIdentityStore, would I only need to override the authenticate method, and perform all my searches for users under all subtrees from there?
Thanks for your help.
Charlie
-
5. Re: LdapIdentityStore
shane.bryzak Nov 5, 2009 2:26 AM (in response to charliebarjel)Since you don't want to actually manage the users it makes it a little easier. The authenticate() method works by simply taking the username and password values that you provide and using them (in conjunction with the userDNPrefix and userDNSuffix properties) to create the InitialLdapContext.
In your case the userDNSuffix won't be sufficient as it contains a specific value... so what you probably need to do is first bind using the bindDN, then search the subtrees for the user, then once you find it re-bind using the correct userDN. You probably don't need to override the authenticate() method at all, I'd say you can get away with simply overriding the getUserDN() method to do what I just described.
-
6. Re: LdapIdentityStore
charliebarjel Nov 5, 2009 2:33 AM (in response to charliebarjel)Thanks for your help Shane.
I will give it a try.
-
7. Re: LdapIdentityStore
charliebarjel Nov 5, 2009 3:38 AM (in response to charliebarjel)Sorry Shane. Just another question for clarification.
Does the userDN string that is returned by getUserDN() get passed to the authenticate() method?
Or do I need to do a re-bind within the getUserDN() method first? And then return the userDN if all is ok?
If so, does the IdentityManager have a bind method that can be used?
-
8. Re: LdapIdentityStore
shane.bryzak Nov 5, 2009 4:02 AM (in response to charliebarjel)The authenticate() method calls getUserDN() to get the principal with which to bind. You'll need to override this method to bind with the default bindDN, search the subtrees for the actual user entry and then return that value, which will then be used to authenticate. Here's some pseudo-code:

import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.InitialLdapContext;
import org.jboss.seam.security.management.IdentityManagementException;
import org.jboss.seam.security.management.LdapIdentityStore;

public class MultiOfficeLdapIdentityStore extends LdapIdentityStore
{
   @Override
   protected String getUserDN(String username)
   {
      InitialLdapContext ctx = null;
      try
      {
         // Bind as the service account first; the user's own DN is not known yet
         ctx = initialiseContext(getBindDN(), getBindCredentials());

         // Search the whole subtree below the user context for the user name. For this
         // to cover every office, user-context-DN must be the parent of the office OUs
         // (e.g. ou=Offices,ou=Sites,...) and user-name-attribute the login attribute.
         // The {0} placeholder is escaped by JNDI, so a crafted user name cannot change
         // the meaning of the filter.
         SearchControls controls = new SearchControls();
         controls.setSearchScope(SearchControls.SUBTREE_SCOPE);
         controls.setReturningAttributes(new String[0]);
         NamingEnumeration<SearchResult> results = ctx.search(getUserContextDN(),
               "(" + getUserNameAttribute() + "={0})", new Object[] { username }, controls);

         if (results.hasMore())
         {
            // The DN of the entry that was found is the principal authenticate() binds with
            return results.next().getNameInNamespace();
         }

         // Not found in any subtree: fall back to the configured prefix + username + suffix
         return super.getUserDN(username);
      }
      catch (NamingException ex)
      {
         throw new IdentityManagementException("Authentication error", ex);
      }
      finally
      {
         if (ctx != null)
         {
            try { ctx.close(); } catch (NamingException ex) {}
         }
      }
   }
}
-
9. Re: LdapIdentityStore
charliebarjel Nov 9, 2009 2:24 AM (in response to charliebarjel)Hi,
I have set up the ldap-identity-store in my components.xml, but I seem to be getting an exception, and I can't find the actual cause:
12:19:38,410 WARN [SeamLoginModule] Error invoking login method
It does not print out any other exception or details... is there any way to see the full exception so I know where the error is actually coming from?
Here is my components.xml
<?xml version="1.0" encoding="UTF-8"?>
<components xmlns="http://jboss.com/products/seam/components"
            xmlns:core="http://jboss.com/products/seam/core"
            xmlns:persistence="http://jboss.com/products/seam/persistence"
            xmlns:drools="http://jboss.com/products/seam/drools"
            xmlns:bpm="http://jboss.com/products/seam/bpm"
            xmlns:security="http://jboss.com/products/seam/security"
            xmlns:mail="http://jboss.com/products/seam/mail"
            xmlns:web="http://jboss.com/products/seam/web"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
            xsi:schemaLocation=
                "http://jboss.com/products/seam/core http://jboss.com/products/seam/core-2.2.xsd
                 http://jboss.com/products/seam/persistence http://jboss.com/products/seam/persistence-2.2.xsd
                 http://jboss.com/products/seam/drools http://jboss.com/products/seam/drools-2.2.xsd
                 http://jboss.com/products/seam/bpm http://jboss.com/products/seam/bpm-2.2.xsd
                 http://jboss.com/products/seam/security http://jboss.com/products/seam/security-2.2.xsd
                 http://jboss.com/products/seam/mail http://jboss.com/products/seam/mail-2.2.xsd
                 http://jboss.com/products/seam/web http://jboss.com/products/seam/web-2.2.xsd
                 http://jboss.com/products/seam/components http://jboss.com/products/seam/components-2.2.xsd">

   <core:init debug="@debug@" jndi-pattern="@jndiPattern@"/>

   <core:manager concurrent-request-timeout="500"
                 conversation-timeout="120000"
                 conversation-id-parameter="cid"
                 parent-conversation-id-parameter="pid"/>

   <!-- Make sure this URL pattern is the same as that used by the Faces Servlet -->
   <web:hot-deploy-filter url-pattern="*.seam"/>

   <!-- If you are still using JBoss 4, uncomment this to have your PU started -->
   <!--
   <persistence:entity-manager-factory name="entityManagerFactory"
                                       persistence-unit-name="koncentrator"
                                       installed="@seamBootstrapsPu@"/>
   -->

   <persistence:managed-persistence-context name="entityManager"
                                            auto-create="true"
                                            entity-manager-factory="@seamEmfRef@"
                                            persistence-unit-jndi-name="@puJndiName@"/>

   <drools:rule-base name="securityRules">
      <drools:rule-files><value>/security.drl</value></drools:rule-files>
   </drools:rule-base>

   <security:rule-based-permission-resolver security-rules="#{securityRules}"/>

   <security:identity remember-me="true"/>

   <security:ldap-identity-store name="ldapIdentityStore"
      server-address="ldap://ac3adc01"
      server-port="389"
      bind-DN="cn=LDAPReadAccount,cn=Users,dc=StateWater,dc=local"
      bind-credentials="LDAP09SW!"
      user-DN-prefix="sAMAccountName="
      user-DN-suffix=",ou=Parramatta,ou=Offices,ou=Sites,dc=StateWater,dc=local"
      role-DN-prefix="cn="
      role-DN-suffix=",ou=Groups,ou=Sites,dc=StateWater,dc=local"
      user-context-DN="ou=Parramatta,ou=Offices,ou=Sites,dc=StateWater,dc=local"
      role-context-DN="ou=Groups,ou=Sites,dc=StateWater,dc=local"
      user-role-attribute="memberOf"
      role-name-attribute="name"
      user-object-classes="person,user"
      role-object-classes="group"
      enabled-attribute="enabled"/>

   <security:identity-manager identity-store="#{ldapIdentityStore}"/>

   <event type="org.jboss.seam.security.notLoggedIn">
      <action execute="#{redirect.captureCurrentView}"/>
   </event>
   <event type="org.jboss.seam.security.loginSuccessful">
      <action execute="#{redirect.returnToCapturedView}"/>
   </event>

   <mail:mail-session host="localhost" port="25"/>

   <!-- For use with jBPM pageflow or process management -->
   <!--
   <bpm:jbpm>
      <bpm:process-definitions></bpm:process-definitions>
      <bpm:pageflow-definitions></bpm:pageflow-definitions>
   </bpm:jbpm>
   -->

</components>
Any suggestions would be appreciated.
-
10. Re: LdapIdentityStore
charliebarjel Nov 11, 2009 12:47 AM (in response to charliebarjel)Does anyone have any advice on this issue?
It's not printing the exception stack trace or cause, so I'm not sure what the problem is at all. Are these the only three components I need for setting up ldap-identity-store?

<security:identity remember-me="true"/>

<security:ldap-identity-store name="ldapIdentityStore"
   server-address="ac3adc01.StateWater.local"
   server-port="389"
   bind-DN="cn=LDAPReadAccount,cn=Users,dc=StateWater,dc=local"
   bind-credentials="LDAP09SW!"
   user-DN-prefix="sAMAccountName="
   user-DN-suffix=",ou=Parramatta,ou=Offices,ou=Sites,dc=StateWater,dc=local"
   role-DN-prefix="cn="
   role-DN-suffix=",ou=Groups,ou=Sites,dc=StateWater,dc=local"
   user-context-DN="ou=Parramatta,ou=Offices,ou=Sites,dc=StateWater,dc=local"
   role-context-DN="ou=Groups,ou=Sites,dc=StateWater,dc=local"
   user-role-attribute="memberOf"
   role-name-attribute="name"
   user-object-classes="person,user"
   role-object-classes="group"
   enabled-attribute="enabled"/>

<security:identity-manager identity-store="#{ldapIdentityStore}"/>
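As an added example, not code from the thread or from Seam: a stand-alone JNDI program that performs the two-step login Shane describes in posts 5 and 8 (bind as the read-only account, search the subtree under the offices OU for the user, then bind again as the DN that was found) with no Seam in between, so the real cause of a failure is printed instead of the bare "Error invoking login method" warning from posts 9 and 10. The host, service account DN, search base and name attribute are placeholders modelled on the posted configuration and must be replaced with your own; the service password is deliberately not the one from the thread. The program builds the provider URL itself, with scheme and port explicit, rather than relying on the server-address and server-port settings.

```java
import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;

/**
 * Stand-alone check of the two-step LDAP login discussed in the thread:
 *   1. bind as the read-only service account
 *   2. search the subtree below SEARCH_BASE for the user name
 *   3. bind again as the DN that was found, with the user's password
 * Usage: java LdapLoginCheck <username> <password>
 */
public class LdapLoginCheck
{
   // Placeholders (assumptions): replace with the real values for your directory.
   static final String PROVIDER_URL   = "ldap://ac3adc01.StateWater.local:389";
   static final String BIND_DN        = "cn=LDAPReadAccount,cn=Users,dc=StateWater,dc=local";
   static final String BIND_PASSWORD  = "change-me";
   static final String SEARCH_BASE    = "ou=Offices,ou=Sites,dc=StateWater,dc=local"; // parent of all office OUs
   static final String NAME_ATTRIBUTE = "sAMAccountName";

   /** Simple bind as the given DN; throws NamingException (AuthenticationException on bad credentials). */
   static LdapContext bind(String principal, String credentials) throws NamingException
   {
      Hashtable<String, String> env = new Hashtable<String, String>();
      env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
      env.put(Context.PROVIDER_URL, PROVIDER_URL);
      env.put(Context.SECURITY_AUTHENTICATION, "simple");
      env.put(Context.SECURITY_PRINCIPAL, principal);
      env.put(Context.SECURITY_CREDENTIALS, credentials);
      return new InitialLdapContext(env, null);
   }

   /** Returns the DN of the first entry matching username anywhere below SEARCH_BASE, or null. */
   static String findUserDN(LdapContext ctx, String username) throws NamingException
   {
      SearchControls controls = new SearchControls();
      controls.setSearchScope(SearchControls.SUBTREE_SCOPE);
      controls.setReturningAttributes(new String[0]); // only the DN is needed
      // {0} is substituted by JNDI with filter escaping applied, so a user name such as
      // "*)(objectClass=*" cannot widen the filter (LDAP injection).
      NamingEnumeration<SearchResult> results = ctx.search(SEARCH_BASE,
            "(&(objectClass=user)(" + NAME_ATTRIBUTE + "={0}))",
            new Object[] { username }, controls);
      try
      {
         return results.hasMore() ? results.next().getNameInNamespace() : null;
      }
      finally
      {
         results.close();
      }
   }

   public static void main(String[] args) throws NamingException
   {
      if (args.length != 2)
      {
         System.err.println("usage: LdapLoginCheck <username> <password>");
         System.exit(2);
      }
      String username = args[0];
      String password = args[1];

      // Reject an empty password before binding: a simple bind with a DN and no password is an
      // unauthenticated bind, which some servers answer with success.
      if (password.isEmpty())
      {
         System.err.println("empty password rejected");
         System.exit(1);
      }

      LdapContext service = bind(BIND_DN, BIND_PASSWORD);
      String userDN;
      try { userDN = findUserDN(service, username); } finally { service.close(); }
      if (userDN == null)
      {
         System.err.println("no entry for " + username + " below " + SEARCH_BASE);
         System.exit(1);
      }
      System.out.println("resolved DN: " + userDN);

      try
      {
         bind(userDN, password).close();
         System.out.println("bind as user OK");
      }
      catch (AuthenticationException ex)
      {
         System.err.println("bind as user failed: " + ex.getMessage());
         System.exit(1);
      }
   }
}
```

Run it as java LdapLoginCheck <username> <password>. If the service bind fails, the problem is the host, port or service account; if the search returns nothing, the search base or name attribute is wrong; only if the second bind fails is the user's password at fault. The empty-password guard is worth keeping in whatever code eventually binds as the end user, since an unauthenticated bind that returns success would otherwise look like a valid login.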