1. Re: Access roles (memberOf attribute) from Active Directory?
sam777 Jul 28, 2011 11:50 PM (in response to sam777)
Just to answer my own question so it may help others. The user used to log in doesn't need to have admin rights. Just a user account for the sole purpose of connecting to AD.
The trick to doing authorization is to retrieve the list of roles granted to the user, like:
adStore.getGrantedRoles( username );
where adStore is a custom class that extends LdapIdentityStore.
Assuming the location or distinguished name of the group that holds all security roles is: "OU=Security,OU=MyOrg Groups,DC=org,DC=nz" (one can find out this value using the 'ADSI Edit' tool in Windows XP/2003).
Then, to list all security roles, the custom class needs to set the following properties, like:

```java
setRoleContextDN("OU=Security,OU=MyOrg Groups,DC=org,DC=nz");
setRoleObjectClass( new String[]{ "group" } ); // this is always group
setRoleNameAttribute( "name" ); // this is always name
```
Then, in your authenticator class Authenticator.java, all roles can be listed like:
List<String> roles = adStore.listRoles();
Note the roles returned by adStore.getGrantedRoles have to be a subset of adStore.listRoles().
That's all. Good luck.
Regards
Sam
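The role resolution Sam describes, worked through as an added stand-alone example (not Seam code and not from the original post): list every `group` object below the role context DN, then take the user's `memberOf` values that fall under that same DN, so the granted roles are by construction a subset of the listed roles. The directory entries are a constructed snapshot of what the read-only bind account would see; the filter escaping is the check a practitioner wants before splicing a login name into an LDAP search, since an unescaped username such as `sam)(objectClass=*` rewrites the filter. DN comparison is case-insensitive because Active Directory DNs are.

```python
import re

# Values from the post; the entries below them are constructed sample data.
ROLE_CONTEXT_DN = "OU=Security,OU=MyOrg Groups,DC=org,DC=nz"
ROLE_OBJECT_CLASS = "group"   # "this is always group"
ROLE_NAME_ATTRIBUTE = "name"  # "this is always name"

DIRECTORY = {
    "CN=Admins,OU=Security,OU=MyOrg Groups,DC=org,DC=nz": {
        "objectClass": ["top", "group"], "name": ["Admins"]},
    "CN=Auditors,OU=Security,OU=MyOrg Groups,DC=org,DC=nz": {
        "objectClass": ["top", "group"], "name": ["Auditors"]},
    # A group outside the role container: membership must not become a role.
    "CN=Social Club,OU=Distribution,OU=MyOrg Groups,DC=org,DC=nz": {
        "objectClass": ["top", "group"], "name": ["Social Club"]},
    "CN=Sam,OU=Users,DC=org,DC=nz": {
        "objectClass": ["top", "person", "user"],
        "sAMAccountName": ["sam"],
        # AD returns memberOf as DNs; case varies between tools, so compare normalized.
        "memberOf": ["CN=Auditors,OU=Security,OU=MyOrg Groups,DC=org,DC=nz",
                     "cn=social club,ou=distribution,ou=myorg groups,dc=org,dc=nz"]},
}

_RDN_SPLIT = re.compile(r"(?<!\\),")  # split RDNs on commas that are not escaped


def normalize_dn(dn):
    """Canonical form for comparing DNs: case-insensitive, whitespace around
    RDN separators insignificant."""
    return ",".join(part.strip().lower() for part in _RDN_SPLIT.split(dn))


def dn_under(dn, base):
    """True if dn lies strictly below base in the tree."""
    return normalize_dn(dn).endswith("," + normalize_dn(base))


def escape_filter_value(value):
    """RFC 4515 escaping for a value spliced into an LDAP search filter."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def user_filter(username):
    """The filter an identity store would send to AD to locate the login account."""
    return "(&(objectClass=user)(sAMAccountName=%s))" % escape_filter_value(username)


def _has_class(entry, object_class):
    return object_class.lower() in (c.lower() for c in entry.get("objectClass", []))


def list_roles(directory=DIRECTORY, role_context_dn=ROLE_CONTEXT_DN):
    """Counterpart of listRoles(): the name of every group below the role context DN."""
    names = []
    for dn, entry in directory.items():
        if dn_under(dn, role_context_dn) and _has_class(entry, ROLE_OBJECT_CLASS):
            names.extend(entry.get(ROLE_NAME_ATTRIBUTE, []))
    return sorted(names)


def find_user(username, directory=DIRECTORY):
    """Stand-in for the LDAP search above (sAMAccountName is case-insensitive in AD)."""
    for entry in directory.values():
        if _has_class(entry, "user") and any(
                v.lower() == username.lower() for v in entry.get("sAMAccountName", [])):
            return entry
    return None


def granted_roles(username, directory=DIRECTORY, role_context_dn=ROLE_CONTEXT_DN):
    """Counterpart of getGrantedRoles(username): memberOf values that resolve to a
    group below the role context DN. Anything else the user belongs to is ignored,
    so the result is always a subset of list_roles()."""
    user = find_user(username, directory)
    if user is None:
        return []
    by_dn = {normalize_dn(dn): entry for dn, entry in directory.items()}
    roles = set()
    for group_dn in user.get("memberOf", []):
        if not dn_under(group_dn, role_context_dn):
            continue
        group = by_dn.get(normalize_dn(group_dn))
        if group is not None and _has_class(group, ROLE_OBJECT_CLASS):
            roles.update(group.get(ROLE_NAME_ATTRIBUTE, []))
    return sorted(roles)


if __name__ == "__main__":
    print(user_filter("sam)(objectClass=*"))
    print("all roles:", list_roles())
    print("granted to sam:", granted_roles("sam"))
```

Two caveats carry over to the real directory: `memberOf` is a back-link that lists direct membership only, so nested groups and the user's primary group are not in it, and the bind account needs nothing more than read access to the user and group containers, which matches the non-admin service account Sam used.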