1 Reply Latest reply on Jul 28, 2011 11:50 PM by sam777

    Access roles(memberOf attribute) from Active Directory?

    sam777

      Hi guys,


Did anyone succeed in retrieving roles from Active Directory (AD) using the 'memberOf' attribute?


      If yes, can you shed some light on how this is done?


      BTW, I worked out how to do authentication against AD already with the thread


         http://www.seamframework.org/Community/IdentityManagementActiveDirectory and
          http://www.seamframework.org/Community/LdapIdentityStoreAndActiveDirectory


It's the authorization I am having a problem with.


      My working code that does only authentication is like:




      @Name("customLdapIdentityStore")
      @Startup
      @AutoCreate
      @Scope(ScopeType.APPLICATION)
      public class ActiveDirectoryLdapIdentityStore extends LdapIdentityStore {
              
              private static final long serialVersionUID = -1250675501823301128L;
      
              @PostConstruct
              public void init()      {
          
                  setServerAddress("myorg.co.nz"); // 
                  setServerPort(389);
                  
                  setBindDN("CN=MyName,OU=MYORG Users,DC=MYORG,DC=co,DC=nz");
                  setBindCredentials( "welcome777" ); // swap in real password
                  
                  setUserDNPrefix("");
                  setUserDNSuffix("myorg.co.nz");
                  setUserNameAttribute("sAMAccountName");
                  
                  setUserContextDN("OU=MOEST Users,DC=moest,DC=govt,DC=nz");
                  
                  // this is required else authentication exception when listing roles with IdentityStore.listRoles();
                  setRoleContextDN("OU=MYORG Users,DC=myorg,DC=co,DC=nz");  
      
                  setUserRoleAttribute( "memberOf" );
      
              }
              
              @Override
              protected String getUserDN(String username)
              {
                      return String.format("%s%s%s", getUserDNPrefix(), username, "@"+getUserDNSuffix());
              }
      
      }





      Am I right to assume that to be able to retrieve value of memberOf attribute, the user I used to login (i.e. setBindDN(..) above) needs to have admin right in context specified by user-context-dn attribute, whose value is set in setUserContextDN(...)?


      Thanks in advance


      Sam

        • 1. Re: Access roles(memberOf attribute) from Active Directory?
          sam777

Just to answer my own question so it may help others. The user used to login doesn't need to have admin rights. Just a user account for the sole purpose of connecting to AD.

          The trick of doing authorization is to retrieve a list of roles granted to user like:

            adStore.getGrantedRoles( username );

          where adStore is a custom class that extends LdapIdentityStore.


Assuming the location or distinguished name of the group that holds all security roles is: "OU=Security,OU=MyOrg Groups,DC=org,DC=nz" (one can find out this value using the tool 'ADSI Edit' in Windows XP/2003)

          Then to list all security roles, the custom class needs to set the following properties like:

           

```java
setRoleContextDN("OU=Security,OU=MyOrg Groups,DC=org,DC=nz");
setRoleObjectClass(new String[]{ "group" }); // this is always group
setRoleNameAttribute("name"); // this is always name
```



Then in your authenticator class Authenticator.java, all roles can be listed like:

            List<String> roles = adStore.listRoles();

Note the roles returned by adStore.getGrantedRoles have to be a subset of adStore.listRoles().


          That's all. Good luck.


          Regards

          Sam
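The authenticator wiring that Sam describes, written out as an added example; this is neither Sam's code nor Seam's own source. It assumes the custom store above is registered as the Seam component "customLdapIdentityStore", that the authenticator component is named "authenticator" and referenced from components.xml as #{authenticator.authenticate}, and that the package name is a placeholder. It authenticates the user against AD, then loads only those memberOf groups that also appear in listRoles() (the subset rule from the reply) into the Seam Identity, so a group outside the role context DN never becomes an application role.

```java
package example.security; // placeholder package

import java.util.HashSet;
import java.util.List;
import java.util.Set;

import org.jboss.seam.annotations.In;
import org.jboss.seam.annotations.Logger;
import org.jboss.seam.annotations.Name;
import org.jboss.seam.log.Log;
import org.jboss.seam.security.Credentials;
import org.jboss.seam.security.Identity;

@Name("authenticator") // assumed component name, wired as #{authenticator.authenticate}
public class Authenticator {

    @Logger
    private Log log;

    @In
    private Identity identity;

    @In
    private Credentials credentials;

    // the custom LdapIdentityStore subclass from this thread
    @In("customLdapIdentityStore")
    private ActiveDirectoryLdapIdentityStore adStore;

    public boolean authenticate() {
        String username = credentials.getUsername();
        String password = credentials.getPassword();

        // Refuse an empty password before it reaches the directory: an LDAP bind with a
        // name but no password is an "unauthenticated bind" (RFC 4513), which servers may
        // treat as a successful anonymous bind rather than a failed login.
        if (username == null || username.trim().isEmpty()
                || password == null || password.isEmpty()) {
            return false;
        }

        // Step 1: authentication, exactly as in the original store
        if (!adStore.authenticate(username, password)) {
            log.info("AD authentication failed for #0", username);
            return false;
        }

        // Step 2: authorization. listRoles() enumerates the groups under the role
        // context DN; getGrantedRoles() returns the user's memberOf groups.
        Set<String> knownRoles = new HashSet<String>(adStore.listRoles());
        List<String> granted = adStore.getGrantedRoles(username);

        for (String role : granted) {
            if (knownRoles.contains(role)) {
                identity.addRole(role);
            } else {
                // group membership outside the security OU is not an application role
                log.debug("ignoring group #0 for user #1 (not under role context DN)", role, username);
            }
        }
        return true;
    }
}
```

Because listRoles() is scoped by setRoleContextDN(...), the intersection above is what enforces the "subset" requirement in practice: a user who is a member of unrelated groups elsewhere in the directory still only receives the roles defined under "OU=Security,OU=MyOrg Groups,DC=org,DC=nz".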