LDAP Authentication and Database Authorization
dereklee Oct 30, 2012 8:17 AM
Hi experts,
As the title says I am trying to authenticate user from LDAP and get the roles from the database.
I am using JBoss 7.1.1 AS and PicketLink 2.1.5.
My IDP configuration: I have LDAP set up like this (standalone.xml under $jboss_installation/standalone/configuration):
<security-domain name="idp" cache-type="default">
    <authentication>
        <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">
            <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
            <module-option name="java.naming.provider.url" value="ldap://xxx:xxx"/>
            <module-option name="java.naming.security.authentication" value="simple"/>
            <module-option name="bindDN" value="xxx"/>
            <module-option name="bindCredential" value="xxx"/>
            <module-option name="baseCtxDN" value="DC=xxx,DC=xxx,DC=com"/>
            <module-option name="baseFilter" value="(sAMAccountName={0})"/>
            <module-option name="rolesCtxDN" value="DC=xxx,DC=xxx,DC=com"/>
            <module-option name="roleFilter" value="(member={0})"/>
            <module-option name="roleAttributeID" value="cn"/>
            <module-option name="searchScope" value="ONELEVEL_SCOPE"/>
            <module-option name="allowEmptyPasswords" value="false"/>
        </login-module>
    </authentication>
    <audit>
        <provider-module code="org.picketlink.identity.federation.core.audit.PicketLinkAuditProvider"/>
    </audit>
</security-domain>
My SP (picketlink.xml under \WEB-INF\):
<PicketLink xmlns="urn:picketlink:identity-federation:config:2.1">
    <PicketLinkSP xmlns="urn:picketlink:identity-federation:config:2.1"
                  ServerEnvironment="tomcat" BindingType="REDIRECT" RelayState="someURL">
        <IdentityURL>${idp.url::http://localhost:8080/idp/}</IdentityURL>
        <ServiceURL>${myapp.url::http://localhost:8080/myapp/}</ServiceURL>
    </PicketLinkSP>
    <Handlers xmlns="urn:picketlink:identity-federation:handler:config:2.1">
        <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler" />
        <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler" />
        <Handler class="org.picketlink.identity.federation.web.handlers.saml2.RolesGenerationHandler">
            <Option Key="ROLE_GENERATOR" Value="CustomRoleGenerator"/>
        </Handler>
    </Handlers>
</PicketLink>
I also have CustomRoleGenerator.java:
import java.security.Principal;
import java.util.ArrayList;
import java.util.List;

import org.picketlink.identity.federation.core.interfaces.RoleGenerator;

public class CustomRoleGenerator implements RoleGenerator
{
    public List<String> generateRoles(Principal principal)
    {
        // TODO: replace the code below with a database call to get the roles.
        // For now it returns dummy roles.
        ArrayList<String> roleList = new ArrayList<String>();
        roleList.add("user");
        roleList.add("manager");
        return roleList;
    }
}
The error that I am getting is:
PLFED000092: Null Value: Destination is null, basically the role is null in this case. I traced and this CustomRoleGenerator doesn't get called.
I am questioning myself whether CustomRoleGenerator should be packaged at the SP level or the IDP level? After all, it looks like you can also define custom handlers in the IDP.
Any comments or any direction would be very helpful.
Thanks in advance,
Derek.
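An added example, not Derek's code and not PicketLink's own, of what the TODO in CustomRoleGenerator could become: a RoleGenerator that looks the roles up through a JNDI DataSource with a parameterised query, so the principal name handed over by the LDAP login module is never concatenated into SQL, and that returns an empty list rather than null when nothing is found. The JNDI name, the user_roles table and its columns are assumptions, and the interface is assumed to be org.picketlink.identity.federation.core.interfaces.RoleGenerator; try-with-resources needs Java 7.

```java
import java.security.Principal;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.sql.DataSource;
import org.picketlink.identity.federation.core.interfaces.RoleGenerator;

public class JdbcRoleGenerator implements RoleGenerator
{
    // Assumed JNDI name of a datasource defined in standalone.xml.
    private static final String DATASOURCE_JNDI = "java:jboss/datasources/RolesDS";
    // Assumed schema: user_roles(username, role). The principal name produced by the
    // LDAP login module is bound as a parameter, never concatenated into the SQL text.
    private static final String ROLE_QUERY =
        "SELECT role FROM user_roles WHERE username = ?";

    public List<String> generateRoles(Principal principal)
    {
        List<String> roles = new ArrayList<String>();
        if (principal == null || principal.getName() == null) {
            return roles; // empty list, not null
        }
        try {
            DataSource ds = (DataSource) new InitialContext().lookup(DATASOURCE_JNDI);
            // try-with-resources closes the connection and statement on every path.
            try (Connection conn = ds.getConnection();
                 PreparedStatement ps = conn.prepareStatement(ROLE_QUERY)) {
                ps.setString(1, principal.getName());
                try (ResultSet rs = ps.executeQuery()) {
                    while (rs.next()) {
                        String role = rs.getString(1);
                        if (role != null && !role.trim().isEmpty()) {
                            roles.add(role.trim());
                        }
                    }
                }
            }
        } catch (NamingException e) {
            throw new IllegalStateException("Datasource lookup failed: " + DATASOURCE_JNDI, e);
        } catch (SQLException e) {
            throw new IllegalStateException("Role lookup failed for " + principal.getName(), e);
        }
        return roles;
    }
}
```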