0 Replies Latest reply on Oct 25, 2014 11:46 AM by ed_mann

    LDAP multiple OU authentication

    ed_mann

      I am trying to authenticate users that are in two different OUs. What I have is something like the following.

       

      CN=mann\, ed,OU=IL,OU=Users,OU=User Accounts,DC=example,DC=org

      CN=user\, chris,OU=FL,OU=Users,OU=User Accounts,DC=example,DC=org

       

      I can find the user account; however, when the authentication happens, what is being passed is

      CN=mann\, ed,OU=Users,OU=User Accounts,DC=example,DC=org

       

      I am using PicketLink 2.7.0.CR1 and configuring LDAP using IdentityConfigurationBuilder. Code is below.

       

      // Imports for the PicketLink 2.7 IDM API and the LDAPConstants used below
      // (CN, SN, EMAIL, CREATE_TIMESTAMP). ldapConfig holds the LDAP settings and
      // is defined elsewhere in the application.
      import static org.picketlink.idm.ldap.internal.LDAPConstants.CN;
      import static org.picketlink.idm.ldap.internal.LDAPConstants.CREATE_TIMESTAMP;
      import static org.picketlink.idm.ldap.internal.LDAPConstants.EMAIL;
      import static org.picketlink.idm.ldap.internal.LDAPConstants.SN;

      import org.picketlink.idm.config.IdentityConfigurationBuilder;
      import org.picketlink.idm.model.basic.Agent;
      import org.picketlink.idm.model.basic.Grant;
      import org.picketlink.idm.model.basic.Group;
      import org.picketlink.idm.model.basic.GroupMembership;
      import org.picketlink.idm.model.basic.Role;
      import org.picketlink.idm.model.basic.User;

      IdentityConfigurationBuilder builder = new IdentityConfigurationBuilder();

      builder.named("default").stores().ldap().supportAllFeatures()
              .baseDN(ldapConfig.getBaseDn())
              .activeDirectory(true)
              .bindDN(ldapConfig.getBindDn())
              .bindCredential(ldapConfig.getBindPassword())
              .url(ldapConfig.getUrl())
              // Agents: the CN is the login name and also the identifier
              .mapping(Agent.class)
                  .baseDN(ldapConfig.getAgentDnSuffix())
                  .objectClasses("user")
                  .attribute("loginName", CN, true)
                  .readOnlyAttribute("createdDate", CREATE_TIMESTAMP)
              // Users: login via sAMAccountName, CN used as identifier
              .mapping(User.class)
                  .baseDN(ldapConfig.getUserDnSuffix())
                  .parentMapping(CN, ldapConfig.getUserDnSuffix())
                  .objectClasses("user")
                  .attribute("loginName", "samAccountName", false)
                  .attribute("firstName", CN, true)
                  .attribute("lastName", SN)
                  .attribute("email", EMAIL)
                  .readOnlyAttribute("createdDate", CREATE_TIMESTAMP)
              // Groups
              .mapping(Group.class)
                  .baseDN(ldapConfig.getGroupDnSuffix())
                  .objectClasses("group")
                  .attribute("name", CN, true)
                  .readOnlyAttribute("createdDate", CREATE_TIMESTAMP)
              // Role grants and group memberships are both read from "member"
              .mapping(Grant.class)
                  .forMapping(Role.class)
                  .attribute("assignee", "member")
              .mapping(GroupMembership.class)
                  .forMapping(Group.class)
                  .attribute("member", "member");

       

      I noticed in class LDAPPlainTextPasswordCredentialHandler.java, line 55:

      String bindingDN = ldapIdentityStore.getBindingDN(account, true);

      it's not using the account at all to get the correct path to help authenticate the users with. It's getting the baseDN; I was thinking that would be used as a base to start the search, but it now looks like it uses that to build the DN to authenticate the user.

      Is there a way I can authenticate both OUs?

       

      Thanks for any help.

       

      On another note, I have patched the system to fix [PLINK-555] LDAPIdentityStore.getBindingDN returns incorrect value if there are commas in the bindingAttribute - JBoss I… My changes cover both authenticating users and also matching groups. All unit tests pass with my changes and I didn't need to alter the tests in any way. I plan on committing my code to my fork of PicketLink on GitHub and posting a patch set to the ticket.
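The two problems in this post (a bind DN assembled from the configured base DN plus the CN instead of the DN the search actually returned, and the comma escaping behind PLINK-555) are illustrated below in an added example that is not from the thread or from PicketLink. It models a subtree search and both ways of deriving the bind DN over an in-memory stand-in for the two entries above; the sAMAccountName values and all function names are constructed for the example.

```python
import re

# RFC 4514: characters that must be escaped inside a DN attribute value.
_DN_SPECIAL = re.compile(r'([,+"\\<>;=])')

def escape_dn_value(value: str) -> str:
    """Escape one attribute value for use inside a DN, e.g. 'mann, ed' -> 'mann\\, ed'."""
    escaped = _DN_SPECIAL.sub(r'\\\1', value)
    if escaped.startswith(('#', ' ')):
        escaped = '\\' + escaped
    if escaped.endswith(' '):
        escaped = escaped[:-1] + '\\ '
    return escaped

def search_filter(login: str) -> str:
    """Build the sAMAccountName filter with RFC 4515 escaping so the login
    value cannot change the structure of the filter sent to the server."""
    escaped = ''.join(f'\\{ord(c):02x}' if c in '*()\\\x00' else c for c in login)
    return f'(sAMAccountName={escaped})'

# Constructed in-memory directory modelled on the two entries in the post;
# the sAMAccountName values are made up for the example.
DIRECTORY = {
    'CN=mann\\, ed,OU=IL,OU=Users,OU=User Accounts,DC=example,DC=org': {'sAMAccountName': 'emann'},
    'CN=user\\, chris,OU=FL,OU=Users,OU=User Accounts,DC=example,DC=org': {'sAMAccountName': 'cuser'},
}
BASE_DN = 'OU=Users,OU=User Accounts,DC=example,DC=org'

def naive_bind_dn(base_dn: str, cn: str) -> str:
    """The behaviour described in the post: the bind DN is assembled from the
    configured base DN plus the CN, so a user living in a sub-OU gets a DN
    that does not exist in the directory and the bind fails."""
    return f'CN={escape_dn_value(cn)},{base_dn}'

def subtree_search(directory: dict, base_dn: str, login: str) -> list:
    """Stand-in for an LDAP subtree search under base_dn; a real client would send
    search_filter(login). Returns matching DNs, as getNameInNamespace() does over JNDI."""
    return [dn for dn, attrs in directory.items()
            if dn.endswith(',' + base_dn) and attrs.get('sAMAccountName') == login]

def resolve_bind_dn(directory: dict, base_dn: str, login: str):
    """Search-then-bind: authenticate with the DN the directory returned for the
    login. Zero or several matches are rejected instead of guessed at."""
    matches = subtree_search(directory, base_dn, login)
    return matches[0] if len(matches) == 1 else None
```

Run against the constructed directory, naive_bind_dn yields exactly the non-existent "CN=mann\, ed,OU=Users,..." DN quoted in the post, while resolve_bind_dn returns the real entry under OU=IL.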