4 Replies Latest reply on Oct 1, 2007 3:50 PM by tl le

    Can not get user role from LDAP server

    tl le Newbie

      Hello,
      Following up my previous post about an LDAP connection error
      http://www.jboss.com/index.html?module=bb&op=viewtopic&t=119428
      I found the way to make it work. It turned out that Jboss portal somehow doesn't work well with ApacheDS (well, at least it doesn't work for me) so, I switch to OpenDS which worked pretty well for me. But there is a problem with jboss portal of pulling user info from LDAP such as role. Here is my configuration

      In my login-config.xml (This is the only place that I made changes to connect to the LDAP server)

      <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required" >
       <module-option name="unauthenticatedIdentity">guest</module-option>
       <module-option name="userModuleJNDIName">java:/portal/UserModule</module-option>
       <module-option name="roleModuleJNDIName">java:/portal/RoleModule</module-option>
       <module-option name="additionalRole">Authenticated</module-option>
       <module-option name="password-stacking">useFirstPass</module-option>
       <module-option name="defaultRole">User</module-option>
       <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
       <module-option name="java.naming.provider.url">ldap://localhost:389/</module-option>
       <module-option name="java.naming.security.authentication">simple</module-option>
       <module-option name="baseCtxDN">ou=People,o=test,dc=portal,dc=example,dc=com</module-option>
       <module-option name="baseFilter">(uid={0})</module-option>
       <module-option name="rolesCtxDN">ou=Roles,o=test,dc=portal,dc=example,dc=com</module-option>
       <module-option name="roleFilter">(member={1})</module-option>
       <module-option name="roleAttributeID">member</module-option>
       <module-option name="roleRecursion">-1</module-option>
       <module-option name="roleNameAttributeID">cn</module-option>
       <module-option name="roleAttributeIsDN">true</module-option>
       <module-option name="searchTimeLimit">5000</module-option>
       <module-option name="searchScope">SUBTREE_SCOPE</module-option>
       </login-module>
      


      I also created the "Authenticated" role and associated this role with all user names in the LDAP server. I was able to log in using username/passwork: jduke1/theduke (I was using the portal-sample-local.ldif from jboss)
      But when I tried to get the role for this user, I got some errors. Here are the codes that i used to get user role
      public String getUserRole(String username){
       String userrole = "";
       try{
       RoleModule module = (RoleModule)new InitialContext().lookup("java:portal/RoleModule");
       Role role = module.findRoleByName(username);
       userrole = role.getDisplayName();
       if(role != null){
       System.out.println("&**&*& Role is: " + userrole);
       }else{
       System.out.println("&*&*& Role is null");
       }
       }catch(Exception e){
       System.out.println("&*&*&* InitialContext error");
       }
       return userrole;
       }
      


      When those codes are executed, I got these errors:

      17:29:58,109 ERROR [HibernateRoleModuleImpl] Cannot find role by name jduke1
      org.hibernate.HibernateException: Unable to locate current JTA transaction
      at org.hibernate.context.JTASessionContext.currentSession(JTASessionCont
      ext.java:61)
      at org.hibernate.impl.SessionFactoryImpl.getCurrentSession(SessionFactor
      yImpl.java:544)
      at org.jboss.portal.identity.db.HibernateRoleModuleImpl.getCurrentSessio
      n(HibernateRoleModuleImpl.java:386)
      at org.jboss.portal.identity.db.HibernateRoleModuleImpl.findRoleByName(H
      ibernateRoleModuleImpl.java:101)
      at com.lmco.eagan.e2els.jboss.portlet.test.Users.getUserRole(Unknown Sou
      rce)
      at com.lmco.eagan.e2els.jboss.portlet.jsp.HelloWorldJSPPortlet.doView(Un
      known Source)
      at javax.portlet.GenericPortlet.doDispatch(GenericPortlet.java:133)
      at javax.portlet.GenericPortlet.render(GenericPortlet.java:306)
      at org.jboss.portal.portlet.impl.jsr168.PortletContainerImpl.invokeRende
      r(PortletContainerImpl.java:483)
      at org.jboss.portal.portlet.impl.jsr168.PortletContainerImpl.dispatch(Po
      rtletContainerImpl.java:405)
      at org.jboss.portal.portlet.container.PortletContainerInvoker$1.invoke(P
      ortletContainerInvoker.java:86)
      at org.jboss.portal.common.invocation.Invocation.invokeNext(Invocation.j
      ava:131)
      at org.jboss.portal.core.aspects.portlet.TransactionInterceptor.org$jbos
      s$portal$core$aspects$portlet$TransactionInterceptor$invokeNotSupported$aop(Tran
      sactionInterceptor.java:86)
      at org.jboss.portal.core.aspects.portlet.TransactionInterceptor$invokeNo
      tSupported_N4547270787964792031.invokeNext(TransactionInterceptor$invokeNotSuppo
      rted_N4547270787964792031.java)
      at org.jboss.aspects.tx.TxPolicy.invokeInNoTx(TxPolicy.java:66)
      at org.jboss.aspects.tx.TxInterceptor$NotSupported.invoke(TxInterceptor.
      java:112)
      at org.jboss.portal.core.aspects.portlet.TransactionInterceptor$invokeNo
      tSupported_N4547270787964792031.invokeNext(TransactionInterceptor$invokeNotSuppo
      rted_N4547270787964792031.java)
      at org.jboss.aspects.tx.TxPolicy.invokeInNoTx(TxPolicy.java:66)
      at org.jboss.aspects.tx.TxInterceptor$NotSupported.invoke(TxInterceptor.
      java:102)
      at org.jboss.portal.core.aspects.portlet.TransactionInterceptor$invokeNo
      tSupported_N4547270787964792031.invokeNext(TransactionInterceptor$invokeNotSuppo
      rted_N4547270787964792031.java)
      .....


      My question is: is there a way to get the user role from LDAP? Am I missing something in the codes above or is there anything else I should do?

      Your help is greatly appreciated

      Thanks,

      SGM

        • 1. Re: Can not get user role from LDAP server
          Boleslaw Dawidowicz Master

          Im really suprised that "org.jboss.security.auth.spi.LdapExtLoginModule" has something to do with options like "userModuleJNDIName" or "additionalRole". What is in your identity-config.xml? Did you read "LDAP" chapter in portal ReferenceGuide or tried to follow LDAP tutorial from blog?

          • 2. Re: Can not get user role from LDAP server
            tl le Newbie

            Hi,
            I changed the code in the login-config.xml a little bit to match the instruction in the wiki

            http://wiki.jboss.org/wiki/Wiki.jsp?page=UsingAnLDAPSourceForPortalAuthentication

            I did not modify the identity-config.xml. The login-config.xml is the only place that I made changes to

            <login-module code="org.jboss.portal.identity.auth.IdentityLoginModule" flag="sufficient">
             <module-option name="unauthenticatedIdentity">guest</module-option>
             <module-option name="userModuleJNDIName">java:/portal/UserModule</module-option>
             <module-option name="roleModuleJNDIName">java:/portal/RoleModule</module-option>
             <module-option name="additionalRole">Authenticated</module-option>
             <module-option name="password-stacking">useFirstPass</module-option>
             </login-module>
             <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required" >
             <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
             <module-option name="java.naming.provider.url">ldap://localhost:389/</module-option>
             <module-option name="java.naming.security.authentication">simple</module-option>
             <module-option name="baseCtxDN">ou=People,o=test,dc=portal,dc=example,dc=com</module-option>
             <module-option name="baseFilter">(uid={0})</module-option>
             <module-option name="rolesCtxDN">ou=Roles,o=test,dc=portal,dc=example,dc=com</module-option>
             <module-option name="roleFilter">(member={1})</module-option>
             <module-option name="roleAttributeID">member</module-option>
             <module-option name="roleRecursion">-1</module-option>
             <module-option name="roleNameAttributeID">cn</module-option>
             <module-option name="roleAttributeIsDN">true</module-option>
             <module-option name="searchTimeLimit">5000</module-option>
             <module-option name="searchScope">SUBTREE_SCOPE</module-option>
             </login-module>
            


            but I still get the same error when trying to get the user role with the same codes as posted above. This time when I enter username/password and hit enter key, there are some errors at first

            21:55:30,343 ERROR [STDERR] java.lang.NullPointerException
            21:55:30,343 ERROR [STDERR] at javax.naming.InitialContext.getURLScheme(Init
            ialContext.java:269)
            21:55:30,343 ERROR [STDERR] at javax.naming.InitialContext.getURLOrDefaultIn
            itCtx(InitialContext.java:318)
            21:55:30,343 ERROR [STDERR] at javax.naming.InitialContext.lookup(InitialCon
            text.java:392)
            21:55:30,343 ERROR [STDERR] at org.jboss.portal.identity.auth.IdentityLoginM
            odule.getUserProfileModule(IdentityLoginModule.java:127)
            21:55:30,343 ERROR [STDERR] at org.jboss.portal.identity.auth.IdentityLoginM
            odule$1.run(IdentityLoginModule.java:220)
            21:55:30,343 ERROR [STDERR] at org.jboss.portal.common.transaction.Transacti
            ons.apply(Transactions.java:219)
            21:55:30,343 ERROR [STDERR] at org.jboss.portal.common.transaction.Transacti
            ons.required(Transactions.java:289)
            .....


            I am really confused about the instruction in the reference guide as I went through those few times but haven't gained any success of connecting to LDAP server (in my case, OpenDS).
            I picked the solution in the wiki because it worked for me but now, I am stuck in getting user role straight out from the LDAP. Is there a way to get those roles?

            Thanks,

            SGM

            • 4. Re: Can not get user role from LDAP server
              tl le Newbie

              Thanks a million for the tutorials. It worked perfectly. I am now able to connect to LDAP server and retrieve the user role. Here is that I've done in case of other people would like to know how to do it
              1. Follow the instructions in those tutorials above for LDAP connection
              2. To retrieve user roles,
              2.1 add these codes into ldap_identity-config.xml

              <option-group>
               <group-name>common</group-name>
               <option>
               <name>userCtxDN</name>
               <value>ou=People,o=test,dc=portal,dc=example,dc=com</value>
               </option>
               <option>
               <name>roleCtxDN</name>
               <value>ou=Roles,o=test,dc=portal,dc=example,dc=com</value>
               </option>
               <option>
               <name>userSearchFilter</name>
               <value><![CDATA[(uid={0})]]></value>
               </option>
               <option>
               <name>roleSearchFilter</name>
               <value><![CDATA[(cn={0})]]></value>
               </option>
               <option>
               <name>membershipAttributeID</name>
               <value>member</value>
               </option>
              
               </option-group>
              



              <module>
               <!--type used to correctly map in IdentityContext registry-->
               <type>User</type>
               <implementation>LDAP</implementation>
               <class>org.jboss.portal.identity.ldap.LDAPExtUserModuleImpl</class>
               <config/>
               </module>
               <module>
               <type>Role</type>
               <implementation>LDAP</implementation>
               <class>org.jboss.portal.identity.ldap.LDAPExtRoleModuleImpl</class>
               <config/>
               </module>
               <module>
               <type>Membership</type>
               <implementation>LDAP</implementation>
               <class>org.jboss.portal.identity.ldap.LDAPStaticGroupMembershipModuleImpl</class>
               <config/>
               </module>
              


              2.2 Here are some codes that retrieve all roles associates with a specific username
              try{
               MembershipModule membershipmodule = (MembershipModule)new InitialContext().lookup("java:/portal/MembershipModule");
               User user = usermodule.findUserByUserName("Put_your_username_ here");
               Set roles = membershipmodule.getRoles(user);
               Iterator iter = roles.iterator();
               while(iter.hasNext()){
               role = (Role)iter.next();
               System.out.println("Role: " + role.getDisplayName());
              
               }
              }catch(Exception e){
               // Do something here
              }
              


              SGM