8 Replies Latest reply on Feb 5, 2009 12:11 PM by glwittel-proofpoint

    Admin role ignored when fetched from LDAP

    olivsch7

      Hello everyone,

      I have configured JBoss Portal to use our LDAP's groups as portal roles. As groups don't differ from roles in our LDAP, this works very well except for one issue: I created the group "Admin" in the directory and assigned it to the user "olivsch7". When I log in with this user, JBoss Portal doesn't grant him the rights of the "Admin" group although it recognizes that he is a member of it. In other words, I can see in the portal user management that he is a user of the Admin/Administrators group, but "olivsch7" cannot access the admin portal. Users in the portal database (who are also members of "Admin") can access the admin portal. Unfortunately, the log files don't give me any information about this. This is an excerpt:

      2009-01-13 13:35:26,890 DEBUG [org.jboss.portal.identity.auth.SynchronizingLDAPExtLoginModule] $$Synchronizing user: olivsch7
      2009-01-13 13:35:26,890 DEBUG [org.jboss.portal.identity.auth.SynchronizingLDAPExtLoginModule] $$Role Group: Roles
      2009-01-13 13:35:26,890 DEBUG [org.jboss.portal.identity.auth.SynchronizingLDAPExtLoginModule] $$Principal in group: admin; admin
      2009-01-13 13:35:26,890 DEBUG [org.hibernate.jdbc.JDBCContext] successfully registered Synchronization
      2009-01-13 13:35:26,890 DEBUG [org.hibernate.impl.SessionImpl] opened session at timestamp: 5045658119741440
      2009-01-13 13:35:26,890 DEBUG [org.hibernate.engine.query.QueryPlanCache] unable to locate HQL query plan in cache; generating (from HibernateUserImpl where userName=:userName)
      2009-01-13 13:35:26,890 DEBUG [org.hibernate.hql.ast.QueryTranslatorImpl] parse() - HQL: from org.jboss.portal.identity.db.HibernateUserImpl where userName=:userName
      2009-01-13 13:35:26,890 DEBUG [org.hibernate.hql.ast.AST] --- HQL AST ---
       \-[QUERY] 'query'
       +-[SELECT_FROM] 'SELECT_FROM'
       | \-[FROM] 'from'
       | \-[RANGE] 'RANGE'
       | \-[DOT] '.'
       | +-[DOT] '.'
       | | +-[DOT] '.'
       | | | +-[DOT] '.'
       | | | | +-[DOT] '.'
       | | | | | +-[IDENT] 'org'
       | | | | | \-[IDENT] 'jboss'
       | | | | \-[IDENT] 'portal'
       | | | \-[IDENT] 'identity'
       | | \-[IDENT] 'db'
       | \-[IDENT] 'HibernateUserImpl'
       \-[WHERE] 'where'
       \-[EQ] '='
       +-[IDENT] 'userName'
       \-[COLON] ':'
       \-[IDENT] 'userName'
      
      2009-01-13 13:35:26,890 DEBUG [org.hibernate.hql.ast.ErrorCounter] throwQueryException() : no errors


      I'm really clueless about this because when I configure the portal to use our LDAP's roles (instead of groups), it works. Do you have a clue?

      Thank you very much in advance!

      Kind regards
      Oliver

        • 1. Re: Admin role ignored when fetched from LDAP
          glwittel-proofpoint

          I have a similar problem, except that the portal won't recognize the admin role when the LDAP server is using roles (vs. groups). Any chance you can pass on your working role configuration?

          Thanks,
          -Greg

          • 2. Re: Admin role ignored when fetched from LDAP
            olivsch7

            Hello,

            yes, I can. But you'll see that the configuration is disappointingly simple ;-):

            <login-module code="org.jboss.portal.identity.auth.SynchronizingLDAPExtLoginModule" flag="sufficient">
             <module-option name="synchronizeIdentity">true</module-option>
             <module-option name="synchronizeRoles">true</module-option>
             <module-option name="preserveRoles">false</module-option>
             <module-option name="additionalRole">Authenticated</module-option>
             <module-option name="defaultAssignedRole">User</module-option>
             <module-option name="userModuleJNDIName">java:/portal/UserModule</module-option>
             <module-option name="roleModuleJNDIName">java:/portal/RoleModule</module-option>
             <module-option name="membershipModuleJNDIName">java:/portal/MembershipModule</module-option>
             <module-option name="userProfileModuleJNDIName">java:/portal/UserProfileModule</module-option>
             <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
             <module-option name="java.naming.provider.url">ldap://address:389/</module-option>
             <module-option name="java.naming.security.authentication">simple</module-option>
             <module-option name="bindDN">cn=Directory Manager</module-option>
             <module-option name="bindCredential"></module-option>
             <module-option name="baseCtxDN">ou=People,o=boschrexroth</module-option>
             <module-option name="baseFilter">(uid={0})</module-option>
             <module-option name="rolesCtxDN">ou=Roles,o=boschrexroth</module-option>
             <module-option name="roleFilter">(member={1})</module-option>
             <module-option name="roleAttributeID">cn</module-option>
            
             <module-option name="roleRecursion">-1</module-option>
             <module-option name="searchTimeLimit">10000</module-option>
             <module-option name="searchScope">SUBTREE_SCOPE</module-option>
             <module-option name="allowEmptyPasswords">false</module-option>
             </login-module>
            
             <login-module code="org.jboss.portal.identity.auth.IdentityLoginModule" flag="sufficient">
             <module-option name="unauthenticatedIdentity">guest</module-option>
             <module-option name="userModuleJNDIName">java:/portal/UserModule</module-option>
             <module-option name="roleModuleJNDIName">java:/portal/RoleModule</module-option>
             <module-option name="userProfileModuleJNDIName">java:/portal/UserProfileModule</module-option>
             <module-option name="membershipModuleJNDIName">java:/portal/MembershipModule</module-option>
             <module-option name="validateUserNameCase">true</module-option>
             <module-option name="additionalRole">Authenticated</module-option>
             </login-module>


            Although it's no problem to use roles instead of groups, this issue should be covered anyhow. Well, let's see what we can find out.


            • 3. Re: Admin role ignored when fetched from LDAP
              olivsch7

              I just had the idea that it might be useful to know which kind of LDAP we use. For me, it's Sun's Java System Directory Server.

              Kind regards

              Oliver

              • 4. Re: Admin role ignored when fetched from LDAP
                glwittel-proofpoint

                Hi Oliver,

                I am also using SunDS 6.3 (with OpenSSO schema). I'm using the LDAP identity module instead of the SyncLDAP module.

                I found that there was a bug in JBoss where it wasn't retrieving LDAP roles correctly:
                https://jira.jboss.org/jira/browse/JBPORTAL-2282
                In order to trace the bug I had to add a lot of logging to the LDAP module before I figured out what was going on.

                Unfortunately, after fixing the bug, the admin role was still ignored by the portal. I haven't been able to trace it further yet to see what might be the cause. I will update if I find anything.

                • 5. Re: Admin role ignored when fetched from LDAP
                  glwittel-proofpoint

                  Hi Oliver,

                  I think I found the problem (at least on my end). It looks like something has a hardcoded case-sensitive role 'Admin'. I tested this by creating a role 'admin' and adding a user to it. It was ignored. When I deleted 'admin' from LDAP and added the role 'Admin', the dashboard showed up. Based on your log it looks like you have an 'admin' group.

                  This sounds like a bug. It's rather annoying, as I was hoping to use an alternate role name (e.g. portaladmin). The documentation indicates that you can do this, but it doesn't work. Furthermore, it looks like there are many XML files that associate directly with the role 'Admin'. I tried changing all config files to use my alternate admin name and still could not get the CMS admin dashboard to show.

                  I found several fixed Portal bugs surrounding the hardcoded Admin role, but it's clear that it's not fully fixed.
                  e.g.
                  https://jira.jboss.org/jira/browse/JBPORTAL-1733

                  -Greg
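A quick way to check for the case mismatch Greg describes, added here as an example (it is not code from the thread or from JBoss Portal). LDAP matches cn values case-insensitively, while the portal, as this post reports, treats "admin" and "Admin" as different roles, so the only reliable check is an exact string comparison against what the role search actually returns. The script reads LDIF on stdin, as ldapsearch would print it for the rolesCtxDN/roleFilter/roleAttributeID from Oliver's configuration (the ldapsearch invocation in the comment is an assumed one and is not run); the embedded LDIF is constructed sample data that mirrors the lower-case "admin" group in Oliver's log, and the default attribute cn is the roleAttributeID from that config:

```shell
#!/bin/sh
# Added example (not from the thread or from JBoss Portal): check whether the
# role names an LDAP role search returns match the portal's role names with
# exact case. LDAP matches cn case-insensitively, but the portal, as the thread
# reports, treats "admin" and "Admin" as different roles.

# Constructed sample LDIF, shaped like the output of the assumed query below,
# which mirrors rolesCtxDN / roleFilter / roleAttributeID from the posted config
# and the lower-case "admin" group seen in Oliver's log (not run here):
#   ldapsearch -LLL -x -H ldap://address:389 -D "cn=Directory Manager" -W \
#     -b "ou=Roles,o=boschrexroth" \
#     "(member=uid=olivsch7,ou=People,o=boschrexroth)" cn
SAMPLE_LDIF='dn: cn=admin,ou=Roles,o=boschrexroth
cn: admin

dn: cn=User,ou=Roles,o=boschrexroth
cn: User
'

# Print the values of the role attribute (default cn, the roleAttributeID in the
# thread's config) from LDIF on stdin. Base64 "cn::" lines are not decoded.
ldif_role_names() {
    sed -n "s/^${1:-cn}: //p"
}

lower() {
    printf '%s' "$1" | tr '[:upper:]' '[:lower:]'
}

# check_role_case EXPECTED [ATTR]: reads LDIF on stdin and prints one of
#   exact          an entry carries EXPECTED with identical case
#   case-mismatch  an entry carries EXPECTED but with different case
#   missing        no entry carries EXPECTED at all
# Exit status is 0 only for "exact", so it can be used in a test.
check_role_case() {
    expected="$1"
    attr="${2:-cn}"
    ldif=$(cat)
    verdict="missing"
    while IFS= read -r name; do
        [ -n "$name" ] || continue
        if [ "$name" = "$expected" ]; then
            verdict="exact"
            break
        fi
        if [ "$(lower "$name")" = "$(lower "$expected")" ]; then
            verdict="case-mismatch"
        fi
    done <<EOF
$(printf '%s\n' "$ldif" | ldif_role_names "$attr")
EOF
    printf '%s\n' "$verdict"
    [ "$verdict" = "exact" ]
}

# Stand-alone run: the roles the portal expects by default are Admin and User.
for role in Admin User; do
    printf '%s: ' "$role"
    printf '%s' "$SAMPLE_LDIF" | check_role_case "$role" || :
done
```

Run against the sample it prints "Admin: case-mismatch" and "User: exact", which is exactly the situation in Oliver's log: the membership is found, but under a name the portal's hardcoded comparison does not accept. Pipe real ldapsearch output into check_role_case to test a live directory.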

                  • 6. Re: Admin role ignored when fetched from LDAP
                    bdaw

                     

                    "glwittel-proofpoint" wrote:

                    I found several fixed Portal bugs surrounding the hardcoded Admin role, but its clear that its not fully fixed.
                    e.g.
                    https://jira.jboss.org/jira/browse/JBPORTAL-1733


                    Greg,

                    I tried and it seems to work fine. I used LDAP with:
                    Roles:
                    - PortalAdmin (contains portaladmin)
                    - PortalUser (contains portaladmin, portaluser)
                    Users:
                    - portaluser
                    - portaladmin

                    Tested with the 2.7.1 bundle. You are correct that the wiki is missing a few configuration files, but I managed to find all needed occurrences with two simple commands:

                    find . -name "*.xml" |xargs grep ">Admin<"
                    find . -name "*.xml" |xargs grep ">User<"
                    


                    Here is a list of files I edited in a bundle to change those default roles and use LDAP. All of the paths are relative to jboss-portal.sar:

                    ./META-INF/jboss-service.xml
                    ./conf/identity/ldap_identity-config.xml
                    ./portal-wsrp.sar/portal-wsrp-admin.war/WEB-INF/wsrp-object.xml
                    ./portal-wsrp.sar/portal-wsrp-admin.war/WEB-INF/portlet-instances.xml
                    ./portal-admin.sar/portal-admin.war/WEB-INF/portlet-instances.xml
                    ./conf/data/default-object.xml
                    ./conf/identity/standardidentity-config.xml
                    ./portal-core.war/WEB-INF/portlet-instances.xml
                    ./portal-cms.sar/META-INF/jboss-service.xml
                    ./portal-cms.sar/portal-cms.war/WEB-INF/portlet-instances.xml
                    ./portal-identity.sar/portal-identity.war/WEB-INF/portlet-instances.xml
                    ./portal-identity.sar/conf/identity-ui-configuration.xml


                    Actually, a few of those changes are probably unnecessary, but it is a very quick list...
                    Dashboard, dashboard configuration and Admin portal were showing up.

                    • 7. Re: Admin role ignored when fetched from LDAP
                      olivsch7

                      Thanks, Boleslav!

                      I think this will solve my issue. Have a nice weekend.

                      Kind regards

                      Oliver

                      • 8. Re: Admin role ignored when fetched from LDAP
                        glwittel-proofpoint

                        Thanks Boleslaw,

                        When I originally tried this on my last post it did not work. I tried again and it still didn't. However, I came across a document:
                        http://www.jboss.org/community/docs/DOC-9821
                        that indicated I might have to delete the Portal databases (Hypersonic and CMS) under default/data/portal/. After stopping the server, removing default/data/portal and restarting, the renamed admin roles worked.

                        In case others get stuck: with the find commands, you only want to change the role-related XML elements, and not

                        <type>User</type>
                        fields, as the type ones refer to objects and not roles.

                        Perhaps the Portal documentation needs a more complete howto? Or better yet, a single place where the default roles Admin and User can be globally renamed.

                        -Greg
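The two find | grep commands from Boleslaw's post, combined with the caveat in Greg's last post that <type>User</type> names an object type and must not be renamed, as an added example (not code from the thread or from JBoss Portal). The script lists every XML element whose text is exactly the role name, skipping <type> elements, and renames a role in place with the same exclusion. So that it runs offline it first builds a constructed miniature of the SAR tree: the two file names come from Boleslaw's list, but their contents are assumed, with <role-name> standing in for whatever elements carry the role name in the real bundle:

```shell
#!/bin/sh
# Added example (not from the thread or from JBoss Portal): find and rename the
# default role names in a jboss-portal.sar tree the way Boleslaw's find|grep
# does, but skip <type>User</type>, which Greg notes names an object type, not
# a role.

# Build a constructed miniature of the SAR layout so the script runs offline.
# File names follow the list in the thread; the contents are assumed, with
# <role-name> standing in for the elements whose text is the role name.
make_sample_tree() {
    root="$1"
    mkdir -p "$root/conf/data" "$root/portal-identity.sar/conf"
    cat > "$root/conf/data/default-object.xml" <<'EOF'
<deployments>
  <security-constraint>
    <policy-permission>
      <role-name>Admin</role-name>
      <action-name>view</action-name>
    </policy-permission>
    <policy-permission>
      <role-name>User</role-name>
      <action-name>view</action-name>
    </policy-permission>
  </security-constraint>
</deployments>
EOF
    cat > "$root/portal-identity.sar/conf/identity-ui-configuration.xml" <<'EOF'
<identity-ui-configuration>
  <ui-component>
    <type>User</type>
    <role-name>Admin</role-name>
  </ui-component>
</identity-ui-configuration>
EOF
}

# list_role_refs DIR ROLE: print file:line:text for every XML element whose
# text is exactly ROLE, except <type>ROLE</type>. /dev/null is passed to grep
# so the file name is always printed, even when only one file matches.
list_role_refs() {
    find "$1" -name '*.xml' -print0 \
        | xargs -0 grep -n ">$2<" /dev/null \
        | grep -v "<type>$2</type>"
}

# count_role_refs DIR ROLE: number of lines list_role_refs would print.
count_role_refs() {
    list_role_refs "$1" "$2" | wc -l | tr -d ' '
}

# rename_role DIR OLD NEW: rewrite >OLD< to >NEW< in place, leaving lines that
# hold <type>OLD</type> untouched. Files are rewritten through a temporary copy
# because "sed -i" is not portable. A line holding both a <type> and a role
# element would be skipped whole; the sample files keep them on separate lines.
rename_role() {
    dir="$1"; old="$2"; new="$3"
    find "$dir" -name '*.xml' -print0 \
        | xargs -0 grep -l ">$old<" /dev/null \
        | while IFS= read -r f; do
            sed "/<type>$old<\/type>/!s/>$old</>$new</g" "$f" > "$f.tmp" \
                && mv "$f.tmp" "$f"
        done
}

# Stand-alone run on the constructed tree; against a real bundle, point DIR at
# jboss-portal.sar, then clear default/data/portal as Greg's last post says.
demo=$(mktemp -d)
make_sample_tree "$demo"
echo "== Admin before rename =="
list_role_refs "$demo" Admin
rename_role "$demo" Admin PortalAdmin
rename_role "$demo" User PortalUser
echo "== PortalAdmin / PortalUser after rename =="
list_role_refs "$demo" PortalAdmin
list_role_refs "$demo" PortalUser
echo "== <type>User</type> kept =="
grep -rn "<type>User</type>" "$demo"
rm -rf "$demo"
```

Review the list_role_refs output before running rename_role on a real bundle, since the real files may carry the role name in elements the constructed sample does not show; and, per Greg's post, stop the server and remove default/data/portal afterwards, or the old role names persist in the Hypersonic and CMS databases.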