1. Re: LdapIdentityStore assumes roles are attributes of users ?
shane.bryzak Nov 2, 2008 10:58 AM (in response to matteg.gerry.matte.shaw.ca)
Sure, you can use groupOfNames. Just add it to the list of person classes (so it will be inetOrgPerson,groupOfNames) and then set the user role attribute to member. Then this attribute will contain a list of roles that the person is a member of.
2. Re: LdapIdentityStore assumes roles are attributes of users ?
matteg.gerry.matte.shaw.ca Nov 4, 2008 4:21 AM (in response to matteg.gerry.matte.shaw.ca)
Thanks for the suggestion Shane. I would not have thought to tell the identity store that groupOfNames was a valid user class. I assumed that only parent object types were allowed.
In any case, that didn't work ....
When I authenticate using JBoss LdapExtLoginModule with login-config.xml, both authentication and authorisation work flawlessly:
<application-policy name="IntranetLDAP">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
      <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
      <module-option name="java.naming.provider.url">ldap://127.0.0.1:389/</module-option>
      <module-option name="java.naming.security.authentication">simple</module-option>
      <module-option name="bindDN">cn=administrator,dc=dmsservices,dc=ca</module-option>
      <module-option name="bindCredential">admin1</module-option>
      <module-option name="baseCtxDN">ou=People,dc=dmsservices,dc=ca</module-option>
      <module-option name="baseFilter">(cn={0})</module-option>
      <module-option name="rolesCtxDN">ou=Webapp-Roles,ou=Groups,dc=dmsservices,dc=ca</module-option>
      <module-option name="roleFilter">(member={1})</module-option>
      <module-option name="uidAttributeID">member</module-option>
      <module-option name="roleAttributeID">cn</module-option>
      <module-option name="roleNameAttributeID">cn</module-option>
      <module-option name="roleAttributeIsDN">true</module-option>
      <module-option name="allowEmptyPasswords">false</module-option>
    </login-module>
  </authentication>
</application-policy>
Here is the components.xml that I use for my ldapIdentityStore (users authenticate but roles are not resolved correctly):
<security:ldap-identity-store name="ldapIdentityStore"
    server-address="127.0.0.1"
    user-context-DN="ou=People,dc=dmsservices,dc=ca"
    user-DN-prefix="cn="
    user-DN-suffix=",ou=People,dc=dmsservices,dc=ca"
    role-context-DN="ou=Webapp-Roles,ou=Groups,dc=dmsservices,dc=ca"
    role-DN-prefix="cn="
    role-DN-suffix=",ou=Webapp-Roles,ou=Groups,dc=dmsservices,dc=ca"
    bind-DN="cn=administrator,dc=dmsservices,dc=ca"
    bind-credentials="admin1"
    user-role-attribute="member"
    role-attribute-is-DN="true"
    first-name-attribute="givenName"
    full-name-attribute="displayName"
    role-name-attribute="cn"
    role-object-classes="groupOfNames"
    user-object-classes="inetOrgPerson,groupOfNames"
/>
I really cannot see why adding groupOfNames to user-object-classes would make a difference since groupOfNames is already specified in role-object-classes.
Testing with the role object class added to user-object-classes did not cause success on the role search.
I'm very aware that a minor typo such as a missing comma could be killing my configuration ...... any other ideas or suggestions ?
3. Re: LdapIdentityStore assumes roles are attributes of users ?
shane.bryzak Nov 4, 2008 4:52 AM (in response to matteg.gerry.matte.shaw.ca)
My apologies, I read your original post too quickly and missed the fact that the role to person mapping is inverse. Hmmm, someone requested such a feature in JIRA and at the time I rejected the issue as it didn't seem to be a very normalised model having the role contain a list of its members. However, from what you're saying it seems as though this might be quite standard for many LDAP servers. Could you please re-raise this issue in JIRA, and I'll make sure we add support for it in Seam 2.1.1.
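The two membership models that posts 2 and 3 contrast, worked through as an added example (this is not Seam or JBoss code and was not posted by anyone in the thread). It models a directory in memory: users under ou=People carry no role attribute, and roles are groupOfNames entries under ou=Webapp-Roles whose member attribute lists user DNs (the "inverse" mapping Shane refers to). Resolving roles by reading a role attribute from the user entry, the way the thread describes user-role-attribute working, returns nothing for such a user, while searching the role context with an equality filter on member, as LdapExtLoginModule's rolesCtxDN/roleFilter=(member={1}) does, finds them. The DNs reuse the thread's naming (dc=dmsservices,dc=ca) but every entry and value is constructed; the `memberof` attribute on one user is included only to show the forward model side by side.

```python
"""Role resolution under the two LDAP membership models discussed in the
thread: roles stored as an attribute of the user entry (forward) versus
groupOfNames entries that list their members (inverse).

Added illustration, not Seam or JBoss code. DIRECTORY is a constructed
in-memory stand-in for an LDAP server; the DNs reuse the thread's naming
but the entries themselves are invented.
"""
from dataclasses import dataclass


@dataclass
class Entry:
    dn: str
    attrs: dict  # lower-cased attribute name -> list of string values


def _norm(value):
    """Case- and whitespace-insensitive comparison key for DNs and names."""
    return ",".join(part.strip().lower() for part in value.split(","))


PEOPLE_CTX = "ou=People,dc=dmsservices,dc=ca"
ROLES_CTX = "ou=Webapp-Roles,ou=Groups,dc=dmsservices,dc=ca"

# Constructed sample directory. 'gerry' carries no role attribute at all;
# his roles exist only as 'member' values on group entries (inverse model).
# 'alice' additionally carries a memberOf attribute (forward model).
DIRECTORY = [
    Entry(f"cn=gerry,{PEOPLE_CTX}",
          {"objectclass": ["inetOrgPerson"], "cn": ["gerry"],
           "givenname": ["Gerry"], "displayname": ["Gerry Matte"]}),
    Entry(f"cn=alice,{PEOPLE_CTX}",
          {"objectclass": ["inetOrgPerson"], "cn": ["alice"],
           "memberof": [f"cn=viewer,{ROLES_CTX}"]}),
    Entry(f"cn=admin,{ROLES_CTX}",
          {"objectclass": ["groupOfNames"], "cn": ["admin"],
           "member": [f"cn=gerry,{PEOPLE_CTX}"]}),
    Entry(f"cn=editor,{ROLES_CTX}",
          {"objectclass": ["groupOfNames"], "cn": ["editor"],
           "member": [f"cn=gerry,{PEOPLE_CTX}", f"cn=alice,{PEOPLE_CTX}"]}),
    Entry(f"cn=viewer,{ROLES_CTX}",
          {"objectclass": ["groupOfNames"], "cn": ["viewer"],
           "member": [f"cn=alice,{PEOPLE_CTX}"]}),
]


def lookup(dn):
    """Base-scope read of a single entry by DN."""
    return next((e for e in DIRECTORY if _norm(e.dn) == _norm(dn)), None)


def search(base_dn, attr, value):
    """Subtree search below base_dn for entries whose attr equals value;
    a stand-in for an LDAP equality filter such as (member={1})."""
    suffix = "," + _norm(base_dn)
    return [e for e in DIRECTORY
            if _norm(e.dn).endswith(suffix)
            and any(_norm(v) == _norm(value) for v in e.attrs.get(attr.lower(), []))]


def find_user_dn(username, base_ctx_dn=PEOPLE_CTX):
    """Authentication step: baseCtxDN + baseFilter=(cn={0}) resolves the
    login name to exactly one DN (the password bind is out of scope here)."""
    hits = search(base_ctx_dn, "cn", username)
    return hits[0].dn if len(hits) == 1 else None


def roles_from_user_attribute(user_dn, user_role_attribute, role_name_attribute="cn"):
    """Forward model: read role DNs from the user's own entry (the way the
    thread describes Seam's user-role-attribute working) and map each DN
    to its role name. Returns [] when the user entry has no such attribute."""
    user = lookup(user_dn)
    if user is None:
        return []
    names = []
    for role_dn in user.attrs.get(user_role_attribute.lower(), []):
        role = lookup(role_dn)
        if role is not None:
            names.extend(role.attrs.get(role_name_attribute.lower(), []))
    return sorted(names)


def roles_from_group_membership(user_dn, roles_ctx_dn=ROLES_CTX,
                                role_filter_attribute="member",
                                role_name_attribute="cn"):
    """Inverse model: search the role context for groups whose member
    attribute contains the user's DN, as LdapExtLoginModule's
    rolesCtxDN + roleFilter=(member={1}) does, and return their names."""
    groups = search(roles_ctx_dn, role_filter_attribute, user_dn)
    return sorted(n for g in groups for n in g.attrs.get(role_name_attribute.lower(), []))


if __name__ == "__main__":
    dn = find_user_dn("gerry")
    print("user attribute lookup  :", roles_from_user_attribute(dn, "member"))  # []
    print("group membership search:", roles_from_group_membership(dn))          # ['admin', 'editor']
```

Run as a script it prints the empty list for the attribute lookup and the two group names for the membership search, which is the difference between the two configurations in post 2: the login module searches the role context, the identity store reads from the user entry.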
4. Re: LdapIdentityStore assumes roles are attributes of users ?
matteg.gerry.matte.shaw.ca Nov 4, 2008 5:50 AM (in response to matteg.gerry.matte.shaw.ca)
I'm happy to do so ..... except I'm embarrassed to say I don't know how to raise it in JIRA.
If you give me a clue as to how to start I'm happy to do the work since I'm asking for the new functionality ....
Thanks
Gerry Matte
6. Re: LdapIdentityStore assumes roles are attributes of users ?
atdavie Aug 1, 2011 10:19 AM (in response to matteg.gerry.matte.shaw.ca)
3 years on from this post and I am wondering what is going on. I am coming to the conclusion that this store dumbs down the normal LDAP handling too much and may not be useful.