6 Replies Latest reply on Aug 1, 2011 10:19 AM by atdavie

    LdapIdentityStore assumes roles are attributes of users ?

    matteg.gerry.matte.shaw.ca

      I was very pleased to see the new LdapIdentityStore.  It looks to be a powerful and highly flexible identity store. 


      However, as I tried to configure it to match my ldap server directory tree, I discovered (I think) that the LdapIdentityStore assumes that user roles can be stored as an attribute of a user object.


      My open ldap server stores users as objects of type inetOrgPerson as defined in RFC2798.  There is no available attribute for a list of roles as defined by the configuration property user-role-attribute on page 262 of the seam user guide.


      Also, the configuration property user-object-classes suggests default values of person, uidObject.  Neither of these objects has a defined attribute that is suitable to hold a list of roles.


      Consequently I was able to use LdapIdentityStore for Authentication but not for Authorisation (roles).


      Most examples of ldap trees seem to use an object type groupOfNames to store roles.  That object then keeps multiple member attributes whose value is the dn of the users who can hold that role.


      Because I've been using the JBoss LdapExtLoginModule for container based JAAS security, I was able to configure SEAM to use container based security as described in section 15.3.9.1.


      However, I'd still like to use LdapIdentityStore because it would allow me to redesign my directory tree.

        • 1. Re: LdapIdentityStore assumes roles are attributes of users ?
          shane.bryzak

          Sure, you can use groupOfNames.  Just add it to the list of person classes (so it will be inetOrgPerson,groupOfNames) and then set the user role attribute to member.  Then this attribute will contain a list of roles that the person is a member of.

          • 2. Re: LdapIdentityStore assumes roles are attributes of users ?
            matteg.gerry.matte.shaw.ca
            Thanks for the suggestion Shane.  I would not have thought to tell the identity store that groupOfNames was a valid user class.  I assumed that only parent object types were allowed.

            In any case, that didn't work ....

            When I authenticate using JBoss LdapExtLoginModule with login-config.xml, both authentication and authorisation work flawlessly:
                <application-policy name="IntranetLDAP">
                  <authentication>
                    <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
                      <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
                      <module-option name="java.naming.provider.url">ldap://127.0.0.1:389/</module-option>
                      <module-option name="java.naming.security.authentication">simple</module-option>
                      <module-option name="bindDN">cn=administrator,dc=dmsservices,dc=ca</module-option>
                      <module-option name="bindCredential">admin1</module-option>
                      <module-option name="baseCtxDN">ou=People,dc=dmsservices,dc=ca</module-option>
                      <module-option name="baseFilter">(cn={0})</module-option>
                      <module-option name="rolesCtxDN">ou=Webapp-Roles,ou=Groups,dc=dmsservices,dc=ca</module-option>
                      <module-option name="roleFilter">(member={1})</module-option>
                      <module-option name="uidAttributeID">member</module-option>
                      <module-option name="roleAttributeID">cn</module-option>
                      <module-option name="roleNameAttributeID">cn</module-option>
                      <module-option name="roleAttributeIsDN">true</module-option>
                      <module-option name="allowEmptyPasswords">false</module-option>
                    </login-module>
                  </authentication>
                </application-policy>
             
            Here is the components.xml that I use for my ldapIdentityStore (users authenticate but roles are not resolved correctly)
              
               <security:ldap-identity-store name="ldapIdentityStore"
                  server-address="127.0.0.1"
                  user-context-DN="ou=People,dc=dmsservices,dc=ca"
                  user-DN-prefix="cn="
                  user-DN-suffix=",ou=People,dc=dmsservices,dc=ca"
                  role-context-DN="ou=Webapp-Roles,ou=Groups,dc=dmsservices,dc=ca"
                  role-DN-prefix="cn="
                  role-DN-suffix=",ou=Webapp-Roles,ou=Groups,dc=dmsservices,dc=ca"
                  bind-DN="cn=administrator,dc=dmsservices,dc=ca"
                  bind-credentials="admin1"
                  user-role-attribute="member"
                  role-attribute-is-DN="true"
                  first-name-attribute="givenName"
                  full-name-attribute="displayName"
                  role-name-attribute="cn"
                  role-object-classes="groupOfNames"
                  user-object-classes="inetOrgPerson,groupOfNames"
                  />

            I really can not see why adding groupOfNames to user-object-classes would make a difference since groupOfNames is already specified in role-object-classes

            Testing with the role object class added to user-object-class did not cause success on the role search.

            I'm very aware that a minor typo such as a missing comma could be killing my configuration ......  any other ideas or suggestions ?
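The two posts above contrast two ways of modelling roles: roles stored as an attribute on the user entry (what the identity store expects) versus groupOfNames entries whose member attribute lists user DNs (what the LdapExtLoginModule's rolesCtxDN/roleFilter pair searches). The following is an added example, not code from the Seam project or from anyone in this thread. It resolves a user's roles under both layouts against a constructed in-memory directory (dc=example,dc=org, invented entries; the `roles` attribute used for the first layout is a hypothetical stand-in, since inetOrgPerson defines no such attribute), and builds the `(member={1})`-style filter with RFC 4515 escaping applied to the substituted DN.

```python
"""Resolve a user's roles under the two LDAP layouts the thread contrasts.

Added example, not code from the Seam project or from anyone in this thread.
The directory below is a constructed, in-memory stand-in for an LDAP server
(dc=example,dc=org); the DNs and attribute values are invented.
"""

# LDAP attribute values are multi-valued, so every value is a list.
DIRECTORY = {
    "cn=gerry,ou=People,dc=example,dc=org": {
        "objectClass": ["inetOrgPerson"],
        "cn": ["gerry"],
        "displayName": ["Gerry Matte"],
    },
    "cn=alice,ou=People,dc=example,dc=org": {
        "objectClass": ["inetOrgPerson"],
        "cn": ["alice"],
        # Layout A: role DNs listed directly on the user entry. The "roles"
        # attribute is hypothetical; standard inetOrgPerson has no such attribute.
        "roles": ["cn=user,ou=Webapp-Roles,ou=Groups,dc=example,dc=org"],
    },
    # Layout B: groupOfNames entries under the roles context; each role lists
    # the DNs of its members, so the mapping runs from role to user.
    "cn=admin,ou=Webapp-Roles,ou=Groups,dc=example,dc=org": {
        "objectClass": ["groupOfNames"],
        "cn": ["admin"],
        "member": ["cn=gerry,ou=People,dc=example,dc=org"],
    },
    "cn=user,ou=Webapp-Roles,ou=Groups,dc=example,dc=org": {
        "objectClass": ["groupOfNames"],
        "cn": ["user"],
        "member": [
            "cn=gerry,ou=People,dc=example,dc=org",
            "cn=alice,ou=People,dc=example,dc=org",
        ],
    },
}

ROLES_CTX_DN = "ou=Webapp-Roles,ou=Groups,dc=example,dc=org"


def _same_dn(a, b):
    """Case-insensitive DN comparison (a real server normalises further)."""
    return a.strip().lower() == b.strip().lower()


def _under(dn, base_dn):
    """True if dn lies in the subtree below base_dn (excluding base_dn itself)."""
    return dn.lower().endswith("," + base_dn.lower())


def escape_filter_value(value):
    """RFC 4515 escaping for a value substituted into an LDAP search filter.
    A DN that replaces the {1} in a roleFilter such as (member={1}) must be
    escaped first; otherwise '*', '(' or ')' in the value changes the filter."""
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def build_role_filter(user_dn, member_attr="member"):
    """The search filter a role-to-user lookup sends under layout B."""
    return "(&(objectClass=groupOfNames)(%s=%s))" % (
        member_attr, escape_filter_value(user_dn))


def roles_from_user_attribute(directory, user_dn, role_attr="roles",
                              role_name_attr="cn"):
    """Layout A: the user entry carries role DNs; resolve each DN's name."""
    entry = directory.get(user_dn, {})
    names = []
    for role_dn in entry.get(role_attr, []):
        role_entry = directory.get(role_dn)
        if role_entry:
            names.extend(role_entry.get(role_name_attr, []))
    return sorted(names)


def roles_from_group_membership(directory, user_dn, roles_ctx_dn=ROLES_CTX_DN,
                                member_attr="member", role_name_attr="cn"):
    """Layout B: scan the roles context for groupOfNames entries whose
    member attribute contains the user's DN and return their names."""
    names = []
    for dn, attrs in directory.items():
        if not _under(dn, roles_ctx_dn):
            continue
        if "groupOfNames" not in attrs.get("objectClass", []):
            continue
        if any(_same_dn(m, user_dn) for m in attrs.get(member_attr, [])):
            names.extend(attrs.get(role_name_attr, []))
    return sorted(names)


if __name__ == "__main__":
    gerry = "cn=gerry,ou=People,dc=example,dc=org"
    print(build_role_filter(gerry))
    print("layout A:", roles_from_user_attribute(DIRECTORY, gerry))    # []
    print("layout B:", roles_from_group_membership(DIRECTORY, gerry))  # ['admin', 'user']
```

For the constructed user gerry, the user-attribute lookup returns nothing (the entry has no role attribute, which is the failure the thread describes), while the group-membership search returns admin and user. The escaping in `escape_filter_value` is the check worth keeping whenever a DN or username from a login form is substituted into a filter template.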


            • 3. Re: LdapIdentityStore assumes roles are attributes of users ?
              shane.bryzak

              My apologies, I read your original post too quickly and missed the fact that the role to person mapping is inverse.  Hmmm, someone requested such a feature in JIRA and at the time I rejected the issue as it didn't seem to be a very normalised model having the role contain a list of its members.  However, from what you're saying it seems as though this might be quite standard for many LDAP servers.  Could you please re-raise this issue in JIRA, and I'll make sure we add support for it in Seam 2.1.1.

              • 4. Re: LdapIdentityStore assumes roles are attributes of users ?
                matteg.gerry.matte.shaw.ca

                I'm happy to do so ..... except I'm embarrassed to say I don't know how to raise it in JIRA.
                If you give me a clue as to how to start I'm happy to do the work since I'm asking for the new functionality ....


                Thanks
                Gerry Matte

                • 6. Re: LdapIdentityStore assumes roles are attributes of users ?
                  atdavie

                  3 years on from this post and I am wondering what is going on. I am coming to the conclusion that this store dumbs down the normal LDAP handling too much and may not be useful.