2 Replies Latest reply on Jul 12, 2009 12:57 PM by Sebatian Ebert

    Problems with ldapIdentityStore and complex Acitve Directory

    Sebatian Ebert Newbie

      Hello together!


      I am new with the Seam Framework. In my application I want to authenticate the User to AD. The Content of my component.xml:




      <security:ldap-identity-store
               server-address="server.company.com"
      
               role-DN-prefix="cn=SVN-Haithabu"
               bind-credentials="secret"             
               bind-DN="cn=Manager,ou=maintenance,ou=Users,ou=Business,dc=company,dc=com"          
      
             role-DN-suffix=",ou=Security Groups,ou=Business,dc=company,dc=com"
             role-context-DN="ou=Security Groups,ou=MyBusiness,dc=company,dc=com"
             
             user-DN-prefix="cn="
             user-DN-suffix=",ou=Users,ou=Business,dc=company,dc=com"
             user-context-DN="ou=Users,ou=Business,dc=company,dc=com"
             user-name-attribute="sAMAccountName"
             user-object-classes="top,person,organizationalPerson,user" 
             user-role-attribute="member"
      
               search-scope="SUBTREE_SCOPE" 
      />





      The Structure of the Active Directory:




      
      - World
        - com
          - company
            - Business
              - Security Groups
                - intern
                - extern
                - admin
                - distribution
                - administration
      
              - Users
                - intern
                - maintenance
                - company
                  - city1
                  - city2
                    - IT
                    - Accounting
                    - Teamleader
                      - Guybrush Threepwood
                      - LeChuck
                      - Herman Toothrot
      




      Last but not least the main parts of the login.xhtml:




       <div class="dialog">
                      <h:panelGrid columns="2" rowClasses="prop" columnClasses="name,value">
                          <h:outputLabel for="username">Username</h:outputLabel>
                          <h:inputText id="username"
                                    value="#{credentials.username}"/>
                          <h:outputLabel for="password">Password</h:outputLabel>
                          <h:inputSecret id="password"
                                      value="#{credentials.password}"/>                    
                      </h:panelGrid>
                  </div>           
              </rich:panel>
              <div class="actionButtons">
                  <h:commandButton value="Login" action="#{identity.login}"/>
              </div>
      



      Now the problem! In my opinion the process of authentification do not check subtrees. If I configure the role-DN-suffix like that I am able to login.



      user-DN-suffix=",ou=Teamleader,ou=city2,ou=company,ou=Users,ou=Business,dc=company,dc=com"



      But then a further problem ist that I can't use the rols. I think this is the same problem with the subtrees.
      The configuration with


       search-scope= SUBTREE_SCOPE 



      doesn't pay anything.



      Has anyone of you an easy idea or solution?


      Thank you all in advance.