4 Replies Latest reply on Sep 30, 2009 3:49 PM by cc_humbry

    LDAP authorisation and roles

    cc_humbry

      I have the following in my components.xml to use ldapIdentityStore


      <security:ldap-identity-store
                      server-address="ldap1r.server"
                      bind-DN="authuser"
                      bind-credentials="secret"
                      user-DN-prefix="cn="
                      user-DN-suffix=",ou=Users,ou=RESOURCES,o=KENT"
                      role-DN-prefix="cn="
                      role-DN-suffix=",ou=Groups,ou=RESOURCES,o=KENT"
                      user-context-DN="ou=Users,ou=RESOURCES,o=KENT"
                      role-context-DN="ou=Groups,ou=RESOURCES,o=KENT"
                      user-role-attribute="groupMembership"
                      role-name-attribute="cn"
                      user-object-classes="Person,organizationalPerson,inetOrgPerson,groupOfNames"
                      role-object-classes="group,organizationalUnit"
                      first-name-attribute="givenName"
                      full-name-attribute="fullName"
                      last-name-attribute="tcSurname"
                       />

      This is fine and I have got authentication working, no problem (couldn't believe how easy that was). However, when I try to use roles from LDAP for authorization, I have become unstuck.
      When I try


      // log the number of implied roles and the role names themselves
      log.debug("role size => " + identityManager.getImpliedRoles(identity.getCredentials().getUsername()).size());
      log.debug("roles => " + identityManager.getImpliedRoles(identity.getCredentials().getUsername()));

      to see what the roles are, it only has one role. I actually have about 20 in my LDAP entry. These are all on the attribute named groupMembership. So when I use identity.hasRole(admin) for example it fails as there is only one role in the list. This is an arbitrary one in the list - not the first and not the last.
      I have searched and searched for this type of issue, but no one else appears to be discussing this.


      Any pointers?
      Using Seam 2.1.1 on GlassFish.


      Thanks
      Conrad

        • 1. Re: LDAP authorisation and roles
          tmalatinszki

          Hi Conrad,


          If you are listing all roles from identityManager like this:


          for (String role : identityManager.getImpliedRoles(identity.getCredentials().getUsername())) {
              log.info("Role is: " + role);
          }



          do you receive all of your groups?


          Regards,
          Tamas

          • 2. Re: LDAP authorisation and roles
            cc_humbry

            Hi Tamas,
            Thanks for reading and replying to my question.


            I have tried what you suggest and no, only the one group is output, the arbitrary one I mention in my original post. Did you have an idea then on what this might be?


            Thanks
            Conrad

            • 3. Re: LDAP authorisation and roles
              cc_humbry

              Can anyone help with this?
              I expect to have to create a class or something to move this forward but have no idea where to start as the configuration of the ldap authorisation has been so straightforward and doing so much for me.


              Anyone please?
              Thanks

              • 4. Re: LDAP authorisation and roles
                cc_humbry

                I think this is sorted. It appears that the permissions for the security principal that I am using to log in to LDAP (as configured in components.xml) aren't sufficient.
                Sorry to trouble anyone.
                Conrad
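
Added example (not from the thread or from Seam itself): a small JNDI check that binds with the same service account as the components.xml above and reproduces the two-step lookup the configuration implies, first reading the user's groupMembership values, then reading each group entry's cn with those credentials, so you can see which groups the bind account is actually allowed to resolve before blaming the identity store. Server, bind-DN and bind-credentials are taken from the thread's config; the user cn is a placeholder you must replace, and the ldap:// URL and port 389 are assumptions.

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

/** Diagnostic for the "only one role comes back" symptom: which group entries can the bind account read? */
public class LdapRoleVisibilityCheck {

    // Taken from the thread's components.xml; USER_DN's cn is a placeholder, the URL/port are assumed.
    static final String SERVER = "ldap://ldap1r.server:389";
    static final String BIND_DN = "authuser";          // bind-DN
    static final String BIND_PW = "secret";            // bind-credentials
    static final String USER_DN = "cn=USER_CN_HERE,ou=Users,ou=RESOURCES,o=KENT";
    static final String ROLE_ATTR = "groupMembership"; // user-role-attribute
    static final String ROLE_NAME_ATTR = "cn";         // role-name-attribute

    public static void main(String[] args) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, SERVER);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, BIND_DN);
        env.put(Context.SECURITY_CREDENTIALS, BIND_PW);
        DirContext ctx = new InitialDirContext(env);
        try {
            // Step 1: how many group DNs does the bind account see on the user entry? (expect ~20 here)
            Attribute membership = ctx.getAttributes(USER_DN, new String[]{ROLE_ATTR}).get(ROLE_ATTR);
            if (membership == null) { System.out.println("No " + ROLE_ATTR + " readable on " + USER_DN); return; }
            System.out.println(ROLE_ATTR + " values visible to bind account: " + membership.size());
            // Step 2: can the bind account read each group entry's role-name attribute?
            NamingEnumeration<?> dns = membership.getAll();
            while (dns.hasMore()) {
                String groupDn = (String) dns.next();
                try {
                    Attribute name = ctx.getAttributes(groupDn, new String[]{ROLE_NAME_ATTR}).get(ROLE_NAME_ATTR);
                    System.out.println((name == null ? "NO " + ROLE_NAME_ATTR + " : " : "ok : ") + groupDn);
                } catch (NamingException e) {
                    // an entry that is hidden or denied to the service account shows up here
                    System.out.println("NOT READABLE: " + groupDn + " (" + e.getClass().getSimpleName() + ")");
                }
            }
        } finally { ctx.close(); }
    }
}
```

If step 1 already shows fewer values than the directory holds, or step 2 reports entries as NOT READABLE, the fix is on the directory side (grant the bind account read rights to the group entries and the groupMembership attribute), not in components.xml.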