10 Replies Latest reply on Nov 11, 2009 12:47 AM by Charlie B

    LdapIdentityStore

    Charlie B Newbie

      Hi Guys,


      Just have a quick question about configuring LdapIdentityStore in Seam.


      Does the identity store automatically search subtrees under the 'user-DN-suffix'?
      If not, how do you set it up to search sub trees?



      Thanks in advance.


      Charlie

        • 1. Re: LdapIdentityStore
          Shane Bryzak Master

          No, it doesn't support this yet but I think it would be useful.  There is a problem doing this though - where in the tree do new users get created?  The API only provides a method for creating a user using their username, password, firstname and lastname.

          • 2. Re: LdapIdentityStore
            Charlie B Newbie

            Yes, that would be very useful.
            The issue I have is that the LDAP tree I'm working with has users under different 'offices':

            - Sites
               - Offices
                  - Office 1
                  - Office 2
                  ...
                  - Office n





            How can I use the LdapIdentityStore to authenticate users under each DN-Suffix?
            In this case, I would have three:




            1. ou=Office 1, ou=Offices, ou=Sites
            2. ou=Office 2, ou=Offices, ou=Sites
            3. ou=Office n, ou=Offices, ou=Sites





            Maybe LdapIdentityStore isn't the best option in this case?


            Charlie

            • 3. Re: LdapIdentityStore
              Shane Bryzak Master

              You would have to extend LdapIdentityStore to achieve this.  The problem remains though where new users get created.

              • 4. Re: LdapIdentityStore
                Charlie B Newbie

                Well in my case, I'm using LdapIdentityStore mainly for authentication, and not so much to add/edit/delete users.


                Is it still the best option to go with? Or should I go with the simple authenticator?


                If I were to extend the LdapIdentityStore...would I only need to override the authenticate method, and perform all my searches for users under all subtrees from there?


                Thanks for your help.


                Charlie

                • 5. Re: LdapIdentityStore
                  Shane Bryzak Master

                  Since you don't want to actually manage the users it makes it a little easier.  The authenticate() method works by simply taking the username and password values that you provide and using them (in conjunction with the userDNPrefix and userDNSuffix properties) to create the InitialLdapContext. 


                  In your case the userDNSuffix won't be sufficient as it contains a specific value... so what you probably need to do is first bind using the bindDN, then search the subtrees for the user, then once you find it re-bind using the correct userDN.  You probably don't need to override the authenticate() method at all, I'd say you can get away with simply overriding the getUserDN() method to do what I just described.

                  • 6. Re: LdapIdentityStore
                    Charlie B Newbie

                    Thanks for your help Shane.


                    I will give it a try.

                    • 7. Re: LdapIdentityStore
                      Charlie B Newbie

                      Sorry Shane. Just another question for clarification.


                      Does the userDN string that is returned by getUserDN() get passed to the authenticate() method?


                      Or do I need to do a re-bind within the getUserDN() method first? And then return the userDN if all is ok?


                      If so, does the IdentityManager have a bind method that can be used?


                      • 8. Re: LdapIdentityStore
                        Shane Bryzak Master

                        The authenticate() method calls getUserDN() to get the principal with which to bind. You'll need to override this method to bind with the default bindDN, search the subtrees for the actual user entry and then return that value which will then be used to authenticate. Here's some pseudo-code:





                           // needs: javax.naming.NamingEnumeration, javax.naming.NamingException,
                           // javax.naming.directory.SearchControls, javax.naming.directory.SearchResult,
                           // javax.naming.ldap.InitialLdapContext,
                           // org.jboss.seam.security.management.IdentityManagementException
                           @Override
                           protected String getUserDN(String username)
                           {
                              InitialLdapContext ctx = null;
                              try
                              {
                                 // bind with the read-only service account; the user's own password is
                                 // only used later, when authenticate() binds with the DN returned here
                                 ctx = initialiseContext(getBindDN(), getBindCredentials());

                                 // the attribute to match is the user-DN-prefix without its trailing '='
                                 // (e.g. "sAMAccountName=" -> "sAMAccountName")
                                 String attribute = getUserDNPrefix().replace("=", "");

                                 // search the whole subtree below the user context DN so that every
                                 // office OU under it is covered; no attributes need to come back
                                 SearchControls controls = new SearchControls();
                                 controls.setSearchScope(SearchControls.SUBTREE_SCOPE);
                                 controls.setReturningAttributes(new String[0]);

                                 // the username is passed as a filter argument so JNDI escapes it,
                                 // rather than being concatenated into the filter string
                                 NamingEnumeration<SearchResult> results = ctx.search(getUserContextDN(),
                                       "({0}={1})", new Object[] { attribute, username }, controls);

                                 // not found anywhere: fall back to prefix + username + configured suffix,
                                 // so authenticate() simply fails on the bind as it does today
                                 if (!results.hasMore())
                                 {
                                    return super.getUserDN(username);
                                 }

                                 // the entry's full DN is what authenticate() will bind with
                                 return results.next().getNameInNamespace();
                              }
                              catch (NamingException ex)
                              {
                                 throw new IdentityManagementException("Authentication error", ex);
                              }
                              finally
                              {
                                 if (ctx != null)
                                 {
                                    try
                                    {
                                       ctx.close();
                                    }
                                    catch (NamingException ex) {}
                                 }
                              }
                           }




                        • 9. Re: LdapIdentityStore
                          Charlie B Newbie

                          Hi,


                          I have set up the ldap-identity-store in my components.xml, but I seem to be getting an exception, and I can't find the actual cause:


                          12:19:38,410 WARN  [SeamLoginModule] Error invoking login method


                          It does not print out any other exception or details...is there any way to see the full exception so I know where the error is actually coming from?


                          Here is my components.xml




                          <?xml version="1.0" encoding="UTF-8"?>
                          <components xmlns="http://jboss.com/products/seam/components"
                                      xmlns:core="http://jboss.com/products/seam/core"
                                      xmlns:persistence="http://jboss.com/products/seam/persistence"
                                      xmlns:drools="http://jboss.com/products/seam/drools"
                                      xmlns:bpm="http://jboss.com/products/seam/bpm"
                                      xmlns:security="http://jboss.com/products/seam/security"
                                      xmlns:mail="http://jboss.com/products/seam/mail"
                                      xmlns:web="http://jboss.com/products/seam/web"
                                      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                      xsi:schemaLocation=
                                          "http://jboss.com/products/seam/core http://jboss.com/products/seam/core-2.2.xsd
                                           http://jboss.com/products/seam/persistence http://jboss.com/products/seam/persistence-2.2.xsd
                                           http://jboss.com/products/seam/drools http://jboss.com/products/seam/drools-2.2.xsd
                                           http://jboss.com/products/seam/bpm http://jboss.com/products/seam/bpm-2.2.xsd
                                           http://jboss.com/products/seam/security http://jboss.com/products/seam/security-2.2.xsd
                                           http://jboss.com/products/seam/mail http://jboss.com/products/seam/mail-2.2.xsd
                                           http://jboss.com/products/seam/web http://jboss.com/products/seam/web-2.2.xsd
                                           http://jboss.com/products/seam/components http://jboss.com/products/seam/components-2.2.xsd">
                          
                             <core:init debug="@debug@" jndi-pattern="@jndiPattern@"/>
                          
                             <core:manager concurrent-request-timeout="500"
                                           conversation-timeout="120000"
                                           conversation-id-parameter="cid"
                                           parent-conversation-id-parameter="pid"/>
                          
                             <!-- Make sure this URL pattern is the same as that used by the Faces Servlet -->
                             <web:hot-deploy-filter url-pattern="*.seam"/>
                          
                             <!-- If you are still using JBoss 4, uncomment this to have you PU started -->
                             <!-- <persistence:entity-manager-factory name="entityManagerFactory"
                                                persistence-unit-name="koncentrator"
                                                            installed="@seamBootstrapsPu@"/>-->
                               
                             <persistence:managed-persistence-context name="entityManager" auto-create="true"
                                                    entity-manager-factory="@seamEmfRef@"
                                                persistence-unit-jndi-name="@puJndiName@"/>
                          
                             <drools:rule-base name="securityRules">
                                <drools:rule-files><value>/security.drl</value></drools:rule-files>
                             </drools:rule-base>
                          
                             <security:rule-based-permission-resolver security-rules="#{securityRules}"/>
                          
                             <security:identity  remember-me="true"/>
                          
                             <security:ldap-identity-store
                                       name="ldapIdentityStore" 
                                   server-address="ldap://ac3adc01"
                                   server-port="389"
                                   bind-DN="cn=LDAPReadAccount,cn=Users,dc=StateWater,dc=local"
                                   bind-credentials="LDAP09SW!"
                                   user-DN-prefix="sAMAccountName="
                                   user-DN-suffix=",ou=Parramatta,ou=Offices,ou=Sites,dc=StateWater,dc=local"
                                   role-DN-prefix="cn="
                                   role-DN-suffix=",ou=Groups,ou=Sites,dc=StateWater,dc=local"
                                   user-context-DN="ou=Parramatta,ou=Offices,ou=Sites,dc=StateWater,dc=local"
                                   role-context-DN="ou=Groups,ou=Sites,dc=StateWater,dc=local"
                                   user-role-attribute="memberOf"
                                   role-name-attribute="name"
                                   user-object-classes="person,user"
                                   role-object-classes="group"
                                   enabled-attribute="enabled" />
                                   
                              <security:identity-manager identity-store="#{ldapIdentityStore}"/>
                              
                             <event type="org.jboss.seam.security.notLoggedIn">
                                <action execute="#{redirect.captureCurrentView}"/>
                             </event>
                             <event type="org.jboss.seam.security.loginSuccessful">
                                <action execute="#{redirect.returnToCapturedView}"/>
                             </event>
                          
                             <mail:mail-session host="localhost" port="25"/>
                          
                             <!-- For use with jBPM pageflow or process management -->
                             <!--
                             <bpm:jbpm>
                                <bpm:process-definitions></bpm:process-definitions>
                                <bpm:pageflow-definitions></bpm:pageflow-definitions>
                             </bpm:jbpm>
                             -->
                             
                          </components>



                          Any suggestions would be appreciated.

                          • 10. Re: LdapIdentityStore
                            Charlie B Newbie

                            Does anyone have any advice on this issue?
                            It's not printing the exception stack trace or cause, so I'm not sure what the problem is at all.


                            Are these the only three components I need for setting up ldap-identity-store?




                            <security:identity  remember-me="true"/>
                            
                               <security:ldap-identity-store
                                    name="ldapIdentityStore" 
                                     server-address="ac3adc01.StateWater.local"
                                     server-port="389"
                                     bind-DN="cn=LDAPReadAccount,cn=Users,dc=StateWater,dc=local"
                                     bind-credentials="LDAP09SW!"
                                     user-DN-prefix="sAMAccountName="
                                     user-DN-suffix=",ou=Parramatta,ou=Offices,ou=Sites,dc=StateWater,dc=local"
                                     role-DN-prefix="cn="
                                     role-DN-suffix=",ou=Groups,ou=Sites,dc=StateWater,dc=local"
                                     user-context-DN="ou=Parramatta,ou=Offices,ou=Sites,dc=StateWater,dc=local"
                                     role-context-DN="ou=Groups,ou=Sites,dc=StateWater,dc=local"
                                     user-role-attribute="memberOf"
                                     role-name-attribute="name"
                                     user-object-classes="person,user"
                                     role-object-classes="group"
                                     enabled-attribute="enabled" />
                                     
                                <security:identity-manager identity-store="#{ldapIdentityStore}"/>
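Wiring the extended store from replies 5 and 8 into components.xml, as an added example that is not from the thread or from the Seam project. It assumes a hypothetical subclass com.example.security.SubtreeLdapIdentityStore that overrides getUserDN() to search the subtrees, and that Seam's generic component/property elements accept the same properties as the security namespace attributes above (camel-cased); the user context DN is widened to the parent of the office OUs so one search covers all of them, and the bind password is a build-time placeholder rather than a literal.

```xml
<!-- assumed subclass name; it overrides getUserDN() to search the office subtrees -->
<component name="ldapIdentityStore"
           class="com.example.security.SubtreeLdapIdentityStore"
           scope="application">
   <!-- bare host name, as in reply 10, not an ldap:// URL -->
   <property name="serverAddress">ac3adc01.StateWater.local</property>
   <property name="serverPort">389</property>
   <!-- read-only service account used only for the subtree search -->
   <property name="bindDN">cn=LDAPReadAccount,cn=Users,dc=StateWater,dc=local</property>
   <!-- placeholder filtered in at build time; keep the real value out of components.xml -->
   <property name="bindCredentials">@ldapBindPassword@</property>
   <property name="userDNPrefix">sAMAccountName=</property>
   <!-- parent of every office OU: the overridden getUserDN() searches below this -->
   <property name="userContextDN">ou=Offices,ou=Sites,dc=StateWater,dc=local</property>
   <!-- userDNSuffix is only a fallback now, since the search returns the full entry DN -->
   <property name="userDNSuffix">,ou=Parramatta,ou=Offices,ou=Sites,dc=StateWater,dc=local</property>
   <property name="roleDNPrefix">cn=</property>
   <property name="roleDNSuffix">,ou=Groups,ou=Sites,dc=StateWater,dc=local</property>
   <property name="roleContextDN">ou=Groups,ou=Sites,dc=StateWater,dc=local</property>
   <property name="userRoleAttribute">memberOf</property>
   <property name="roleNameAttribute">name</property>
   <property name="userObjectClasses">person,user</property>
   <property name="roleObjectClasses">group</property>
   <property name="enabledAttribute">enabled</property>
</component>

<!-- the identity manager is pointed at the subclass exactly as it was at the built-in store -->
<security:identity-manager identity-store="#{ldapIdentityStore}"/>
```

The security:identity element from the original configuration is unchanged and still required alongside these two.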