1 Reply Latest reply on Jul 28, 2011 11:50 PM by Sam H

    Access roles(memberOf attribute) from Active Directory?

    Sam H Newbie

      Hi guys,


      Did anyone succeed in retrieving roles from Active Directory (AD) using the 'memberOf' attribute?


      If yes, can you shed some light on how this is done?


      BTW, I worked out how to do authentication against AD already with the thread


         http://www.seamframework.org/Community/IdentityManagementActiveDirectory and
          http://www.seamframework.org/Community/LdapIdentityStoreAndActiveDirectory


      It's the authorization I am having a problem with.


      My working code that does only authentication is like:




```java
import javax.annotation.PostConstruct;

import org.jboss.seam.ScopeType;
import org.jboss.seam.annotations.AutoCreate;
import org.jboss.seam.annotations.Name;
import org.jboss.seam.annotations.Scope;
import org.jboss.seam.annotations.Startup;
import org.jboss.seam.security.management.LdapIdentityStore;

@Name("customLdapIdentityStore")
@Startup
@AutoCreate
@Scope(ScopeType.APPLICATION)
public class ActiveDirectoryLdapIdentityStore extends LdapIdentityStore {

    private static final long serialVersionUID = -1250675501823301128L;

    @PostConstruct
    public void init() {

        // AD domain controller (plain LDAP on 389)
        setServerAddress("myorg.co.nz");
        setServerPort(389);

        // service account used for the initial bind
        setBindDN("CN=MyName,OU=MYORG Users,DC=MYORG,DC=co,DC=nz");
        setBindCredentials("welcome777"); // swap in real password

        // users bind with their UPN (username@domain), see getUserDN() below
        setUserDNPrefix("");
        setUserDNSuffix("myorg.co.nz");
        setUserNameAttribute("sAMAccountName");

        setUserContextDN("OU=MOEST Users,DC=moest,DC=govt,DC=nz");

        // this is required else authentication exception when listing roles with IdentityStore.listRoles();
        setRoleContextDN("OU=MYORG Users,DC=myorg,DC=co,DC=nz");

        // AD exposes group membership on the user entry via memberOf
        setUserRoleAttribute("memberOf");
    }

    @Override
    protected String getUserDN(String username) {
        // AD accepts the UPN form "user@domain" as the bind name
        return String.format("%s%s%s", getUserDNPrefix(), username, "@" + getUserDNSuffix());
    }

}
```





      Am I right to assume that, to be able to retrieve the value of the memberOf attribute, the user I use to log in (i.e. setBindDN(..) above) needs to have admin rights in the context specified by the user-context-dn attribute, whose value is set in setUserContextDN(...)?


      Thanks in advance


      Sam

        • 1. Re: Access roles(memberOf attribute) from Active Directory?
          Sam H Newbie

          Just to answer my own question so it may help others. The user used to log in doesn't need to have admin rights; just a user account for the sole purpose of connecting to AD.

          The trick to doing authorization is to retrieve the list of roles granted to the user like:

            adStore.getGrantedRoles( username );

          where adStore is a custom class that extends LdapIdentityStore.


          Assuming the location or distinguished name of the group that holds all security roles is "OU=Security,OU=MyOrg Groups,DC=org,DC=nz" (one can find out this value using the tool 'ADSI Edit' in Windows XP/2003),

          then to list all security roles, the custom class needs to set the following properties like:

```java
setRoleContextDN("OU=Security,OU=MyOrg Groups,DC=org,DC=nz");
setRoleObjectClass( new String[]{ "group" }  ); // this is always group
setRoleNameAttribute( "name" ); // this is always name
```



          Then in your authenticator class Authenticator.java, all roles can be listed like:

            List<String> roles = adStore.listRoles();

          Note that the roles returned by adStore.getGrantedRoles have to be a subset of
          adStore.listRoles().


          That's all. Good luck.


          Regards

          Sam
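The following is an added example, not code from this thread or from the Seam project, of how an authenticator would consume the custom AD store described above: it authenticates with the user's own credentials, then adds to the Seam Identity only those granted roles that also appear in listRoles(), i.e. groups under the role-context-dn. The component name "customLdapIdentityStore" is taken from the question; the helper roleNamesFromMemberOf and the sample memberOf values in main are assumptions, included so the DN filtering can be exercised without a directory.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

import org.jboss.seam.annotations.In;
import org.jboss.seam.annotations.Name;
import org.jboss.seam.security.Credentials;
import org.jboss.seam.security.Identity;
import org.jboss.seam.security.management.LdapIdentityStore;

// Added example: Seam 2 authenticator wired to the AD identity store from the thread.
@Name("authenticator")
public class Authenticator {

    // Assumption: the custom store is registered under the @Name used in the question.
    @In("customLdapIdentityStore")
    private LdapIdentityStore adStore;

    @In
    private Credentials credentials;

    @In
    private Identity identity;

    // Referenced from components.xml as authenticate-method="#{authenticator.authenticate}".
    public boolean authenticate() {
        String username = credentials.getUsername();

        // Bind as the user; the service account in setBindDN() is only used for lookups.
        if (!adStore.authenticate(username, credentials.getPassword())) {
            return false;
        }

        // listRoles() returns the groups under role-context-dn; getGrantedRoles() returns
        // what memberOf says. Only the intersection becomes an application role, so a
        // membership in an unrelated container (e.g. a distribution list) grants nothing.
        List<String> knownRoles = adStore.listRoles();
        for (String role : adStore.getGrantedRoles(username)) {
            if (knownRoles.contains(role)) {
                identity.addRole(role);
            }
        }
        return true;
    }

    // Hypothetical helper showing the same filtering on raw memberOf values: keep only
    // groups whose DN lies under roleContextDN and use the leaf CN as the role name
    // (AD's "name" attribute of a group equals its CN).
    static List<String> roleNamesFromMemberOf(List<String> memberOf, String roleContextDN)
            throws InvalidNameException {
        LdapName context = new LdapName(roleContextDN);
        List<String> roles = new ArrayList<String>();
        for (String dn : memberOf) {
            LdapName group = new LdapName(dn);
            // LdapName stores the rightmost RDN first, so startsWith() means "is below".
            if (!group.startsWith(context)) {
                continue;
            }
            Rdn leaf = group.getRdn(group.size() - 1);
            if ("CN".equalsIgnoreCase(leaf.getType())) {
                roles.add(leaf.getValue().toString());
            }
        }
        return roles;
    }

    public static void main(String[] args) throws InvalidNameException {
        // Constructed sample memberOf values in the shape AD returns them.
        List<String> memberOf = Arrays.asList(
                "CN=App Admins,OU=Security,OU=MyOrg Groups,DC=org,DC=nz",
                "CN=Domain Users,CN=Users,DC=org,DC=nz",
                "CN=All Staff,OU=Distribution,OU=MyOrg Groups,DC=org,DC=nz");

        System.out.println(roleNamesFromMemberOf(memberOf,
                "OU=Security,OU=MyOrg Groups,DC=org,DC=nz"));
    }
}
```

The subset check in authenticate() is what makes the role-context-dn setting meaningful: a user who is a member of groups elsewhere in the directory does not pick up roles from them, and a typo in a group name simply results in no role rather than an unexpected one.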