1 Reply Latest reply on Jul 28, 2011 11:50 PM by Sam H

    Access roles(memberOf attribute) from Active Directory?

    Sam H Newbie

      Hi guys,

      Did anyone succeed in retrieving roles from Active Directory (AD) using the 'memberOf' attribute?

      If yes, can you shed some light on how this is done?

      BTW, I already worked out how to do authentication against AD with the thread

         http://www.seamframework.org/Community/IdentityManagementActiveDirectory

      It's the authorization I am having problems with.

      My working code that does only authentication is like:

      import org.jboss.seam.security.management.LdapIdentityStore;

      public class ActiveDirectoryLdapIdentityStore extends LdapIdentityStore {
          private static final long serialVersionUID = -1250675501823301128L;

          @Override
          public void init() {
              setServerAddress("myorg.co.nz");
              setBindDN("CN=MyName,OU=MYORG Users,DC=MYORG,DC=co,DC=nz");
              setBindCredentials("welcome777"); // swap in real password
              setUserContextDN("OU=MOEST Users,DC=moest,DC=govt,DC=nz");
              // this is required else authentication exception when listing roles with IdentityStore.listRoles();
              setRoleContextDN("OU=MYORG Users,DC=myorg,DC=co,DC=nz");
              setUserRoleAttribute("memberOf");
          }

          @Override
          protected String getUserDN(String username) {
              // bind as prefix + username + "@" + suffix (userPrincipalName form accepted by AD)
              return String.format("%s%s%s", getUserDNPrefix(), username, "@" + getUserDNSuffix());
          }
      }

      Am I right to assume that to be able to retrieve the value of the memberOf attribute, the user I use to log in (i.e. setBindDN(..) above) needs to have admin rights in the context specified by the user-context-dn attribute, whose value is set in setUserContextDN(...)?

      Thanks in advance


        • 1. Re: Access roles(memberOf attribute) from Active Directory?
          Sam H Newbie

          Just to answer my own question so it may help others. The user used to log in doesn't need to have admin rights. Just a user account for the sole purpose of connecting to AD.

          The trick of doing authorization is to retrieve a list of roles granted to user like:

            adStore.getGrantedRoles( username );

          where adStore is a custom class that extends LdapIdentityStore.

          Assuming the location or distinguished name of the group that holds all security roles is: "OU=Security,OU=MyOrg Groups,DC=org,DC=nz" (one can find out this value using the 'ADSI Edit' tool in Windows XP/2003).

          Then to list all security roles, the custom class needs to set the following properties like:

            setRoleContextDN("OU=Security,OU=MyOrg Groups,DC=org,DC=nz");
            setRoleObjectClass( new String[]{ "group" } ); // this is always group
            setRoleNameAttribute( "name" ); // this is always name

          Then in your authenticator class Authenticator.java, all roles can be listed like:

            List<String> roles = adStore.listRoles();

          Note the roles returned by adStore.getGrantedRoles have to be a subset of

          That's all. Good luck.
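Added example, not code from this thread or from Seam's LdapIdentityStore: AD returns memberOf as a list of full group DNs, and the reply above relies on only the groups under the configured role context DN counting as security roles. The class below, written with nothing but the JDK's javax.naming.ldap parser, takes raw memberOf values, keeps only the groups under that OU, and returns their CNs as role names; the DN values in main() are constructed to match the thread and do not come from a real domain.

```java
import java.util.ArrayList;
import java.util.List;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

/**
 * Maps the raw memberOf values of an AD user onto role names, keeping only
 * groups that live under the configured role context DN. Illustration only;
 * the class name and method names are this example's own, not Seam's.
 */
public class MemberOfRoleMapper {

    private final LdapName roleContextDn;

    public MemberOfRoleMapper(String roleContextDn) throws InvalidNameException {
        this.roleContextDn = new LdapName(roleContextDn);
    }

    /** Returns the leftmost CN of a group DN, or null if the DN carries no CN. */
    static String groupName(LdapName dn) {
        // LdapName stores RDNs right-to-left: index 0 is "DC=nz", the last index is the CN.
        for (int i = dn.size() - 1; i >= 0; i--) {
            Rdn rdn = dn.getRdn(i);
            if ("CN".equalsIgnoreCase(rdn.getType())) {
                return rdn.getValue().toString();
            }
        }
        return null;
    }

    /**
     * Filters memberOf values to groups under the role context and returns their names.
     * Values that do not parse as DNs are skipped rather than trusted.
     */
    public List<String> rolesFrom(List<String> memberOfValues) {
        List<String> roles = new ArrayList<String>();
        for (String value : memberOfValues) {
            LdapName groupDn;
            try {
                groupDn = new LdapName(value);
            } catch (InvalidNameException e) {
                continue; // malformed attribute value: ignore it
            }
            // startsWith() compares the rightmost components, i.e. the parent containers,
            // so this is true only for groups inside the security OU.
            if (!groupDn.startsWith(roleContextDn)) {
                continue; // group lives elsewhere (distribution lists etc.): not a role
            }
            String name = groupName(groupDn);
            if (name != null && !roles.contains(name)) {
                roles.add(name);
            }
        }
        return roles;
    }

    public static void main(String[] args) throws InvalidNameException {
        // Constructed memberOf values in the shape AD returns them (not real groups).
        List<String> memberOf = new ArrayList<String>();
        memberOf.add("CN=Finance Approvers,OU=Security,OU=MyOrg Groups,DC=org,DC=nz");
        memberOf.add("CN=Admins,OU=Security,OU=MyOrg Groups,DC=org,DC=nz");
        memberOf.add("CN=All Staff Mailing List,OU=Distribution,OU=MyOrg Groups,DC=org,DC=nz");
        memberOf.add("not a dn");

        MemberOfRoleMapper mapper =
            new MemberOfRoleMapper("OU=Security,OU=MyOrg Groups,DC=org,DC=nz");
        for (String role : mapper.rolesFrom(memberOf)) {
            System.out.println(role);
        }
    }
}
```

Two AD behaviours worth keeping in mind when relying on memberOf this way: the attribute does not list the user's primary group (usually Domain Users), and it is not expanded through nested groups, so a user who is in a security group only via membership of another group will not get that role from this attribute alone.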