LDAP multiple OU authentication
ed_mann Oct 25, 2014 11:46 AM

I am trying to authenticate users that are in two different OUs. What I have is something like the following.
CN=mann\, ed,OU=IL,OU=Users,OU=User Accounts,DC=example,DC=org
CN=user\, chris,OU=FL,OU=Users,OU=User Accounts,DC=example,DC=org
I can find the user account; however, when the authentication happens, what is being passed is
CN=mann\, ed,OU=Users,OU=User Accounts,DC=example,DC=org
I am using PicketLink 2.7.0.CR1 and configuring LDAP using IdentityConfigurationBuilder. Code is below.
```java
// Imports assumed for PicketLink 2.7.x; the attribute-name constants are taken from LDAPConstants.
import static org.picketlink.idm.ldap.internal.LDAPConstants.CN;
import static org.picketlink.idm.ldap.internal.LDAPConstants.CREATE_TIMESTAMP;
import static org.picketlink.idm.ldap.internal.LDAPConstants.EMAIL;
import static org.picketlink.idm.ldap.internal.LDAPConstants.SN;

import org.picketlink.idm.config.IdentityConfigurationBuilder;
import org.picketlink.idm.model.basic.Agent;
import org.picketlink.idm.model.basic.Grant;
import org.picketlink.idm.model.basic.Group;
import org.picketlink.idm.model.basic.GroupMembership;
import org.picketlink.idm.model.basic.Role;
import org.picketlink.idm.model.basic.User;

IdentityConfigurationBuilder builder = new IdentityConfigurationBuilder();
builder.named("default").stores().ldap().supportAllFeatures()
        // store-wide base DN, e.g. OU=User Accounts,DC=example,DC=org
        .baseDN(ldapConfig.getBaseDn()).activeDirectory(true)
        // service account used for the initial (non-user) bind
        .bindDN(ldapConfig.getBindDn())
        .bindCredential(ldapConfig.getBindPassword())
        .url(ldapConfig.getUrl()).mapping(Agent.class)
        .baseDN(ldapConfig.getAgentDnSuffix())
        .objectClasses("user")
        .attribute("loginName", CN, true)
        .readOnlyAttribute("createdDate", CREATE_TIMESTAMP)
        .mapping(User.class)
        // per-type base DN: OU=Users,OU=User Accounts,... ; the OU=IL / OU=FL level sits below it
        .baseDN(ldapConfig.getUserDnSuffix())
        .parentMapping(CN, ldapConfig.getUserDnSuffix())
        .objectClasses("user")
        .attribute("loginName", "samAccountName", false)
        .attribute("firstName", CN, true)
        .attribute("lastName", SN).attribute("email", EMAIL)
        .readOnlyAttribute("createdDate", CREATE_TIMESTAMP)
        .mapping(Group.class)
        .baseDN(ldapConfig.getGroupDnSuffix())
        .objectClasses("group")
        .attribute("name", CN, true)
        .readOnlyAttribute("createdDate", CREATE_TIMESTAMP)
        .mapping(Grant.class)
        .forMapping(Role.class)
        .attribute("assignee", "member")
        .mapping(GroupMembership.class)
        .forMapping(Group.class)
        .attribute("member", "member");
```
I noticed in class LDAPPlainTextPasswordCredentialHandler.java, line 55:

```java
String bindingDN = ldapIdentityStore.getBindingDN(account, true);
```

it's not using the account at all to get the correct path to help authenticate the users with. It's getting the baseDN. I was thinking that would be used as a base to start the search, but it now looks like it uses that to build the DN to authenticate the user.
Is there a way I can authenticate both OUs?

Thanks for any help.
On another note, I have patched the system to fix [PLINK-555] LDAPIdentityStore.getBindingDN returns incorrect value if there are commas in the bindingAttribute - JBoss I… My changes cover both authenticating users and also matching groups. All unit tests pass with my changes and I didn't need to alter the tests in any way. I plan on committing my code to my fork of PicketLink on GitHub and posting the patch set to the ticket.
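Since the question comes down to how the bind DN should be derived, here is an added example (not PicketLink's code and not from the original post) of the search-then-bind pattern in plain JNDI: locate the entry anywhere below the base DN with a subtree search, bind with the DN the directory returns (OU included) rather than one assembled from the base DN, and refuse ambiguous matches. The LDAP URL, the service-account DN and password, and the `sAMAccountName` filter are assumptions.

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

public final class MultiOuLdapAuth {

    // Escape RFC 4515 filter metacharacters so a login name cannot alter the search filter.
    static String escapeFilter(String v) {
        return v.replace("\\", "\\5c").replace("*", "\\2a").replace("(", "\\28")
                .replace(")", "\\29").replace("\0", "\\00");
    }

    // Simple bind as the given DN; throws NamingException when the server rejects the credentials.
    static DirContext bind(String url, String dn, String password) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);                 // assumed, e.g. ldaps://dc.example.org
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, dn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        return new InitialDirContext(env);
    }

    // Search-then-bind: find the entry below baseDn, then bind with the DN the directory holds for it.
    static boolean authenticate(String url, String serviceDn, String servicePw,
                                String baseDn, String login, String password) throws NamingException {
        if (password == null || password.isEmpty()) return false; // AD treats an empty password as an anonymous bind
        DirContext svc = bind(url, serviceDn, servicePw);          // service account is an assumption
        try {
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE);       // covers OU=IL, OU=FL and any other sub-OU
            NamingEnumeration<SearchResult> hits = svc.search(baseDn,
                "(&(objectClass=user)(sAMAccountName=" + escapeFilter(login) + "))", sc);
            if (!hits.hasMore()) return false;
            String userDn = hits.next().getNameInNamespace();      // e.g. CN=mann\, ed,OU=IL,OU=Users,...
            if (hits.hasMore()) return false;                      // same login in two OUs: refuse, don't guess
            try { bind(url, userDn, password).close(); return true; }
            catch (NamingException rejected) { return false; }
        } finally { svc.close(); }
    }
}
```

Calling `authenticate(url, serviceDn, servicePw, "OU=User Accounts,DC=example,DC=org", "emann", pw)` binds as whichever OU the entry actually lives in, which is the behaviour the handler above lacks when it builds the DN from the base DN alone.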