0 Replies Latest reply on Oct 25, 2014 11:46 AM by Edward Mann

    LDAP multiple OU authentication

    Edward Mann Newbie

      I am trying to authenticate users that are in two different OUs. What I have is something like the following.


      CN=mann\, ed,OU=IL,OU=Users,OU=User Accounts,DC=example,DC=org

      CN=user\, chris,OU=FL,OU=Users,OU=User Accounts,DC=example,DC=org


      I can find the user account; however, when the authentication happens, what is being passed is

      CN=mann\, ed,OU=Users,OU=User Accounts,DC=example,DC=org


      I am using PicketLink 2.7.0.CR1 and configuring LDAP using IdentityConfigurationBuilder. The code is below.


      IdentityConfigurationBuilder builder = new IdentityConfigurationBuilder();

                      .attribute("loginName", CN, true)
                      .readOnlyAttribute("createdDate", CREATE_TIMESTAMP)

                      .parentMapping(CN, ldapConfig.getUserDnSuffix())

                      .attribute("loginName", "samAccountName", false)
                      .attribute("firstName", CN, true)
                      .attribute("lastName", SN).attribute("email", EMAIL)
                      .readOnlyAttribute("createdDate", CREATE_TIMESTAMP)

                      .attribute("name", CN, true)
                      .readOnlyAttribute("createdDate", CREATE_TIMESTAMP)

                      .attribute("assignee", "member")

                      .attribute("member", "member");


      I noticed that in class LDAPPlainTextPasswordCredentialHandler.java, line 55,

      String bindingDN = ldapIdentityStore.getBindingDN(account, true);

      it's not using the account at all to get the correct path to help authenticate the users with. It's getting the baseDN; I was thinking that would be used as a base to start the search, but it now looks like it uses that to build the DN to authenticate the user.

      Is there a way I can authenticate both OUs?


      Thanks for any help.


      On another note, I have patched the system to fix [PLINK-555] LDAPIdentityStore.getBindingDN returns incorrect value if there are commas in the bindingAttribute - JBoss I… My changes cover both authenticating users and also matching groups. All unit tests pass with my changes, and I didn't need to alter the tests in any way. I plan on committing my code to my fork of PicketLink on GitHub and posting a patch set to the ticket.
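The failure described in the post is a bind DN assembled from the configured base DN plus the CN, so an entry that actually lives under OU=IL or OU=FL never matches. The following is an added example, not code from the post or from PicketLink: a plain JNDI search-then-bind that resolves the login name to the entry's real DN with a subtree search and then binds as that DN, escaping the user-supplied value per RFC 4515 so it cannot alter the filter. The directory URL, the lookup (service) account and the search base are assumed placeholders.

```java
import java.util.Hashtable;
import javax.naming.*;
import javax.naming.directory.*;
import javax.naming.ldap.*;

public class SearchThenBind {
    // Assumed values: replace with your directory URL, lookup (service) account and search base.
    static final String URL = "ldaps://ldap.example.org:636";
    static final String LOOKUP_DN = "CN=svc-lookup,OU=Service Accounts,DC=example,DC=org";
    static final String SEARCH_BASE = "OU=User Accounts,DC=example,DC=org";

    // Escape a user-supplied value for use inside an LDAP search filter (RFC 4515).
    static String escapeFilter(String s) {
        StringBuilder sb = new StringBuilder();
        for (char c : s.toCharArray()) {
            if ("\\*()\0".indexOf(c) >= 0) sb.append(String.format("\\%02x", (int) c));
            else sb.append(c);
        }
        return sb.toString();
    }

    static LdapContext bind(String dn, String password) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, dn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        return new InitialLdapContext(env, null);
    }

    // Returns the entry DN the user authenticated as, or null if the login is unknown or the password is wrong.
    static String authenticate(String login, String password, String lookupPassword) throws NamingException {
        if (password == null || password.isEmpty()) return null; // an empty password would be an anonymous bind
        LdapContext ctx = bind(LOOKUP_DN, lookupPassword);
        try {
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE); // covers OU=IL, OU=FL and any other sub-OU
            NamingEnumeration<SearchResult> hits =
                ctx.search(SEARCH_BASE, "(sAMAccountName=" + escapeFilter(login) + ")", sc);
            if (!hits.hasMore()) return null;
            String userDn = hits.next().getNameInNamespace(); // e.g. CN=mann\, ed,OU=IL,OU=Users,OU=User Accounts,...
            if (hits.hasMore()) return null; // ambiguous login name: refuse rather than guess an entry
            try { bind(userDn, password).close(); return userDn; } // bind as the DN the directory returned
            catch (AuthenticationException e) { return null; }
        } finally { ctx.close(); }
    }
}
```

Because the DN comes back from the directory already in escaped form, a CN containing a comma (the PLINK-555 case) is passed to the bind unchanged rather than rebuilt by string concatenation.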