3 Replies Latest reply on Mar 4, 2002 8:19 AM by J. Wolfgang Kaltz

    LDAP nested users/roles

    ryan sonnek Newbie

      Has anyone out there dealt with setting up JBOSS to authenticate with nested roles? (eg. a base role that has as a member, another role)

      also, is there a way to preform a subtree search for users? (eg. users are placed in organizational groups, and then users are assigned to roles)

        • 1. Re: LDAP nested users/roles
          ryan sonnek Newbie

          to clarify a bit, here's the structure of the ldap we're going to be using:


          the divisions are organizationalGroups, and the groups are groupOfNames, the roles are groupOfUniqueNames.

          has anyone out there used something similar? i'm really questioning if JBOSS is using the full power of the LDAP. one of LDAP's greatest assests is the ability to nest users inside organizationalGroups and create a tree structure. It might be possible to write a custom Login Module, but it seems like this functionality is basic enough that other people MUST have done it.

          • 2. Re: LDAP nested users/roles
            ryan sonnek Newbie

            Sorry to sound so crazy, but has ANYONE out there done subtree searches?? With either user's stored in different organizational groups, or with roles stored in organizational groups!? this seems ludicrous that there is no one out there that has gone through this.

            • 3. Re: LDAP nested users/roles
              J. Wolfgang Kaltz Novice

              My 2 euro-cents:
              the EJB specification knows only roles, not nested roles. More precisely, it only supports asking whether a user is in a specific role or not - there is no concept of nested roles.

              For our ldap authentication, I have written a custom LoginModule, for the following reason : the analysts cannot decide how they want to represent roles in ldap. Therefore I want to have maximum flexibility, knowing that the role representation can change any minute. In your custom login module, you have full control of the getRoles() code for a given user and this is reassuring. As far as I can tell, there is no "official" way in LDAP to represent user roles, so it seems impossible for the JBoss LDAPLoginModule to provide for all possibilities in any case.