To clarify a bit, here's the structure of the LDAP we're going to be using:
The divisions are organizationalGroups, the groups are groupOfNames, and the roles are groupOfUniqueNames.
Has anyone out there used something similar? I'm really questioning if JBoss is using the full power of LDAP. One of LDAP's greatest assets is the ability to nest users inside organizationalGroups and create a tree structure. It might be possible to write a custom Login Module, but it seems like this functionality is basic enough that other people MUST have done it.
Sorry to sound so crazy, but has ANYONE out there done subtree searches?? With either users stored in different organizational groups, or with roles stored in organizational groups!? It seems ludicrous that there is no one out there that has gone through this.
My 2 euro-cents:
The EJB specification knows only roles, not nested roles. More precisely, it only supports asking whether a user is in a specific role or not; there is no concept of nested roles.
For our LDAP authentication, I have written a custom LoginModule, for the following reason: the analysts cannot decide how they want to represent roles in LDAP. Therefore I want to have maximum flexibility, knowing that the role representation can change any minute. In your custom login module, you have full control of the getRoles() code for a given user, and this is reassuring. As far as I can tell, there is no "official" way in LDAP to represent user roles, so it seems impossible for the JBoss LDAPLoginModule to provide for all possibilities in any case.
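As an added example (not code from either poster, nor from JBoss), here is the kind of role resolution a custom LoginModule's getRoles() could perform over the tree described above: a subtree lookup of the user's DN regardless of which organizational unit holds it, then expansion of nested groupOfNames/groupOfUniqueNames membership into the flat role set EJB expects. The in-memory directory, its DNs and the MAX_DEPTH bound are constructed assumptions standing in for the real server searches.

```python
# Added example, not code from the thread: flatten nested LDAP group membership
# into flat EJB roles. DIRECTORY is a constructed stand-in for the LDAP tree.
from typing import Dict, List, Set

# Constructed directory: lower-cased DN -> attributes.
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "uid=alice,ou=engineering,ou=people,dc=example,dc=com": {
        "objectClass": ["inetOrgPerson"], "uid": ["alice"]},
    "uid=bob,ou=sales,ou=people,dc=example,dc=com": {
        "objectClass": ["inetOrgPerson"], "uid": ["bob"]},
    # Groups are groupOfNames (attribute "member").
    "cn=developers,ou=groups,dc=example,dc=com": {
        "objectClass": ["groupOfNames"],
        "member": ["uid=alice,ou=engineering,ou=people,dc=example,dc=com"]},
    # Roles are groupOfUniqueNames (attribute "uniqueMember"); a role may
    # contain a whole group, which is the nesting EJB cannot express itself.
    "cn=deployer,ou=roles,dc=example,dc=com": {
        "objectClass": ["groupOfUniqueNames"],
        "uniqueMember": ["cn=developers,ou=groups,dc=example,dc=com"]},
    "cn=admin,ou=roles,dc=example,dc=com": {
        "objectClass": ["groupOfUniqueNames"],
        "uniqueMember": ["cn=deployer,ou=roles,dc=example,dc=com",
                         "cn=admin,ou=roles,dc=example,dc=com"]},  # cycle
}
MEMBER_ATTRS = ("member", "uniqueMember")
MAX_DEPTH = 10  # assumed bound: a cyclic or very deep group graph must not hang login

def find_user_dn(uid: str, base: str) -> str:
    """Subtree search: find the one entry with this uid anywhere under base."""
    matches = [dn for dn, attrs in DIRECTORY.items()
               if dn.endswith("," + base.lower()) and uid in attrs.get("uid", [])]
    if len(matches) != 1:
        raise LookupError(f"expected exactly one entry for uid={uid}, found {len(matches)}")
    return matches[0]

def groups_containing(dn: str) -> Set[str]:
    """Groups or roles whose member/uniqueMember attribute lists dn."""
    return {g for g, attrs in DIRECTORY.items()
            if any(dn in attrs.get(a, []) for a in MEMBER_ATTRS)}

def get_roles(uid: str, base: str = "dc=example,dc=com") -> Set[str]:
    """Flat role names for uid, nested groups expanded, cycles ignored."""
    frontier = {find_user_dn(uid, base)}
    seen: Set[str] = set()
    for _ in range(MAX_DEPTH):  # breadth-first walk up the membership graph
        frontier = {g for dn in frontier for g in groups_containing(dn)} - seen
        if not frontier:
            break
        seen |= frontier
    return {dn.split(",")[0].split("=", 1)[1] for dn in seen
            if "groupOfUniqueNames" in DIRECTORY[dn]["objectClass"]}
```

The self-referencing admin role shows why the visited set and depth bound matter: without them a single mis-edited group entry would turn every login into an endless walk.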