3 Replies Latest reply on Aug 8, 2002 1:20 PM by Uday Kamath

    ldap security,any help appreciated

    Uday Kamath Newbie

      Hi on the iPlanet directory server i added users in ou=People and added a group in the ou=Groups. Then added the user in teh memeber of the Groups and my auth.conf looks like
      OMSLDAP {
      org.jboss.security.plugins.samples.LdapLoginModule required
      java.naming.factory.initial="com.sun.jndi.ldap.LdapCtxFactory"
      principalDNPrefix="uid="
      principalDNSuffix=",ou=People,dc=eidea,dc=com"
      rolesCtxDN="ou=Groups,dc=eidea,dc=com"
      roleAttributeID="cn"
      uidAttributeID="uniquemember"
      java.naming.provider.url="ldap://ares.eidea.com:389/"
      java.naming.security.authentication="simple"
      matchOnUserDN=true
      ;
      };

      yet when i run i get this error
      [OM] Logging into LDAP server, env={java.naming.factory.initial=
      com.sun.jndi.ldap.LdapCtxFactory, principalDNPrefix=uid=, java.naming.security.p
      rincipal=uid=UKamath,ou=People,dc=eidea,dc=com, roleAttributeID=cn, matchOnUserD
      N=true, principalDNSuffix=,ou=People,dc=eidea,dc=com, rolesCtxDN=ou=Groups,dc=ei
      dea,dc=com, java.naming.provider.url=ldap://ares.eidea.com:389/, uidAttributeID=
      uniquemember, java.naming.security.authentication=simple, java.naming.security.c
      redentials=kamath}
      [OM] Logged into LDAP server, javax.naming.ldap.InitialLdapConte
      xt@6c9f0f
      [OM] Insufficient method permissions, principal=UKamath, method=
      create, requiredRoles=[omsuser]

      Has anyone faced this problem...please share if u know the problem
      Thanks
      Uday

        • 1. Re: ldap security,any help appreciated
          J. Wolfgang Kaltz Novice

          > yet when i run i get this error
          (...)
          > [OM] Insufficient method permissions,
          > principal=UKamath, method=
          > create, requiredRoles=[omsuser]

          You don't provide much information (such as, what is it you are trying to run), but judging from the error message, my best guess is :
          you're calling ejb create(), and you deployed the ejb with security constraints specifying that its methods (or at least its create method) requires the user to be in the role omsuser. And the user who is logging in is not in that role.

          • 2. Re: ldap security,any help appreciated
            Uday Kamath Newbie

            Thanks for your reply on Jboss, i ma writing the mail to your accoutn as i found no one replies except some pople like you, so please i would be obliged if you spend 2 minutes and see if i am doing something wrong.
            1. My Server is Jboss(2.2.2, not 3.0 because of soem transaction problems and not 2.4.* becuase of classloader problems between mbeans and deployed beans) and my directory is
            iPlane 5.1
            2. I ahve my directory structure as
            com
            eidea
            ou=People
            cn=UKamath

            ou=Groups
            cn=omsuser
            uniquemember=UKamath
            I added allthis using iPlanet console.

            3. My auth.conf looks like

            OMSLDAP {
            org.jboss.security.plugins.samples.LdapLoginModule required
            java.naming.factory.initial="com.sun.jndi.ldap.LdapCtxFactory"
            principalDNPrefix="uid="
            principalDNSuffix=",ou=People,dc=eidea,dc=com"
            rolesCtxDN="ou=Groups,dc=eidea,dc=com"
            roleAttributeID="cn"
            uidAttributeID="uniquemember"
            java.naming.provider.url="ldap://ares.eidea.com:389/"
            java.naming.security.authentication="simple"
            matchOnUserDN=true
            unauthenticatedIdentity="nobody"
            ;
            };

            4. My ejb is a session bean with one method (for testing) needing security at create and at the method and the role is "omsuser".

            5. When i login at client using CLientLoginModule giving userid (UKamath) and password, the server says the user doesn't have the role of omsuser.

            6. Either i am not setting the directory with right stuff or my auth.conf needs a small change as it logs on but no role mapping?

            Please help
            Uday

            • 3. I figured it out
              Uday Kamath Newbie

              I wrote my own custom ldap login module to do that and was sucessful..
              UDay