3 Replies Latest reply on Jun 17, 2003 6:37 PM by amishguy

    LDAP sub queries with LdapLoginModule

    amishguy Newbie

      Hi there,

      I was wondering if it is possible to do LDAP subqueries
      when using LDAP authentication with JBoss?

      In my case, Users has several subgroups like "Marketing", "Sales", "Business Development", etc. Actual account names are defined within these subgroups, so I want the query to search within all of them for the specified user. I know I can get around this by 'flattening' my LDAP schema (getting rid of the subgroups), but I'd rather not.

      My login-config.xml has an entry similar to the following. Note the full LDAP query should be something like:

      ou=Users,dc=corp,dc=foo,dc=com??sub?(cn=Amish Guy)

      I've been able to get LDAP authentication working, thanks to this forum, but only if I make the query specific to a subgroup (i.e. add in an ou=Marketing). Currently I'm using objectClass=user as the role, but I'll be changing this shortly.

      Thanks for everyone's help so far! :)

      <application-policy name = "myApp">

      <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag = "required" >
      <module-option name = "java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
      <module-option name = "java.naming.provider.url">ldap://ldapHost:389/</module-option>
      <module-option name = "java.naming.security.authentication">simple</module-option>
      <module-option name = "principalDNPrefix">ou=Users,dc=corp,dc=foo,dc=com??sub?(cn=</module-option>
      <module-option name = "principalDNSuffix">)</module-option>
      <module-option name = "uidAttributeID">cn</module-option>
      <module-option name = "uidAttributeName">name</module-option>
      <module-option name = "rolesCtxDN">ou=Users,dc=corp,dc=foo,dc=com</module-option>
      <module-option name = "roleAttributeID">objectClass</module-option>
      </login-module>

      </application-policy>
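What the post is asking for is the search-then-bind pattern: bind with a read-only service account, run a subtree search under ou=Users for the cn, then bind again as the DN that came back. The LdapLoginModule configured above does not search; it builds the bind DN by concatenating principalDNPrefix, the username and principalDNSuffix, so the "??sub?" URL in principalDNPrefix is never evaluated as a query (later JBoss releases ship LdapExtLoginModule, with baseCtxDN, baseFilter and bindDN options, for exactly this pattern). The following is an added example, not code from the post or from JBoss, showing the same two steps with plain JNDI. The provider URL, search base and the cn "Amish Guy" are taken from the post; the service-account DN, its password environment variable and the class name are assumptions.

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

/** Search-then-bind against the ou=Users subtree described in the post. Added example, not JBoss code. */
public class SubtreeSearchThenBind {
    // From the post: the server and the container holding the Marketing/Sales/... subgroups.
    private static final String PROVIDER_URL = "ldap://ldapHost:389/";
    private static final String SEARCH_BASE = "ou=Users,dc=corp,dc=foo,dc=com";
    // Assumed: a low-privilege service account that may only read under ou=Users.
    private static final String SERVICE_DN = "cn=jboss-bind,ou=Service Accounts,dc=corp,dc=foo,dc=com";
    private static final String SERVICE_PW = System.getenv("LDAP_BIND_PW");   // assumed variable name

    /** Opens a connection and performs a simple bind as the given DN; throws if the bind fails. */
    static DirContext bind(String dn, char[] password) throws NamingException {
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, PROVIDER_URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, dn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        return new InitialDirContext(env);                  // the bind happens here
    }

    /**
     * Subtree search for cn=<username> under SEARCH_BASE, i.e. the "??sub?(cn=...)" from the post.
     * Returns the entry's DN, or null if no entry or more than one entry matches.
     */
    static String findUserDn(DirContext ctx, String username) throws NamingException {
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.SUBTREE_SCOPE);   // descend into Marketing, Sales, ...
        sc.setReturningAttributes(new String[0]);           // only the DN is needed
        // {0} is escaped by JNDI per RFC 4515. Building "(cn=" + username + ")" by hand would let
        // "*" or ")(" in the username rewrite the filter (LDAP injection).
        NamingEnumeration<SearchResult> results =
                ctx.search(SEARCH_BASE, "(cn={0})", new Object[]{username}, sc);
        try {
            if (!results.hasMore()) {
                return null;                                // unknown user
            }
            String dn = results.next().getNameInNamespace();
            if (results.hasMore()) {
                return null;                                // same cn in two subgroups: refuse, do not guess
            }
            return dn;
        } finally {
            results.close();
        }
    }

    /** True only if the user exists exactly once under ou=Users and the password binds as that DN. */
    static boolean authenticate(String username, char[] password) {
        // An empty password is sent as an unauthenticated bind, which most servers accept without
        // checking anything, so reject it before touching the directory.
        if (username == null || username.isEmpty() || password == null || password.length == 0) {
            return false;
        }
        if (SERVICE_PW == null) {
            throw new IllegalStateException("LDAP_BIND_PW is not set");
        }
        DirContext service = null;
        DirContext user = null;
        try {
            service = bind(SERVICE_DN, SERVICE_PW.toCharArray());
            String dn = findUserDn(service, username);
            if (dn == null) {
                return false;
            }
            user = bind(dn, password);                      // the real credential check
            return true;
        } catch (NamingException e) {
            return false;                                   // wrong password, unreachable server, ...
        } finally {
            closeQuietly(user);
            closeQuietly(service);
        }
    }

    private static void closeQuietly(DirContext ctx) {
        if (ctx != null) {
            try { ctx.close(); } catch (NamingException ignored) { }
        }
    }

    public static void main(String[] args) {
        boolean ok = authenticate("Amish Guy", "secret".toCharArray());   // the cn from the post
        System.out.println(ok ? "authenticated" : "rejected");
    }
}
```

Two points to check before relying on this in production: the service account must be able to read entries under every subgroup it is expected to find users in, and the search must reject ambiguous results, since the same cn in "Marketing" and "Sales" would otherwise let whichever entry the server returns first be the one whose password is checked.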