2 Replies Latest reply on Mar 15, 2004 7:22 AM by cane74

    Help - can't access user roles in LDAP

    cane74 Newbie

      Hi.

      I have configured JBoss to authenticate users against an LDAP directory. Users are authenticated properly, but their roles aren't mirrored in JBoss. I have tried many configurations in login-config.xml, but it still doesn't work. server.log contains the following entries after a user logs in:

      2004-03-12 16:44:20,953 TRACE [org.jboss.security.auth.spi.LdapLoginModule] Logged into LDAP server, javax.naming.ldap.InitialLdapContext@ef9d00
      2004-03-12 16:44:20,968 TRACE [org.jboss.security.auth.spi.LdapLoginModule] User 'fsmith' authenticated, loginOk=true
      2004-03-12 16:44:20,968 TRACE [org.jboss.security.auth.spi.LdapLoginModule] commit, loginOk=true
      2004-03-12 16:44:20,968 TRACE [org.jboss.security.plugins.JaasSecurityManager.iqweb] updateCache, subject=Subject:
       Principal: fsmith
       Principal: Roles(members)
      


      Below are the relevant parts of the LDAP schema and login-config.xml. Thanks for any suggestions.

      Best regards,
      Bart

      login-config.xml:

       <application-policy name="iqweb">
       <authentication>
       <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">
       <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
       <module-option name="java.naming.provider.url">ldap://magnat/</module-option>
       <module-option name="java.naming.security.authentication">simple</module-option>
       <module-option name="principalDNPrefix">uid=</module-option>
       <module-option name="principalDNSuffix">,ou=People,dc=iqtech,dc=pl</module-option>
       <module-option name="rolesCtxDN">ou=Roles,dc=iqtech,dc=pl</module-option>
       <module-option name="matchOnUserDN">true</module-option> <!-- false also doesn't work -->
       <module-option name="uidAttributeID">uniqueMember</module-option>
       <module-option name="roleAttributeID">cn</module-option>
       </login-module>
       </authentication>
       </application-policy>
      



      LDAP ldif:

      # OU DEFINITIONS
      # People OU - for holding records of all individuals
      dn: ou=People,dc=iqtech,dc=pl
      ou: People
      objectClass: top
      objectClass: organizationalUnit
      
      # Groups OU - for holding records of groupings of individuals
      dn: ou=Groups,dc=iqtech,dc=pl
      ou: Groups
      objectClass: top
      objectClass: organizationalUnit
      
      # Roles OU - for holding records of roles and the groups to which those roles have been assigned
      dn: ou=Roles,dc=iqtech,dc=pl
      ou: Roles
      objectClass: top
      objectClass: organizationalUnit
      
      # PEOPLE ENTRIES
      dn: uid=lrussell,ou=People,dc=iqtech,dc=pl
      objectClass: top
      objectClass: person
      objectClass: organizationalPerson
      objectClass: inetOrgPerson
      sn: Russell
      cn: Luc
      uid: lrussell
      userpassword: fgCPCzLOHJSRIhLb756rLfe8E7Y=
      mail: lrussell@sample.com
      
      dn: uid=jbloggs,ou=People,dc=iqtech,dc=pl
      objectClass: top
      objectClass: person
      objectClass: organizationalPerson
      objectClass: inetOrgPerson
      sn: Bloggs
      cn: Joe
      uid: jbloggs
      userpassword: no3XJAZeeb9AKbGNY65/masWpZE=
      mail: jbloggs@sample.com
      
      dn: uid=fsmith,ou=People,dc=iqtech,dc=pl
      objectClass: top
      objectClass: person
      objectClass: organizationalPerson
      objectClass: inetOrgPerson
      sn: Smith
      cn: Fred
      uid: fsmith
      userpassword: kSgNNHCC/WXSjWH3s11BQNE6cKE=
      mail: fsmith@sample.com
      
      
      # GROUPS ENTRIES
      dn: cn=Users,ou=Groups,dc=iqtech,dc=pl
      objectClass: top
      objectClass: groupOfUniqueNames
      cn: Users
      uniqueMember: uid=jbloggs,ou=People,dc=iqtech,dc=pl
      uniqueMember: uid=fsmith,ou=People,dc=iqtech,dc=pl
      
      dn: cn=Member_admins,ou=Groups,dc=iqtech,dc=pl
      objectClass: top
      objectClass: groupOfUniqueNames
      cn: Member_admins
      uniqueMember: uid=lrussell,ou=People,dc=iqtech,dc=pl
      
      dn: cn=Everyone,ou=Groups,dc=iqtech,dc=pl
      objectClass: top
      objectClass: groupOfUniqueNames
      cn: Everyone
      uniqueMember: uid=jbloggs,ou=People,dc=iqtech,dc=pl
      uniqueMember: uid=fsmith,ou=People,dc=iqtech,dc=pl
      uniqueMember: uid=lrussell,ou=People,dc=iqtech,dc=pl
      
      # ROLES ENTRIES
      dn: cn=Authenticated_users,ou=Roles,dc=iqtech,dc=pl
      objectClass: top
      objectClass: groupOfUniqueNames
      cn: Authenticated_users
      uniqueMember: cn=Everyone,ou=Groups,dc=iqtech,dc=pl
      
      dn: cn=Member_admin,ou=Roles,dc=iqtech,dc=pl
      objectClass: top
      objectClass: groupOfUniqueNames
      cn: Member_admin
      uniqueMember: cn=Member_admins,ou=Groups,dc=iqtech,dc=pl
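
The script below is an added example, not code from the original post and not JBoss's own LdapLoginModule; it replays the role lookup that the posted module options describe (rolesCtxDN, uidAttributeID, roleAttributeID, matchOnUserDN) against the posted LDIF. The model it uses is an assumption drawn from those option names: the module searches the rolesCtxDN subtree for entries whose uidAttributeID attribute equals the authenticated user's DN (or bare username when matchOnUserDN=false) and takes the roleAttributeID value of each hit as a role name. The LDIF is constructed from the post with the userpassword and mail lines dropped; the function names are mine.

```python
"""Replay the LdapLoginModule role lookup against the posted directory tree.

Assumed model (not verified against JBoss source): one search under
rolesCtxDN for entries with uidAttributeID == user DN, then read
roleAttributeID from each hit.  Everything here is an added example.
"""
from collections import defaultdict

# Constructed from the LDIF in the post; passwords and mail omitted.
LDIF = """
dn: uid=lrussell,ou=People,dc=iqtech,dc=pl
uid: lrussell

dn: uid=jbloggs,ou=People,dc=iqtech,dc=pl
uid: jbloggs

dn: uid=fsmith,ou=People,dc=iqtech,dc=pl
uid: fsmith

dn: cn=Users,ou=Groups,dc=iqtech,dc=pl
cn: Users
uniqueMember: uid=jbloggs,ou=People,dc=iqtech,dc=pl
uniqueMember: uid=fsmith,ou=People,dc=iqtech,dc=pl

dn: cn=Member_admins,ou=Groups,dc=iqtech,dc=pl
cn: Member_admins
uniqueMember: uid=lrussell,ou=People,dc=iqtech,dc=pl

dn: cn=Everyone,ou=Groups,dc=iqtech,dc=pl
cn: Everyone
uniqueMember: uid=jbloggs,ou=People,dc=iqtech,dc=pl
uniqueMember: uid=fsmith,ou=People,dc=iqtech,dc=pl
uniqueMember: uid=lrussell,ou=People,dc=iqtech,dc=pl

dn: cn=Authenticated_users,ou=Roles,dc=iqtech,dc=pl
cn: Authenticated_users
uniqueMember: cn=Everyone,ou=Groups,dc=iqtech,dc=pl

dn: cn=Member_admin,ou=Roles,dc=iqtech,dc=pl
cn: Member_admin
uniqueMember: cn=Member_admins,ou=Groups,dc=iqtech,dc=pl
"""

PEOPLE = "ou=People,dc=iqtech,dc=pl"
GROUPS = "ou=Groups,dc=iqtech,dc=pl"
ROLES = "ou=Roles,dc=iqtech,dc=pl"


def parse_ldif(text):
    """Minimal LDIF reader: {dn: {attr(lowercase): [values]}}. No line folding."""
    entries, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            current = None          # blank line ends an entry
            continue
        attr, _, value = line.partition(": ")
        if attr.lower() == "dn":
            current = entries.setdefault(value, defaultdict(list))
        else:
            current[attr.lower()].append(value)
    return entries


def search(entries, base_dn, attr, value):
    """Subtree search: DNs under base_dn whose attr contains value (exact match)."""
    suffix = "," + base_dn.lower()
    return [dn for dn, attrs in entries.items()
            if dn.lower().endswith(suffix) and value in attrs.get(attr.lower(), [])]


def roles_direct(entries, match_value, roles_ctx, uid_attr="uniqueMember", role_attr="cn"):
    """The assumed one-hop lookup: match_value is the user DN (matchOnUserDN=true)
    or the bare username (matchOnUserDN=false); returns roleAttributeID values."""
    roles = set()
    for dn in search(entries, roles_ctx, uid_attr, match_value):
        roles.update(entries[dn][role_attr.lower()])
    return roles


def roles_via_groups(entries, user_dn, groups_ctx, roles_ctx,
                     uid_attr="uniqueMember", role_attr="cn"):
    """Two hops, which the posted tree needs: user DN -> groups that list it ->
    role entries that list those group DNs."""
    roles = set()
    for group_dn in search(entries, groups_ctx, uid_attr, user_dn):
        roles |= roles_direct(entries, group_dn, roles_ctx, uid_attr, role_attr)
    return roles


if __name__ == "__main__":
    tree = parse_ldif(LDIF)
    fsmith = "uid=fsmith," + PEOPLE
    print("one hop, user DN :", roles_direct(tree, fsmith, ROLES))
    print("one hop, username:", roles_direct(tree, "fsmith", ROLES))
    print("two hops         :", roles_via_groups(tree, fsmith, GROUPS, ROLES))
```

Run against the posted tree, the one-hop lookup returns an empty set for fsmith whichever way matchOnUserDN is set, because no entry under ou=Roles has a uniqueMember equal to a user DN or a username; the only uniqueMember values there are group DNs. That is consistent with the log line showing the Roles group with no members. Only the two-hop resolution (user to group to role) yields Authenticated_users for fsmith, and Member_admin plus Authenticated_users for lrussell. If the module in use performs only the single search the option names describe (my assumption here), the fix is either to list user DNs directly as uniqueMember values on the ou=Roles entries, or to point rolesCtxDN at ou=Groups and treat the group cn as the role name; verify the actual search the module issues by enabling TRACE on the LDAP server side or with an ldapsearch using the same filter before changing the tree.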