1 Reply Latest reply on Mar 31, 2004 8:16 PM by Scott Stark

    again a problem with LdapLoginModule

    Frédéric Augé Newbie

      Hi,

      I searched in the forum, and found things, but never all the correct information somewhere. I also read the jaas-howto, but not much about ldap.
      Well, it's been 2 days, and I can't get the roles for my users!

      First, the ldap structure:
      This is the Tomcat sample schema which is exactly the structure I have here.

      dc=mycompany,dc=com
      |_
       ou=people
       |_
       uid=user1
       |_
       uid=user2
      |_
       ou=groups
       |_
       cn=role1
       uniqueMember=uid=user1,ou=people,dc=mycompany,dc=com
       uniqueMember=uid=user2,ou=people,dc=mycompany,dc=com
       |_
       cn=role2
       uniqueMember=uid=user2,ou=people,dc=mycompany,dc=com
      


      I can authenticate users (on openldap), but they never have their roles...
      I'm sure about my ldap, it works nicely with Tomcat.

      Here is my config:
      <application-policy name="sicliRealm">
        <authentication>
          <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">
            <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
            <module-option name="java.naming.provider.url">ldap://localhost:389/</module-option>
            <module-option name="java.naming.security.authentication">simple</module-option>
            <module-option name="principalDNPrefix">uid=</module-option>
            <module-option name="principalDNSuffix">,ou=people,dc=mycompany,dc=com</module-option>
            <module-option name="rolesCtxDN">ou=groups,dc=mycompany,dc=com</module-option>
            <module-option name="uidAttributeID">uniqueMember</module-option>
            <module-option name="roleAttributeID">cn</module-option>
            <module-option name="matchOnUserDN">false</module-option>
          </login-module>
        </authentication>
      </application-policy>


      I tried so many combinations, but never had any roles on a user.
      So my first question is, what's wrong? How should I set up the LdapLoginModule?

      My second problem is with Oracle OID, it needs authentication before any ldap access.
      I tried these properties (found somewhere in the forum) but nothing changed:
      <module-option name="java.naming.security.principal">uid=user1,ou=people,dc=mycompany,dc=com</module-option>
      <module-option name="java.naming.security.credentials">user1Pass</module-option>
      


      How do I get authenticated?

      Thanks a lot,
      Frederic


        • 1. Re: again a problem with LdapLoginModule
          Scott Stark Master

          The LdapLoginModule does not support your roles schema. It expects a schema like the following:

          dc=mycompany,dc=com
          |_
           ou=people
           |_
           uid=user1
           |_
           uid=user2
          |_
           ou=groups
           |_
           uniqueMember=uid=user1,ou=people,dc=mycompany,dc=com
           +role=role11,role=role12
           |_
           uniqueMember=uid=user2,ou=people,dc=mycompany,dc=com
           +role=role21,role=role22
          


          Write your own variation that changes the ldap query for the roles.
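A sketch of such a variation for the group-based schema in the question, added here as an example and not JBoss's own LdapLoginModule code: it searches ou=groups for entries whose uniqueMember holds the user's full DN and collects their cn values. The class name, the read-only service account DN and its password are placeholders; the environment keys are the ones from the question.

```java
import java.util.ArrayList;
import java.util.Hashtable;
import java.util.List;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

/** Role lookup for a Tomcat-style "group entries with uniqueMember" schema (hypothetical helper). */
public class GroupRoleLookup {

    public static List<String> rolesForUser(String userDN) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put("java.naming.factory.initial", "com.sun.jndi.ldap.LdapCtxFactory");
        env.put("java.naming.provider.url", "ldap://localhost:389/");
        env.put("java.naming.security.authentication", "simple");
        // Directories that refuse anonymous reads (the OID case in the question) need a bind
        // identity for the role search: a read-only service account, never the end user's
        // password. Both values below are placeholders.
        env.put("java.naming.security.principal", "cn=ROLE_READER_PLACEHOLDER,dc=mycompany,dc=com");
        env.put("java.naming.security.credentials", "PLACEHOLDER_PASSWORD");

        DirContext ctx = new InitialDirContext(env);
        List<String> roles = new ArrayList<>();
        try {
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.ONELEVEL_SCOPE);
            sc.setReturningAttributes(new String[] {"cn"});
            // Match groups whose uniqueMember lists this user's DN. Passing the DN as a
            // {0} filter argument lets JNDI escape it, so special characters in a user
            // name cannot rewrite the filter.
            NamingEnumeration<SearchResult> results = ctx.search(
                "ou=groups,dc=mycompany,dc=com", "(uniqueMember={0})", new Object[] {userDN}, sc);
            while (results.hasMore()) {
                Attribute cn = results.next().getAttributes().get("cn");
                if (cn != null) {
                    roles.add((String) cn.get());
                }
            }
        } finally {
            ctx.close();
        }
        return roles;
    }

    public static void main(String[] args) throws NamingException {
        // Per the schema in the question, user2 is a uniqueMember of role1 and role2.
        System.out.println(rolesForUser("uid=user2,ou=people,dc=mycompany,dc=com"));
    }
}
```

In a custom login module this search would replace the module's own role query; each returned cn becomes a role principal in the Roles group.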