3 Replies Latest reply on Aug 2, 2004 10:03 AM by Conor

    LdapLoginModule - How to support this ldap user schema?

    Conor Newbie

      Hi there,
      Here is my structure for users in my ldap server:

      o=mycompany
      |_
      ou=AD
      |_
      cn=user1
      |_
      cn=user2
      |_
      ou=IT
      |_
      cn=user1
      |_
      cn=user2
      |_
      etc.....

      Notice that the ou is the same as the iso country name codes (i.e. AD=Andorra, IT=Italy). When using tomcat, this realm works

      for me:



      As you can see, I can do a user search for this user across numerous ou's (i.e. userSearch="(cn={0})"). However, I do not know how to do the equivalent in jboss. Here's is my configuration so far in jboss, login-config.xml:

      <application-policy name="jmx-console">

      <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">
      <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
      <module-option

      name="java.naming.provider.url">ldap://ldap.server.dns.name:ldap.server.dns.portNumber</module-option>
      <module-option name="java.naming.security.authentication">simple</module-option>
      <module-option name="principalDNPrefix">cn=</module-option>
      <module-option name="principalDNSuffix">,ou=AD,o=mycompany</module-option>
      <module-option name="matchOnUserDN">true</module-option>
      <!-- Don't have to worry about roles yet! -->
      <!--module-option name="rolesCtxDN">doLater</module-option>
      <module-option name="uidAttributeID">member</module-option>
      <module-option name="roleAttributeID">cn</module-option>
      <module-option name="hashAlgorithm">MD5</module-option-->
      </login-module>

      </application-policy>

      This works fine if the user is in the ou of AD, but not for users in the ou of IT :(. Does anyone know if I can do the above? Is my user schema supported by LdapLoginModule or will I have to write my own variation? If the former, how can I configure login-config.xml to do the same as I'm doing for tomcat?

      Any help/pointers appreciated, am sure I'm not the only one that has users spread across numerous ou's, not just one ou.
      Best,
      Conor