3 Replies Latest reply on Aug 30, 2004 11:37 AM by zparticle

    [LdapLoginModule] Problem when principalDNSuffix = rolesCtxD


      I have to authenticate and authorize users against the following LDAP schema:

      o=myCorp,c=DE ---
       ---> ou=Users,... ---
       ---> uid=joedev...
       uid: uid=joedev,ou=Users,...
       realName: Joe Develop
       memberOf: role1
       memberOf: role2
       userPassword: xZ...jk=

      What makes this different from the example configuration to be found in AdminDevel_323.pdf - which I have been studying inside out - is that a user's roles are stored in the same node as the user himself.

      My realm definition thus far is

      <login-module code = "org.jboss.security.auth.spi.LdapLoginModule" flag = "required">
       <module-option name = "java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
       <module-option name = "java.naming.security.authentication">simple</module-option>
       <module-option name = "java.naming.provider.url">ldap://localhost:389/</module-option>
       <module-option name = "principalDNPrefix">uid=</module-option>
       <module-option name = "principalDNSuffix">,ou=Users,o=myCorp,c=DE</module-option>
       <module-option name = "uidAttributeID">uid</module-option>
       <module-option name = "matchOnUserDN">false</module-option>
       <module-option name = "allowEmptyPasswords">false</module-option>
       <module-option name = "hashAlgorithm">SHA-1</module-option>
       <module-option name = "hashCharset">UTF-8</module-option>
       <module-option name = "hashEncoding">base64</module-option>
       <module-option name = "rolesCtxDN">ou=Users,o=myCorp,c=DE</module-option>
       <module-option name = "roleAttributeID">memberOf</module-option>

      Using this config under JBoss 3.2.1 I succeeded in authenticating user joedev, but failed to assert his roles role1, role2, ... . I have been studying the source code for LdapLoginModule and have tracing for org.jboss.security enabled, so I know that my module-options are passed in as intended. Still JBoss fails to find the roles stored in the memberOf attribute. Any help would be greatly appreciated.

      On a different note: studying the LdapLoginModule source I notice that for the roles search to succeed at all the value of the uidAttributeId attribute (uid) must be the authenticated user's full DN (principalDNPrefix + joedev + principalDNSuffix), NOT just his username (joedev) as I would have expected. Is this behaviour intended?


      Olaf Bergner