1 Reply Latest reply on Mar 17, 2005 6:39 AM by k erneljack

    authenticating to LDAP on an Apple Xserve?

    k erneljack Newbie

      Hi, I'm currently using JBoss-2.4.4 and am trying to log in to the LDAP server on an Apple XServe machine. I'm a newcomer to LDAP and I don't understand what I'm doing wrong.

      I'm using the org.jboss.security.ClientLoginModule on the client side to login, and on the server side I have defined the following in auth.conf:

      myldap {
      org.jboss.security.auth.spi.LdapLoginModule required
      java.naming.factory.initial="com.sun.jndi.ldap.LdapCtxFactory"
      java.naming.provider.url="ldap://192.168.2.25:389"
      java.naming.security.authentication="simple"
      principalDNPrefix="uid="
      principalDNSuffix=",cn=users,dc=localdomain"
      matchOnUserDN="true"
      rolesCtxDN="cn=groups,dc=localdomain"
      roleAttributeName="memberUid="
      roleAttributeIsDN="false"
      ;
      };

      I've tried many different combinations of these values and I think I have managed to log in with the principal, but roles are not working. I get the following error each time I try to log in:

      [ERROR,SecurityInterceptor] Insufficient method permissions, principal=admin2, method=create, requiredRoles=[Staff], principalRoles=[]

      This seems to suggest that my roles are not being mapped. I am attaching the 'users' and 'group' snippets of the Xserve's schema which I exported to LDIF:

      FOR the USERS:

      dn: cn=users, dc=localdomain
      objectClass: container
      cn: users

      dn: uid=admin2, cn=users, dc=localdomain
      apple-user-homeurl: <home_dir>afp://192.168.2.25/Usersadmin2
      </home_dir>
      apple-generateduid: 964B2758-6896-11D9-81D5-000393BB05EC
      sn: 99
      userPassword:: xxxxxxxxx
      loginShell: /bin/bash
      uidNumber: 1025
      gidNumber: 20
      authAuthority: ;ApplePasswordServer; xxxxxxxxxx root@server.localdomain:192.168.2.25
      objectClass: inetOrgPerson
      objectClass: posixAccount
      objectClass: shadowAccount
      objectClass: apple-user
      objectClass: extensibleObject
      objectClass: organizationalPerson
      objectClass: top
      objectClass: person
      uid: admin2
      cn: admin2
      homeDirectory: /Users/admin2


      FOR the GROUPS:

      dn: cn=groups, dc=localdomain
      objectClass: container
      cn: groups

      dn: cn=clientservices, cn=groups, dc=localdomain
      gidNumber: 1025
      memberUid: someone
      memberUid: admin2
      apple-group-realname: clientservices
      apple-generateduid: A5D8329C-6897-11D9-81D5-000393BB05EC
      objectClass: posixGroup
      objectClass: apple-group
      objectClass: extensibleObject
      objectClass: top
      cn: clientservices

      As you can see from the Exception, I am trying to log in as 'admin2' and 'admin2' is a member of the 'clientservices' group, however, it does not seem to be able to find this mapping.

      I am also confused as to whether I should be 'authenticating' using this method, or can I merely create an InitialContext using the LDAP server from within my code, give it the credentials and login successfully? If I do this, I suppose I will lose the benefit of declarative security on the server side won't I? i.e. I think I will then have to manage method level permissions myself?

      Any help appreciated, thanks,

      Khusro

        • 1. Re: authenticating to LDAP on an Apple Xserve?
          k erneljack Newbie

          I think I solved it, I'm still using the ClientLoginModule on the client-side, and the following mapping seems to have solved it, I can now see the roles properly:

          myldap {
          org.jboss.security.auth.spi.LdapLoginModule required
          java.naming.factory.initial="com.sun.jndi.ldap.LdapCtxFactory"
          java.naming.provider.url="ldap://192.168.2.25:389"
          java.naming.security.authentication="simple"
          principalDNPrefix="uid="
          principalDNSuffix=",cn=users,dc=localdomain"
          //matchOnUserDN="true"
          uidAttributeID="memberUid"
          rolesCtxDN="cn=groups,dc=localdomain"
          roleAttributeID="cn"
          //roleAttributeIsDN="false"
          ;
          };