1 Reply Latest reply on Mar 17, 2005 6:39 AM by kerneljack

    authenticating to LDAP on an Apple Xserve?

    kerneljack

      Hi, I'm currently using JBoss-2.4.4 and am trying to log in to the LDAP server on an Apple XServe machine. I'm a newcomer to LDAP and I don't understand what I'm doing wrong.

      I'm using the org.jboss.security.ClientLoginModule on the client side to login, and on the server side I have defined the following in auth.conf:

      myldap {
      org.jboss.security.auth.spi.LdapLoginModule required
      java.naming.factory.initial="com.sun.jndi.ldap.LdapCtxFactory"
      java.naming.provider.url="ldap://192.168.2.25:389"
      java.naming.security.authentication="simple"
      principalDNPrefix="uid="
      principalDNSuffix=",cn=users,dc=localdomain"
      matchOnUserDN="true"
      rolesCtxDN="cn=groups,dc=localdomain"
      roleAttributeName="memberUid="
      roleAttributeIsDN="false"
      ;
      };

      I've tried many different combinations of these values and I think I have managed to log in with the principal, but roles are not working. I get the following error each time I try to log in:

      [ERROR,SecurityInterceptor] Insufficient method permissions, principal=admin2, method=create, requiredRoles=[Staff], principalRoles=[]

      This seems to suggest that my roles are not being mapped. I am attaching the 'users' and 'group' snippets of the Xserve's schema which I exported to LDIF:

      FOR the USERS:

      dn: cn=users, dc=localdomain
      objectClass: container
      cn: users

      dn: uid=admin2, cn=users, dc=localdomain
      apple-user-homeurl: <home_dir>afp://192.168.2.25/Usersadmin2
      </home_dir>
      apple-generateduid: 964B2758-6896-11D9-81D5-000393BB05EC
      sn: 99
      userPassword:: xxxxxxxxx
      loginShell: /bin/bash
      uidNumber: 1025
      gidNumber: 20
      authAuthority: ;ApplePasswordServer; xxxxxxxxxx root@server.localdomain:192.168.2.25
      objectClass: inetOrgPerson
      objectClass: posixAccount
      objectClass: shadowAccount
      objectClass: apple-user
      objectClass: extensibleObject
      objectClass: organizationalPerson
      objectClass: top
      objectClass: person
      uid: admin2
      cn: admin2
      homeDirectory: /Users/admin2


      FOR the GROUPS:

      dn: cn=groups, dc=localdomain
      objectClass: container
      cn: groups

      dn: cn=clientservices, cn=groups, dc=localdomain
      gidNumber: 1025
      memberUid: someone
      memberUid: admin2
      apple-group-realname: clientservices
      apple-generateduid: A5D8329C-6897-11D9-81D5-000393BB05EC
      objectClass: posixGroup
      objectClass: apple-group
      objectClass: extensibleObject
      objectClass: top
      cn: clientservices

      As you can see from the Exception, I am trying to log in as 'admin2', and 'admin2' is a member of the 'clientservices' group; however, it does not seem to be able to find this mapping.

      I am also confused as to whether I should be 'authenticating' using this method, or whether I can merely create an InitialContext using the LDAP server from within my code, give it the credentials and log in successfully. If I do this, I suppose I will lose the benefit of declarative security on the server side, won't I? I.e., I think I will then have to manage method-level permissions myself?

      Any help appreciated, thanks,

      Khusro

        • 1. Re: authenticating to LDAP on an Apple Xserve?
          kerneljack

          I think I solved it. I'm still using the ClientLoginModule on the client side, and the following mapping seems to have solved it; I can now see the roles properly:

          myldap {
          org.jboss.security.auth.spi.LdapLoginModule required
          java.naming.factory.initial="com.sun.jndi.ldap.LdapCtxFactory"
          java.naming.provider.url="ldap://192.168.2.25:389"
          java.naming.security.authentication="simple"
          principalDNPrefix="uid="
          principalDNSuffix=",cn=users,dc=localdomain"
          //matchOnUserDN="true"
          uidAttributeID="memberUid"
          rolesCtxDN="cn=groups,dc=localdomain"
          roleAttributeID="cn"
          //roleAttributeIsDN="false"
          ;
          };
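The difference between the two configurations above is easier to see by replaying the role search the login module performs. The following is an added example, not code from the thread or from JBoss: it parses a constructed LDIF trimmed from the entries posted above and emulates LdapLoginModule's role lookup as documented for JBoss 3.x (user DN = principalDNPrefix + username + principalDNSuffix; a one-level search under rolesCtxDN for (uidAttributeID=<username, or the full user DN when matchOnUserDN is true>); roleAttributeID read from each hit; defaults uid and roles). That these defaults also hold for 2.4.4, and that an unrecognised option such as roleAttributeName is simply ignored, are assumptions.

```python
"""Emulate JBoss LdapLoginModule role resolution against a constructed LDIF.

Added example. No JBoss or live LDAP server is involved; the search logic
follows the module's documented options (assumption: same in 2.4.4).
"""

# Constructed LDIF, trimmed to the attributes that matter for the lookup.
SAMPLE_LDIF = """\
dn: cn=users,dc=localdomain
objectClass: container
cn: users

dn: uid=admin2,cn=users,dc=localdomain
objectClass: posixAccount
uid: admin2
cn: admin2
gidNumber: 20

dn: cn=groups,dc=localdomain
objectClass: container
cn: groups

dn: cn=clientservices,cn=groups,dc=localdomain
objectClass: posixGroup
gidNumber: 1025
memberUid: someone
memberUid: admin2
cn: clientservices
"""


def normalize_dn(dn):
    """Strip whitespace around RDN separators: 'cn=users, dc=x' == 'cn=users,dc=x'."""
    return ",".join(part.strip() for part in dn.split(","))


def parse_ldif(text):
    """Return {dn: {attr: [values]}} for the simple (unfolded, non-base64) LDIF used here."""
    entries, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            current = None
            continue
        attr, _, value = line.partition(":")
        value = value.strip()
        if attr == "dn":
            current = entries.setdefault(normalize_dn(value), {})
        elif current is not None:
            current.setdefault(attr, []).append(value)
    return entries


def lookup_roles(entries, options, username):
    """Emulate the module's role search for one authenticated user.

    1. Build the user DN from principalDNPrefix/principalDNSuffix.
    2. Match value is the full user DN when matchOnUserDN=true, else the bare username.
    3. One-level search under rolesCtxDN for (uidAttributeID=<match value>).
    4. Collect roleAttributeID from every matching entry.
    """
    user_dn = options["principalDNPrefix"] + username + options["principalDNSuffix"]
    if normalize_dn(user_dn) not in entries:
        raise KeyError(f"no such user entry: {user_dn}")

    match_value = user_dn if options.get("matchOnUserDN", "false") == "true" else username
    uid_attr = options.get("uidAttributeID", "uid")      # documented default (assumed for 2.4.4)
    role_attr = options.get("roleAttributeID", "roles")  # documented default (assumed for 2.4.4)
    roles_ctx = normalize_dn(options["rolesCtxDN"])

    roles = []
    for dn, attrs in entries.items():
        if dn.partition(",")[2] != roles_ctx:   # one-level search: direct children only
            continue
        if match_value in attrs.get(uid_attr, []):
            roles.extend(attrs.get(role_attr, []))
    return roles


# First configuration from the thread. roleAttributeName is not an option the
# module reads (assumed ignored), so roleAttributeID falls back to "roles", and
# matchOnUserDN=true yields the filter (uid=uid=admin2,cn=users,dc=localdomain),
# which no group entry carries: principalRoles=[].
BROKEN_OPTIONS = {
    "principalDNPrefix": "uid=",
    "principalDNSuffix": ",cn=users,dc=localdomain",
    "matchOnUserDN": "true",
    "rolesCtxDN": "cn=groups,dc=localdomain",
    "roleAttributeName": "memberUid=",   # unknown option, ignored
    "roleAttributeIsDN": "false",
}

# Working configuration: search (memberUid=admin2) under cn=groups and report
# each matching group's cn as a role.
FIXED_OPTIONS = {
    "principalDNPrefix": "uid=",
    "principalDNSuffix": ",cn=users,dc=localdomain",
    "uidAttributeID": "memberUid",
    "rolesCtxDN": "cn=groups,dc=localdomain",
    "roleAttributeID": "cn",
}


def roles_for(options, username="admin2"):
    """Roles the emulated module would hand to the SecurityInterceptor."""
    return lookup_roles(parse_ldif(SAMPLE_LDIF), options, username)


if __name__ == "__main__":
    print("broken config:", roles_for(BROKEN_OPTIONS))
    print("fixed config: ", roles_for(FIXED_OPTIONS))
```

Note that the fixed configuration maps the group's cn, so the role name that reaches the EJB is 'clientservices'; the method in the error message required 'Staff', which still has to exist as a group under cn=groups (or be mapped in the application's role assembly) for the call to be permitted.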