3 Replies Latest reply on Sep 12, 2006 9:18 AM by Ralph Soika

    Domino LDAP

    William Rushmore Newbie

      Has anyone got the JBoss LdapLoginModule to work with Lotus Domino? If so please let me know how set up your parameters. Authenticating has been straight forward but I am unable to get a list of groups.

      But maybe someone can help with the LdapLoginModule module parameters. Basiclly this the search filter I want:

      (&(object=dominoGroup)(member=%d))


        • 1. Re: Domino LDAP
          William Rushmore Newbie

          For anyone lurking that has the same issue: I was never able to get it working with JBoss LDAP login module. However, I was able to write my own with little effort. Email me and I'll be happy to share my code with you.

          • 3. Re: Domino LDAP
            Ralph Soika Apprentice

            hi,

            we solved the configuration problems with the following configuration (inside the login-config.xml

            <!-- LDAP login configuration for Domino -->
             <application-policy name="imixsIX">
             <authentication>
             <login-module code="org.jboss.security.auth.spi.LdapLoginModule"
             flag="required">
             <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
             <module-option name="java.naming.provider.url">ldap://myhostmuc:389/</module-option>
             <module-option name="java.naming.security.authentication">simple</module-option>
             <module-option name="principalDNPrefix">cn=</module-option>
             <!-- for principalDNSuffix no entry is needed for domino (e.g. o=MYDOMIAN) -->
             <module-option name="principalDNSuffix"></module-option>
             <module-option name="rolesCtxDN"></module-option>
             <module-option name="uidAttributeID">member</module-option>
             <module-option name="matchOnUserDN">true</module-option>
             <module-option name="roleAttributeID">cn</module-option>
             <module-option name="roleAttributeIsDN">false</module-option>
             <module-option name="searchTimeLimit">5000</module-option>
             <!-- searchScope ONELEVEL_SCOPE is neccesary for Domino -->
             <module-option name="searchScope">ONELEVEL_SCOPE</module-option>
            
             </login-module>
             </authentication>
             </application-policy>
            


            If your user will see no roles this will be an isue of the names.nsf acl. If "normal" users are not allowed to read in the name.nsf (this is typical for Domino installations) you need additional params to make the lookups with an admin account:

            <!-- Principal und Credentials for ldap lookups -->
             <module-option name="java.naming.security.principal">cn=admin,o=MYORG</module-option>
             <module-option name="java.naming.security.credentials">password</module-option>


            I hope this will be helpfull

            Ralph