Trying to be clearer: the doc chapter 220.127.116.11 says:
It's often the case that a local LDAP server provides identity and authentication services but is unable to use the authorization services. This is because application roles don't always map well onto LDAP groups, and LDAP administrators are often hesitant to allow external application-specific data in central LDAP servers. For this reason, the LDAP authentication module is often paired with another login module, such as the database login module, that can provide roles more suitable to the application being developed.
but chapter 18.104.22.168 says about the databaseLoginModule:
You would use this login module if you have your username, password and role information in a relational database
How can I use the databaseLoginModule just to retrieve role or what module should I use to do so? I don't have the password in the database.
Thanks in advance for help, a link or anything useful.
I'm not an expert, but I think you have to write your own custom login module and, after you have authenticated with LDAP, call the database for the roles with the user id.
I came across the same documentation and it sounds like these modules could be chained together to achieve this functionality. So far I have not been successful in getting this to work. I'd hate to write a custom LoginModule out of ignorance of what is already in place. It seems like there would be a standard solution/best practice for this use case.
From what I've found, as long as the username/password are the same in both LDAP and the DB, you are fine. If they don't match, you are out of luck. Is there a way, short of hacking the source code, to get the DatabaseServerLoginModule to ignore the password/principalsQuery and just add the roles that match the userID previously authenticated by LDAP? Or is what I'm asking dangerous and not supported?
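The chaining the thread is asking about, as an added example that is not part of any reply above and not a configuration shipped by JBoss: a login-config.xml security domain that stacks LdapLoginModule (authentication) with DatabaseServerLoginModule (roles only). The mechanism it relies on is the standard password-stacking option with value useFirstPass, which makes the first module publish the username and password it verified into the JAAS shared state, and makes the following module take that identity from the shared state instead of prompting and checking the password itself. The domain name, LDAP host, DN layout, data source JNDI name and table/column names are assumptions for illustration.

```xml
<!-- Added example, not taken from the thread or from the JBoss docs.
     Domain name, LDAP host, DN layout, data source and table names are assumed. -->
<application-policy name="ldap-auth-db-roles">
  <authentication>

    <!-- Step 1: LDAP is the only module that validates the password.
         flag="required" means a failed bind fails the whole login.
         password-stacking=useFirstPass publishes the verified username/password
         into the shared state for the modules that follow. -->
    <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">
      <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
      <module-option name="java.naming.provider.url">ldap://ldap.example.internal:389/</module-option>
      <module-option name="java.naming.security.authentication">simple</module-option>
      <!-- assumed DN layout: uid=<username>,ou=People,dc=example,dc=internal -->
      <module-option name="principalDNPrefix">uid=</module-option>
      <module-option name="principalDNSuffix">,ou=People,dc=example,dc=internal</module-option>
      <module-option name="password-stacking">useFirstPass</module-option>
    </login-module>

    <!-- Step 2: the database supplies roles only.
         With password-stacking=useFirstPass this module reads the identity from
         the shared state and does not run principalsQuery to check a password,
         so no password column is needed in the database. Only rolesQuery runs
         (at commit time) to build the Roles group for authorization. -->
    <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
      <module-option name="dsJndiName">java:/AppRolesDS</module-option>
      <module-option name="password-stacking">useFirstPass</module-option>
      <!-- rolesQuery must return two columns: the role name and the role group.
           'Roles' is the group name JBoss consults for authorization decisions.
           The bound parameter is the principal name authenticated by LDAP. -->
      <module-option name="rolesQuery">SELECT role, 'Roles' FROM user_roles WHERE user_id = ?</module-option>
    </login-module>

  </authentication>
</application-policy>
```

Two things to check when deploying something like this: the principal name LDAP authenticates must be exactly the value stored in user_roles.user_id, since the role lookup is a plain string match on the shared-state username; and in the JBoss releases I have worked with, DatabaseServerLoginModule raises a login failure when rolesQuery returns no rows for the user (unless unauthenticatedIdentity is configured), so a user who authenticates against LDAP but has no roles row is rejected rather than logged in with no roles. Both modules being "required" is deliberate: authentication strength comes entirely from the LDAP bind, and the database module never weakens it because it is not given a password to verify.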