1 Reply Latest reply on Apr 3, 2006 1:25 PM by Richard Schuller

    EJB3 OpenLDAP LdapLoginModule role validation failure

    Richard Schuller Newbie

      EJB3 Code:

      import javax.ejb.Stateless;
      import javax.annotation.security.RolesAllowed;
      import org.jboss.annotation.security.SecurityDomain;

      @Stateless
      @SecurityDomain("test")
      @RolesAllowed("Allora-User")
      public class EJBOps implements EJBOpsRemote {...}

      If I do not specify the RolesAllowed, a remote client gets authenticated OK and is able to call the EJB.
      With the RolesAllowed in, I get Insufficient permissions, principal=test1, requiredRoles=[Allora-User], principalRoles=[]
      Not sure why the principalRoles is empty.
      login-config.xml
      <application-policy name="test">

      <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">
      <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
      <module-option name="user.provider.url">ldap://padymelon/ou=People,dc=padymelon,dc=abc,dc=com</module-option>
      <module-option name="group.provider.url">ldap://padymelon/ou=People,dc=padymelon,dc=abc,dc=com</module-option>
      <module-option name="java.naming.provider.url">ldap://padymelon:389/</module-option>
      <module-option name="java.naming.security.authentication">simple</module-option>
      <module-option name="principalDNPrefix">uid=</module-option>
      <module-option name="principalDNSuffix">,ou=People,dc=padymelon,dc=abc,dc=com</module-option>
      <module-option name="rolesCtxDN">ou=Group,dc=padymelon,dc=abc,dc=com</module-option>
      <module-option name="uidAttributeID">member</module-option>
      <module-option name="matchOnUserDN">true</module-option>
      <module-option name="roleAttributeID">cn</module-option>
      <module-option name="roleAttributeIsDN">false</module-option>
      <module-option name="roleNameAttributeID">name</module-option>
      <module-option name="allowEmptyPasswords">false</module-option>
      <module-option name="searchTimeLimit">5000</module-option>
      </login-module>

      </application-policy>
      OpenLDAP Schema:

      # LDIF Export for: dc=padymelon,dc=abc,dc=com
      # Generated by phpLDAPadmin ( http://phpldapadmin.sourceforge.net/ ) on March 31, 2006 3:00 pm
      # Server: Padymelon (localhost)
      # Search Scope: sub
      # Search Filter: (objectClass=*)
      # Total Entries: 8

      dn: dc=padymelon,dc=abc,dc=com
      objectClass: top
      objectClass: dcObject
      objectClass: organization
      o: abc
      dc: padymelon

      dn: cn=admin,dc=padymelon,dc=abc,dc=com
      objectClass: simpleSecurityObject
      objectClass: organizationalRole
      cn: admin
      description: LDAP administrator
      userPassword: {crypt}1VzCGZDqLJ9gk

      dn: ou=Group,dc=padymelon,dc=abc,dc=com
      ou: Group
      objectClass: top
      objectClass: organizationalUnit

      dn: cn=Allora-Eng,ou=Group,dc=padymelon,dc=abc,dc=com
      cn: Allora-Eng
      gidNumber: 1001
      memberUid: test2
      objectClass: posixGroup
      objectClass: top

      dn: cn=Allora-User,ou=Group,dc=padymelon,dc=abc,dc=com
      gidNumber: 1000
      memberUid: test1
      memberUid: test2
      objectClass: posixGroup
      objectClass: top
      cn: Allora-User

      dn: ou=People,dc=padymelon,dc=abc,dc=com
      ou: People
      objectClass: top
      objectClass: organizationalUnit

      dn: uid=test1,ou=People,dc=padymelon,dc=abc,dc=com
      userPassword: {SMD5}CTQgwdPkl7p42Jt3mjbJ2WZqynM=
      loginShell: /bin/false
      uidNumber: 1050
      gidNumber: 1010
      objectClass: posixAccount
      objectClass: shadowAccount
      objectClass: account
      uid: test1
      gecos: testuser1
      shadowLastChange: 13090
      cn: testuser1
      homeDirectory: /home/test1

      dn: uid=test2,ou=People,dc=padymelon,dc=abc,dc=com
      userPassword: {SMD5}HgYFdQN7wkkNxIfSmSwUtCGb2so=
      loginShell: /bin/false
      uidNumber: 1051
      gidNumber: 1010
      objectClass: posixAccount
      objectClass: shadowAccount
      objectClass: account
      uid: test2
      gecos: testuser2
      shadowLastChange: 13090
      cn: testuser2
      homeDirectory: /home/test2

        • 1. Re: EJB3 OpenLDAP LdapLoginModule role validation failure
          Richard Schuller Newbie

          There is a copy-paste error in the login-config.xml.

          before:
          <module-option name="group.provider.url">ldap://padymelon/ou=People,dc=padymelon,dc=abc,dc=com</module-option>

          actual:
          <module-option name="group.provider.url">ldap://padymelon/ou=Group,dc=padymelon,dc=abc,dc=com</module-option>

          I have also written a custom login module, to see what the values of the principals are, and now they come back as null. In the commit method of the LoginModule I am adding the roles to the principals, but for some reason they are not making it into JBoss.

          Ideas?
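Added illustration, not code from the thread or from JBoss: it replays the role search that LdapLoginModule's documented options describe (search under rolesCtxDN for entries whose uidAttributeID holds the user id, or the user DN when matchOnUserDN is true, then read roleAttributeID) against the group entries from the posted LDIF. With the posted options the filter looks for a `member` attribute, which the posixGroup entries do not carry (they hold `memberUid`), so the result is the empty principalRoles seen in the error; the second option set, an assumption for comparison, matches on `memberUid` instead.

```python
# Constructed from the thread's LDIF export: only the group entries and the
# attributes the role search reads are kept.
LDIF = """\
dn: cn=Allora-Eng,ou=Group,dc=padymelon,dc=abc,dc=com
cn: Allora-Eng
memberUid: test2

dn: cn=Allora-User,ou=Group,dc=padymelon,dc=abc,dc=com
memberUid: test1
memberUid: test2
cn: Allora-User
"""

def parse_ldif(text):
    """Return {dn: {attr: [values]}} for a simple LDIF text (no folding/base64)."""
    entries = {}
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            key, _, val = line.partition(": ")
            attrs.setdefault(key, []).append(val)
        entries[attrs["dn"][0]] = attrs
    return entries

def ldap_roles(entries, user_id, user_dn, opts):
    """Emulate the module's role search: entries under rolesCtxDN whose uidAttributeID
    holds the user id (or DN when matchOnUserDN) contribute their roleAttributeID values."""
    ctx = opts["rolesCtxDN"].lower()
    wanted = (user_dn if opts["matchOnUserDN"] else user_id).lower()
    roles = set()
    for dn, attrs in entries.items():
        if not dn.lower().endswith("," + ctx):
            continue  # outside the roles context
        if wanted not in (m.lower() for m in attrs.get(opts["uidAttributeID"], [])):
            continue  # user is not listed in this group's membership attribute
        for value in attrs.get(opts["roleAttributeID"], []):
            if opts["roleAttributeIsDN"]:  # value is a DN: read roleNameAttributeID there
                roles.update(entries.get(value, {}).get(opts["roleNameAttributeID"], []))
            else:
                roles.add(value)
    return sorted(roles)

# Options exactly as posted in the thread's login-config.xml.
POSTED = {"rolesCtxDN": "ou=Group,dc=padymelon,dc=abc,dc=com", "uidAttributeID": "member",
          "matchOnUserDN": True, "roleAttributeID": "cn", "roleAttributeIsDN": False,
          "roleNameAttributeID": "name"}
# Assumed alternative: same options pointed at the attribute the posixGroup entries carry.
POSIX = dict(POSTED, uidAttributeID="memberUid", matchOnUserDN=False)
USER_DN = "uid=test1,ou=People,dc=padymelon,dc=abc,dc=com"
```

`ldap_roles(parse_ldif(LDIF), "test1", USER_DN, POSTED)` returns `[]`, the same empty principalRoles as in the error, while the `POSIX` options return `['Allora-User']` for the same user.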