3 Replies Latest reply on Oct 4, 2006 8:11 AM by jaikiran pai

    LdapLoginModule and role attribute not retrieved

    Lorenzo Pasquinelli Newbie

      Hi all,

      For about 2 days I have not been able to resolve this problem. I'm trying to configure JBoss to work with a web application that currently runs under Tomcat 5.5, but I'm not able to configure LdapLoginModule.
      The page that should appear after login is in a protected area associated with the role "Cataloguer". This role is stored in the LDAP tree as an attribute of each user, as the value of the field initials.

      When I try to log in I receive a 403 error, as if the user weren't in the correct role.

      In a public JSP I trace request.getUserPrincipal().getName() and request.isUserInRole("Cataloguer"), and I call this page after my login. I see that the user principal is correct but isUserInRole returns false.

      I activated trace logging in log4j.xml for the category "org.jboss.security.auth.spi", and this is the output:

      2006-08-28 23:37:04,015 DEBUG [org.jboss.security.plugins.JaasSecurityManagerService] Added ldap-pdil, org.jboss.security.plugins.SecurityDomainContext@bc448b to map
      2006-08-28 23:37:04,031 TRACE [org.jboss.security.auth.spi.LdapLoginModule] initialize, instance=@30675222
      2006-08-28 23:37:04,031 TRACE [org.jboss.security.auth.spi.LdapLoginModule] login
      2006-08-28 23:37:04,031 TRACE [org.jboss.security.auth.spi.LdapLoginModule] Logging into LDAP server, env={java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, principalDNPrefix=cn=, java.naming.security.principal=cn=Cataloguer_1,ou=people,dc=mycompany,dc=com, roleAttributeID=initials, matchOnUserDN=false, principalDNSuffix=,ou=people,dc=soloreti,dc=net, allowEmptyPasswords=false, java.naming.provider.url=ldap://localhost:389/, roleAttributeIsDN=false, java.naming.security.authentication=simple, java.naming.security.credentials=***}
      2006-08-28 23:37:04,078 TRACE [org.jboss.security.auth.spi.LdapLoginModule] Logged into LDAP server, javax.naming.ldap.InitialLdapContext@1ff83
      2006-08-28 23:37:04,078 TRACE [org.jboss.security.auth.spi.LdapLoginModule] Rebind SECURITY_PRINCIPAL to: cn=Manager,dc=mycompany,dc=com
      2006-08-28 23:37:04,078 TRACE [org.jboss.security.auth.spi.LdapLoginModule] User 'Cataloguer_1' authenticated, loginOk=true
      2006-08-28 23:37:04,078 TRACE [org.jboss.security.auth.spi.LdapLoginModule] commit, loginOk=true


      My application defines 4 private areas, each associated with a role; in my LDAP the role information is the "initials" attribute of the user.

      I configured an application policy in login-config.xml:

      <application-policy name="ldap-pdil">
        <authentication>
          <!--<login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">-->
          <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
            <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
            <module-option name="java.naming.provider.url">ldap://localhost:389/</module-option>
            <module-option name="java.naming.security.authentication">simple</module-option>
            <module-option name="java.naming.security.principal">cn=Manager,dc=mycompany,dc=com</module-option>
            <module-option name="java.naming.security.credentials">secret</module-option>
            <module-option name="principalDNPrefix">cn=</module-option>
            <module-option name="principalDNSuffix">,ou=people,dc=mycompany,dc=com</module-option>
            <module-option name="matchOnUserDN">true</module-option>
            <module-option name="roleAttributeID">initials</module-option>
            <module-option name="roleAttributeIsDN">false</module-option>
            <module-option name="allowEmptyPasswords">false</module-option>
          </login-module>
        </authentication>
      </application-policy>


      and I referenced it in my login module:

      <login-config>
        <auth-method>FORM</auth-method>
        <realm-name>ldap-pdil</realm-name>
        <form-login-config>
          <form-login-page>/login.jsp</form-login-page>
          <form-error-page>/errors/loginFailedError.jsp</form-error-page>
        </form-login-config>
      </login-config>


      I think that I haven't configured these module options correctly: "matchOnUserDN", "roleAttributeID", "roleAttributeIsDN". I tried different values but the result is the same!

      Can someone help me?

      Why does the user log in successfully, but no role information is available?
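An added example, not part of the thread and not JBoss's own LdapLoginModule code, showing mechanically what the three options the poster is unsure about mean when roles live on the user entry: principalDNPrefix/principalDNSuffix build the bind DN, roleAttributeID names the attribute that holds the roles, and roleAttributeIsDN decides whether each value is taken literally or has the role name extracted from a DN. The login-config fragment is a cleaned copy of the poster's policy (the original has a stray "-->" and a missing "<" and would not parse); the in-memory directory, the users Viewer_1 and the passwords are constructed for the example.

```python
"""Simulate attribute-based role resolution for a JAAS-style LDAP login module.
Added example; DIRECTORY contents and passwords are constructed, and the helper
functions are illustrative, not the JBoss implementation."""
import xml.etree.ElementTree as ET

# Well-formed copy of the poster's application-policy (constructed copy).
POLICY_XML = """
<application-policy name="ldap-pdil">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">
      <module-option name="java.naming.security.principal">cn=Manager,dc=mycompany,dc=com</module-option>
      <module-option name="java.naming.security.credentials">secret</module-option>
      <module-option name="principalDNPrefix">cn=</module-option>
      <module-option name="principalDNSuffix">,ou=people,dc=mycompany,dc=com</module-option>
      <module-option name="roleAttributeID">initials</module-option>
      <module-option name="roleAttributeIsDN">false</module-option>
      <module-option name="allowEmptyPasswords">false</module-option>
    </login-module>
  </authentication>
</application-policy>
"""

# Constructed in-memory stand-in for the LDAP tree: DN -> attributes.
# Roles sit on the user entry in the 'initials' attribute, as in the thread.
DIRECTORY = {
    "cn=Cataloguer_1,ou=people,dc=mycompany,dc=com": {
        "userPassword": "pw-cataloguer",
        "initials": ["Cataloguer"],
    },
    "cn=Viewer_1,ou=people,dc=mycompany,dc=com": {
        "userPassword": "pw-viewer",
        # DN-valued role, the case roleAttributeIsDN=true is meant for
        "initials": ["cn=Viewer,ou=roles,dc=mycompany,dc=com"],
    },
}


def load_options(xml_text):
    """Collect <module-option name=...>value</module-option> pairs into a dict."""
    root = ET.fromstring(xml_text.strip())
    return {opt.get("name"): (opt.text or "").strip() for opt in root.iter("module-option")}


def user_dn(options, username):
    """Bind DN is exactly principalDNPrefix + username + principalDNSuffix."""
    return options.get("principalDNPrefix", "") + username + options.get("principalDNSuffix", "")


def authenticate(directory, options, username, password):
    """Simple bind as the user's own DN; the password must match the entry."""
    if not password and options.get("allowEmptyPasswords", "false").lower() != "true":
        return False  # an empty password would be an anonymous bind on many servers
    entry = directory.get(user_dn(options, username))
    return entry is not None and entry.get("userPassword") == password


def rdn_value(dn):
    """Leftmost RDN value of a DN: 'cn=Viewer,ou=roles,...' -> 'Viewer'."""
    first = dn.split(",", 1)[0]
    return first.split("=", 1)[1] if "=" in first else first


def roles_for(directory, options, username):
    """Read roles from the roleAttributeID attribute of the user's own entry."""
    entry = directory.get(user_dn(options, username), {})
    values = entry.get(options.get("roleAttributeID", "roles"), [])
    if options.get("roleAttributeIsDN", "false").lower() == "true":
        return [rdn_value(v) for v in values]
    return list(values)


def login(directory, options, username, password):
    """Return (authenticated, roles); roles are resolved only after a successful bind."""
    if not authenticate(directory, options, username, password):
        return False, []
    return True, roles_for(directory, options, username)


if __name__ == "__main__":
    opts = load_options(POLICY_XML)
    print(login(DIRECTORY, opts, "Cataloguer_1", "pw-cataloguer"))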