0 Replies Latest reply on Mar 8, 2007 12:42 PM by Andrew Cheung

    LDAP authentication and role-based permission question (x-po

    Andrew Cheung Newbie

      Hi. I'm trying to use LdapLoginModule for authenticating into the portal that runs on JBoss AS 4.0.5GA. The authentication part is OK (the trace log returns loginOK=true) when I put in the user's username and password and hit enter. However, in the browser it gives me a 403 error. Error message as follows:

      HTTP Status 403 - Access to the requested resource has been denied


      type Status report

      message Access to the requested resource has been denied

      description Access to the specified resource (Access to the requested resource has been denied) has been forbidden.


      Here are the details:

      1. LDAP server (we use eDirectory):

      Sample user:


      Sample Role:


      The member attribute will contain the users that are assigned to this role.
      For example:


      2. jboss-4.0.5.GA\server\default\deploy\jboss-portal.sar\portal-server.war\WEB-INF\web.xml:



      also:

      <realm-name>JBoss Portal</realm-name>

      3. jboss-4.0.5.GA\server\default\deploy\jboss-portal.sar\conf\login-config.xml:

      <application-policy name="portal">
        <authentication>
          <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">
            <!-- connection and bind: user DN = principalDNPrefix + username + principalDNSuffix -->
            <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
            <module-option name="java.naming.provider.url">ldap://myLDAPserverIP:389/</module-option>
            <module-option name="java.naming.security.authentication">simple</module-option>
            <module-option name="principalDNPrefix">cn=</module-option>
            <module-option name="principalDNSuffix">,ou=users,ou=MyDivision,o=MyCompany</module-option>
            <!-- roles: entries under rolesCtxDN whose "member" attribute holds the user DN; their cn is the role name -->
            <module-option name="rolesCtxDN">ou=DistributionLists,ou=MyDivision,o=MyCompany</module-option>
            <module-option name="uidAttributeID">member</module-option>
            <module-option name="matchOnUserDN">true</module-option>
            <module-option name="roleAttributeID">cn</module-option>
            <module-option name="roleAttributeIsDN">false</module-option>
          </login-module>
        </authentication>
      </application-policy>


      4. database table "jbp_users" in the portal database:

      The user abc is added to the jbp_users table. The jbp_uid is 11.

      Note: I did not synchronize the password here from the LDAP server because I thought the password here is not used anymore since we authenticate using the LDAP server.

      5. database table "jbp_roles" in the portal database:

      The role "finance" is added to the jbp_roles table. jbp_name and jbp_displayName are both set to "finance". The jbp_rid value is 7.

      6. database table "jbp_role_membership" in the portal database:

      The entry with values jbp_uid = 11 and jbp_rid = 7 is added to the jbp_role_membership table.

      Are there any other configurations I need to do in order to make it work?

      Also, is there a way to do more detailed logging so that I can see what's happening after the authentication? Right now the log doesn't show what went wrong regarding the role permissions.

      Any help is appreciated.
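Added example, not part of the original post or of JBoss itself: a small Python model of how the posted LdapLoginModule options turn a login name into a set of role names (bind DN from principalDNPrefix/principalDNSuffix, subtree search under rolesCtxDN for entries whose uidAttributeID holds the user DN, cn taken as the role). The directory entries are constructed stand-ins for the eDirectory tree, and normalize_dn is a simplification of LDAP DN matching.

```python
# Module options copied from the posted login-config.xml.
OPTIONS = {
    "principalDNPrefix": "cn=",
    "principalDNSuffix": ",ou=users,ou=MyDivision,o=MyCompany",
    "rolesCtxDN": "ou=DistributionLists,ou=MyDivision,o=MyCompany",
    "uidAttributeID": "member",
    "matchOnUserDN": True,
    "roleAttributeID": "cn",
    "roleAttributeIsDN": False,  # cn of the matching entry is the role name
}

# Constructed stand-in for the eDirectory tree: DN -> attributes.
USERS = "ou=users,ou=MyDivision,o=MyCompany"
LISTS = "ou=DistributionLists,ou=MyDivision,o=MyCompany"
DIRECTORY = {
    f"cn=abc,{USERS}": {"cn": ["abc"]},
    f"cn=finance,{LISTS}": {"cn": ["finance"], "member": [f"cn=abc,{USERS}"]},
    f"cn=hr,{LISTS}": {"cn": ["hr"], "member": [f"cn=xyz,{USERS}"]},
    # Outside rolesCtxDN: never searched, even though abc is a member.
    "cn=allstaff,ou=OtherLists,o=MyCompany": {"cn": ["allstaff"], "member": [f"cn=abc,{USERS}"]},
}

def normalize_dn(dn):
    # Approximation of LDAP DN matching: case-insensitive, whitespace around
    # RDN separators ignored. Real servers apply distinguishedNameMatch.
    return ",".join(p.strip() for p in dn.split(",")).lower()

def user_dn(username, opts=OPTIONS):
    # The DN the module binds as: principalDNPrefix + username + principalDNSuffix.
    return opts["principalDNPrefix"] + username + opts["principalDNSuffix"]

def roles_for(username, directory=DIRECTORY, opts=OPTIONS):
    """Role names LdapLoginModule would derive for username under these options."""
    match_dn = opts["matchOnUserDN"]
    # Value searched for in uidAttributeID: the user's DN when matchOnUserDN=true.
    wanted = normalize_dn(user_dn(username, opts)) if match_dn else username
    ctx = normalize_dn(opts["rolesCtxDN"])
    roles = []
    for dn, attrs in directory.items():
        if not normalize_dn(dn).endswith("," + ctx):
            continue  # only the rolesCtxDN subtree is searched
        values = attrs.get(opts["uidAttributeID"], [])
        if match_dn:
            values = [normalize_dn(v) for v in values]
        if wanted in values:
            roles.extend(attrs.get(opts["roleAttributeID"], []))
    return sorted(roles)

if __name__ == "__main__":
    print(roles_for("abc"))  # ['finance']
```

The names this returns are the roles the container associates with the authenticated session; a 403 after loginOK=true means those roles did not satisfy the auth-constraint in web.xml, so the role names produced here and the ones referenced in web.xml are the first thing to compare.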