0 Replies Latest reply on Oct 19, 2009 8:54 AM by muzzol oliba

    ldap filter to restrict one cn

    muzzol oliba Newbie

      hi,

      i configured an application policy and i want to allow only users from group

      cn=portalrrhh,ou=Groups,dc=example.com,dc=global

      this is the test i did with jmx-console:

      <application-policy name="jmx-console">
      <authentication>
      <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required" >
      <module-option name="java.naming.provider.url">ldap://example.com:389</module-option>
      <module-option name="baseCtxDN">ou=Users,dc=example.com,dc=global</module-option>
      <module-option name="baseFilter">(uid={0})</module-option>
      <module-option name="rolesCtxDN">cn=portalrrhh,ou=Groups,dc=example.com,dc=global</module-option>
      <module-option name="roleFilter">(memberUid={0})</module-option>
      <module-option name="roleAttributeIsDN">false</module-option>
      <module-option name="roleNameAttributeID">cn</module-option>
      <module-option name="roleRecursion">0</module-option>
      <module-option name="searchScope">ONELEVEL_SCOPE</module-option>
      </login-module>
      </authentication>
      </application-policy>
      



      i can login with any valid ldap user, not just that ones belonging to group portalrrhh, so seems to ignore the scope.

      anyone have a working example?

      i dont mind if it is with org.jboss.security.auth.spi.LdapLoginModule or org.jboss.security.auth.spi.LdapExtLoginModule