3 Replies Latest reply on Sep 19, 2006 6:29 PM by Scott Stark

    new LDAP Login Module

    Ralph Soika Apprentice


      I have developed a new LDAP Login Module with a comparable functionality like the org.jboss.security.SimpleGroup.LdapLoginModule.
      The org.jboss.security.SimpleGroup.LdapLoginModule did a good job but when I tried to configure my IBM Lotus Domino Server with this Modul I run into some problems.
      The first was that I could not configure that the user authenticates with an UserID but the CallerPricipal should be the destinguished name of the user. This is needed if you implementing an application with business logic that needs the "real" name of the user and not the login name when calling getCallerPrincipal(). Maybe this is a special functionality of IBM Lotus Domino LDAP that you can login with different names (?).
      The second problem was that the LdapLoginModul only returns Roles (Groups) where the user is member but not Groups which are encapsulated. E.g. User is member of "Group A" and "Group A" is member of "Group B". So you got only the "Group A" in the Roles Set but not "Group B".

      I implemented the new Login Modul org.imixs.jboss.security.LdapLoginModuleExt.
      This Class addresses this two issues and works perfectly with the Lotus Domino LDAP Directory. I think this Modul can be an alternative to the org.jboss.security.auth.spi.LdapLoginModule.

      I documented the Code at:

      and posted the source code also at:

      There are some ishues I could not implement (like the decode Function) which is protected in the org.jboss.security.auth.spi package.
      Let me know if this Login module is of interest for you.


        • 1. Re: new LDAP Login Module
          Scott Stark Master

          The first test will be how different this is from the existing org.jboss.security.auth.spi.LdapExtLoginModule.

          • 2. Re: new LDAP Login Module
            Ralph Soika Apprentice

            Hi scott,

            I did not seen the org.jboss.security.auth.spi.LdapExtLoginModule before - so I did a lot of work twice ;-)
            but ok. I updated my code a little bit so it uses now the smarter search filter param like used in the org.jboss.security.auth.spi.LdapExtLoginModule.

            I think the main different is now the method searchDistinguishedName() and the fact that the distinguished name found will replace the CallerPrincipal.
            Also the Distinguished name is translated into a composite name.
            So for example: users login with "x007" -> DN of the UserObeject is "James Bond,OU=Secret Service" -> Composite name is "James Bond/OU=Secret Service".

            Maybe this is an insignificant detail but in our workflow project (www.imixs.org) we are constrained to work with composite names.

            I tried now also the org.jboss.security.auth.spi.LdapExtLoginModule to configure my Lotus Domino Server - but have no success.

            I think it is not a recommendable way to overload the org.jboss.security.auth.spi.LdapExtLoginModule or org.jboss.security.auth.spi.LdapLoginModule with more params so things like the replacement of the caller pricipal or the translation into a composite DN will be configurable. This modules did work ok. Maybe JBoss will offer more specialized LDAP Login Modules for different servers like my one for Lotus Domino?

            kind regards

            • 3. Re: new LDAP Login Module
              Scott Stark Master

              Post the ldif of the domino server that is relevant for the authentication and roles queries.

              Where is the composite name used?