I have to authenticate and authorize users against the following LDAP schema:
  o=myCorp,c=DE
  |
  +--> ou=Users,...
       |
       +--> uid=joedev...
              uid: uid=joedev,ou=Users,...
              realName: Joe Develop
              memberOf: role1
              memberOf: role2
              userPassword: xZ...jk=

What makes this different from the example configuration to be found in AdminDevel_323.pdf - which I have been studying inside out - is that a user's roles are stored in the same node as the user himself. My realm definition thus far is

  <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">
    <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
    <module-option name="java.naming.security.authentication">simple</module-option>
    <module-option name="java.naming.provider.url">ldap://localhost:389/</module-option>
    <module-option name="principalDNPrefix">uid=</module-option>
    <module-option name="principalDNSuffix">,ou=Users,o=myCorp,c=DE</module-option>
    <module-option name="uidAttributeID">uid</module-option>
    <module-option name="matchOnUserDN">false</module-option>
    <module-option name="allowEmptyPasswords">false</module-option>
    <module-option name="hashAlgorithm">SHA-1</module-option>
    <module-option name="hashCharset">UTF-8</module-option>
    <module-option name="hashEncoding">base64</module-option>
    <module-option name="rolesCtxDN">ou=Users,o=myCorp,c=DE</module-option>
    <module-option name="roleAttributeID">memberOf</module-option>
  </login-module>

Using this config under JBoss 3.2.1 I succeeded in authenticating user joedev, but failed to assert his roles role1, role2, ... . I have been studying the source code for LdapLoginModule and have tracing for org.jboss.security enabled, so I know that my module-options are passed in as intended. Still JBoss fails to find the roles stored in the memberOf attribute. Any help would be greatly appreciated.
On a different note: studying the LdapLoginModule source I notice that for the roles search to succeed at all the value of the uidAttributeId attribute (uid) must be the authenticated user's full DN (principalDNPrefix + joedev + principalDNSuffix), NOT just his username (joedev) as I would have expected. Is this behaviour intended?

Regards,
Olaf Bergner

View the original post: http://www.jboss.org/index.html?module=bb&op=viewtopic&p=3846406#3846406

_______________________________________________
JBoss-user mailing list
https://lists.sourceforge.net/lists/listinfo/jboss-user
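The role lookup the post describes, as an added example that is not part of the original mail and not JBoss code: a model of a subtree search under rolesCtxDN for (uidAttributeID=value), where value is either the bare username or the assembled principal DN, followed by collecting roleAttributeID from the matching entries. The directory content is constructed (the joedev entry stores the bare username in uid, a second constructed user annadev stores her full DN there), the equality matching is assumed case-insensitive as it usually is for uid, and the option values are copied from the login-module definition above. The point it shows is that whichever form the filter uses, the bare username or the full DN, it has to equal what is actually stored in the uid attribute, otherwise the search returns nothing and no roles are assigned.

```python
"""Model of an LdapLoginModule-style role lookup (added example, not JBoss code)."""

import re

# Constructed directory content modelled on the schema in the post.
# joedev stores the bare username in uid; annadev (constructed) stores her full DN there.
DIRECTORY = [
    {
        "dn": "uid=joedev,ou=Users,o=myCorp,c=DE",
        "uid": ["joedev"],
        "realName": ["Joe Develop"],
        "memberOf": ["role1", "role2"],
    },
    {
        "dn": "uid=annadev,ou=Users,o=myCorp,c=DE",
        "uid": ["uid=annadev,ou=Users,o=myCorp,c=DE"],
        "realName": ["Anna Develop"],
        "memberOf": ["role3"],
    },
]

# Option values copied from the poster's login-module definition.
OPTIONS = {
    "principalDNPrefix": "uid=",
    "principalDNSuffix": ",ou=Users,o=myCorp,c=DE",
    "uidAttributeID": "uid",
    "roleAttributeID": "memberOf",
    "rolesCtxDN": "ou=Users,o=myCorp,c=DE",
}

_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value):
    """RFC 4515 escaping: a username must never be spliced raw into a search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def unescape_filter_value(value):
    """Inverse of escape_filter_value, used by the model's filter evaluator."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def principal_dn(username, options):
    """principalDNPrefix + username + principalDNSuffix, as the post describes."""
    return options["principalDNPrefix"] + username + options["principalDNSuffix"]


def build_role_filter(username, options, match_on_user_dn):
    """(uidAttributeID=<username>) or, when matching on the user DN, (uidAttributeID=<full DN>)."""
    value = principal_dn(username, options) if match_on_user_dn else username
    return "(%s=%s)" % (options["uidAttributeID"], escape_filter_value(value))


_EQ = re.compile(r"^\(([A-Za-z][\w-]*)=(.*)\)$")


def search(entries, base_dn, ldap_filter):
    """Subtree search: entries under base_dn with an attribute equal to the filter value.
    Matching is case-insensitive (assumption: the caseIgnore rule normally used for uid)."""
    m = _EQ.match(ldap_filter)
    if not m:
        raise ValueError("only simple equality filters are modelled: %r" % ldap_filter)
    attr, wanted = m.group(1), unescape_filter_value(m.group(2)).lower()
    suffix = "," + base_dn.lower()
    return [e for e in entries
            if e["dn"].lower().endswith(suffix)
            and any(v.lower() == wanted for v in e.get(attr, []))]


def lookup_roles(entries, username, options, match_on_user_dn):
    """Run the role search under rolesCtxDN and collect every roleAttributeID value found."""
    flt = build_role_filter(username, options, match_on_user_dn)
    roles = []
    for entry in search(entries, options["rolesCtxDN"], flt):
        roles.extend(entry.get(options["roleAttributeID"], []))
    return roles


if __name__ == "__main__":
    for user in ("joedev", "annadev"):
        for flag in (False, True):
            print(user, "matchOnUserDN=%s" % flag,
                  build_role_filter(user, OPTIONS, flag), "->",
                  lookup_roles(DIRECTORY, user, OPTIONS, flag))
```

Run stand-alone it prints the filter and the roles for each user under both matching modes: joedev only yields role1 and role2 when the filter carries the bare username, annadev only yields role3 when it carries the full DN. The escaping helper is there because the username comes from the login prompt and is spliced into a filter; a value such as `*)(uid=*` must match nothing rather than widen the search.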