Hi, I've used the LdapLoginModule in previous versions of JBoss and it seemed to work fine.
I've just tried using it with multiple roles and found very weird behaviour. It would tell me that every user was in every role. With the example schema below, it would tell me that user1 is in roles `myldap-ipc', `myldap' and `myldap-admin', when he is only listed as part of `myldap'.

I feel that the problem is caused by LdapLoginModule not correctly creating the filter to send to the LDAP server. I have created MyLdapLoginModule.java with a modified roleFilter and it works the way I would expect:

    String uidAttrName = (String) options.get(UID_ATTRIBUTE_ID_OPT);
    if (uidAttrName == null)
        uidAttrName = "uid";
    String roleAttrName = (String) options.get(ROLE_ATTRIBUTE_ID_OPT);
    if (roleAttrName == null)
        roleAttrName = "roles";
    StringBuffer roleFilter = new StringBuffer("(");
    roleFilter.append(uidAttrName);
    // This line commented by Daniel
    //roleFilter.append("=*)");
    //BasicAttributes matchAttrs = new BasicAttributes(true);
    String userToMatch = username;
    if (matchOnUserDN == true)
        userToMatch = userDN;
    // Added by Daniel
    roleFilter.append("=").append(userToMatch).append(")");

Here is a sample of the login-config.xml I have been using:

    <application-policy name="myldap-policy">
      <!-- for users -->
      <login-module code="org.jboss.security.auth.spi.MyLdapLoginModule" flag="required">
        <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
        <module-option name="java.naming.provider.url">ldap://localhost:389/</module-option>
        <module-option name="java.naming.security.authentication">simple</module-option>
        <module-option name="principalDNPrefix">uid=</module-option>
        <module-option name="principalDNSuffix">,ou=Webusers,dc=mydomain,dc=net</module-option>
        <module-option name="rolesCtxDN">ou=Roles,dc=mydomain,dc=net</module-option>
        <module-option name="uidAttributeID">member</module-option>
        <module-option name="matchOnUserDN">true</module-option>
        <module-option name="roleAttributeID">cn</module-option>
        <module-option name="roleAttributeIsDN">false</module-option>
        <module-option name="searchScope">ONELEVEL_SCOPE</module-option>
      </login-module>
    </application-policy>

Here is an example of my schema (filtered with sed to remove my domain and application name):

    # extended LDIF
    #
    # LDAPv3
    # base <ou=Roles,dc=mydomain,dc=net> with scope sub
    # filter: (objectclass=*)
    # requesting: ALL
    #

    # Roles, mydomain.net
    dn: ou=Roles,dc=mydomain,dc=net
    objectClass: top
    objectClass: organizationalUnit
    ou: Roles

    # myldap-ipc, Roles, mydomain.net
    dn: cn=myldap-ipc,ou=Roles,dc=mydomain,dc=net
    objectClass: top
    objectClass: groupOfNames
    description: blah
    member: uid=ipc-user,ou=Webusers,dc=mydomain,dc=net
    cn: myldap-ipc

    # myldap-admin, Roles, mydomain.net
    dn: cn=myldap-admin,ou=Roles,dc=mydomain,dc=net
    description: myldap users
    objectClass: top
    objectClass: groupOfNames
    cn: myldap-admin
    member: uid=dpocock,ou=Webusers,dc=mydomain,dc=net

    # myldap, Roles, mydomain.net
    dn: cn=myldap,ou=Roles,dc=mydomain,dc=net
    description: Users of myldap logger
    objectClass: top
    objectClass: groupOfNames
    member: uid=dpocock,ou=Webusers,dc=mydomain,dc=net
    member: uid=user1,ou=Webusers,dc=mydomain,dc=net
    cn: myldap

    # search result
    search: 2
    result: 0 Success

    # numResponses: 5
    # numEntries: 4

Regards,

Daniel

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3908057#3908057

_______________________________________________
JBoss-user mailing list
JBoss-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/jboss-user
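The following is an added example, not part of the post above and not JBoss code: a small Python model of the role search the post describes. It builds the two role filters side by side, the presence filter `(member=*)` that the commented-out line produced and the equality filter `(member=<user DN>)` that Daniel's added line produces, and evaluates each against the three role entries from the LDIF, constructed here as Python dicts. It also adds RFC 4515 escaping of the value placed in the filter, which the post's fix does not do; a user DN or username containing `*`, `(`, `)` or `\` would otherwise alter the filter that reaches the server. The filter evaluator handles only the single `(attr=value)` shape the module builds and compares DN strings exactly, whereas a real directory uses distinguishedNameMatch.

```python
import re

# Constructed from the LDIF in the post: the three role entries under
# ou=Roles with their cn and member attribute values.
ROLE_ENTRIES = [
    {"dn": "cn=myldap-ipc,ou=Roles,dc=mydomain,dc=net",
     "cn": ["myldap-ipc"],
     "member": ["uid=ipc-user,ou=Webusers,dc=mydomain,dc=net"]},
    {"dn": "cn=myldap-admin,ou=Roles,dc=mydomain,dc=net",
     "cn": ["myldap-admin"],
     "member": ["uid=dpocock,ou=Webusers,dc=mydomain,dc=net"]},
    {"dn": "cn=myldap,ou=Roles,dc=mydomain,dc=net",
     "cn": ["myldap"],
     "member": ["uid=dpocock,ou=Webusers,dc=mydomain,dc=net",
                "uid=user1,ou=Webusers,dc=mydomain,dc=net"]},
]

# RFC 4515 escapes for characters that are special inside a filter value.
# This escaping is an addition here; the post's roleFilter appends
# userToMatch verbatim.
_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value):
    """Escape a value so it is matched literally inside an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def unescape_filter_value(value):
    """Reverse of escape_filter_value; used only by the toy evaluator below."""
    return re.sub(r"\\([0-9a-fA-F]{2})",
                  lambda m: chr(int(m.group(1), 16)), value)


def build_role_filter(uid_attr, user_to_match, original=False):
    """original=True reproduces the '(<uidAttr>=*)' presence filter from the
    commented-out line; original=False builds the equality filter that the
    post's added line produces, with the value escaped."""
    if original:
        return "(%s=*)" % uid_attr
    return "(%s=%s)" % (uid_attr, escape_filter_value(user_to_match))


def entry_matches(filter_str, entry):
    """Evaluate the one filter shape the module builds, (attr=value), against
    an entry: '*' is a presence test, anything else an equality test."""
    m = re.fullmatch(r"\(([\w-]+)=(.*)\)", filter_str)
    if m is None:
        raise ValueError("unsupported filter: %r" % filter_str)
    attr, value = m.group(1), m.group(2)
    values = entry.get(attr, [])
    if value == "*":
        return bool(values)
    return unescape_filter_value(value) in values


def roles_for(user_dn, original=False):
    """Sorted role names (the roleAttributeID, cn) whose entries match the
    role filter, mirroring the search under rolesCtxDN with
    uidAttributeID=member and matchOnUserDN=true."""
    flt = build_role_filter("member", user_dn, original)
    return sorted(e["cn"][0] for e in ROLE_ENTRIES if entry_matches(flt, e))


if __name__ == "__main__":
    user1 = "uid=user1,ou=Webusers,dc=mydomain,dc=net"
    print("presence filter:", build_role_filter("member", user1, original=True),
          "->", roles_for(user1, original=True))
    print("equality filter:", build_role_filter("member", user1),
          "->", roles_for(user1))
```

Run stand-alone, the script shows `(member=*)` returning all three roles for user1, which is exactly the symptom in the post, and `(member=uid=user1,ou=Webusers,dc=mydomain,dc=net)` returning only `myldap`. Because the value is escaped, passing a bare `*` as the user produces `(member=\2a)` and matches nothing, so the equality filter cannot be widened back into a presence filter by the value it carries.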