Hi,

I've used the LdapLoginModule in previous versions of JBoss and it seemed to 
work fine.

I've just tried using it with multiple roles and found very weird behaviour.  
It would tell me that every user was in every role.  With the example schema 
below, it would tell me that user1 is in roles `myldap-ipc', `myldap' and 
`myldap-admin', when he is only listed as part of `myldap'.  I feel that the 
problem is caused by LdapLoginModule not correctly creating the filter to send 
to the LDAP server.

I have created MyLdapLoginModule.java with a modified roleFilter and it works 
the way I would expect:

         String uidAttrName = (String) options.get(UID_ATTRIBUTE_ID_OPT);
         if (uidAttrName == null)
            uidAttrName = "uid";
         String roleAttrName = (String) options.get(ROLE_ATTRIBUTE_ID_OPT);
         if (roleAttrName == null)
            roleAttrName = "roles";
         StringBuffer roleFilter = new StringBuffer("(");
         roleFilter.append(uidAttrName);
         // This line commented by Daniel
         //roleFilter.append("=*)");
         //BasicAttributes matchAttrs = new BasicAttributes(true);
         String userToMatch = username;
         if (matchOnUserDN == true)
            userToMatch = userDN;

         // Added by Daniel
         roleFilter.append("=").append(userToMatch).append(")");

Here is a sample of the login-config.xml I have been using:

    <application-policy name="myldap-policy">

        <!-- for users -->
        <login-module code="org.jboss.security.auth.spi.MyLdapLoginModule" flag="required">
          <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
          <module-option name="java.naming.provider.url">ldap://localhost:389/</module-option>
          <module-option name="java.naming.security.authentication">simple</module-option>
          <module-option name="principalDNPrefix">uid=</module-option>
          <module-option name="principalDNSuffix">,ou=Webusers,dc=mydomain,dc=net</module-option>
          <module-option name="rolesCtxDN">ou=Roles,dc=mydomain,dc=net</module-option>
          <module-option name="uidAttributeID">member</module-option>
          <module-option name="matchOnUserDN">true</module-option>
          <module-option name="roleAttributeID">cn</module-option>
          <module-option name="roleAttributeIsDN">false</module-option>
          <module-option name="searchScope">ONELEVEL_SCOPE</module-option>
        </login-module>

    </application-policy>

Here is an example of my schema (filtered with sed to remove my domain and 
application name):

# extended LDIF
#
# LDAPv3
# base <ou=Roles,dc=mydomain,dc=net> with scope sub
# filter: (objectclass=*)
# requesting: ALL
#

# Roles, mydomain.net
dn: ou=Roles,dc=mydomain,dc=net
objectClass: top
objectClass: organizationalUnit
ou: Roles

# myldap-ipc, Roles, mydomain.net
dn: cn=myldap-ipc,ou=Roles,dc=mydomain,dc=net
objectClass: top
objectClass: groupOfNames
description: blah
member: uid=ipc-user,ou=Webusers,dc=mydomain,dc=net
cn: myldap-ipc

# myldap-admin, Roles, mydomain.net
dn: cn=myldap-admin,ou=Roles,dc=mydomain,dc=net
description: myldap users
objectClass: top
objectClass: groupOfNames
cn: myldap-admin
member: uid=dpocock,ou=Webusers,dc=mydomain,dc=net

# myldap, Roles, mydomain.net
dn: cn=myldap,ou=Roles,dc=mydomain,dc=net
description: Users of myldap logger
objectClass: top
objectClass: groupOfNames
member: uid=dpocock,ou=Webusers,dc=mydomain,dc=net
member: uid=user1,ou=Webusers,dc=mydomain,dc=net
cn: myldap

# search result
search: 2
result: 0 Success

# numResponses: 5
# numEntries: 4

Regards,

Daniel

View the original post : 
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3908057#3908057
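The following is an added example, not code from JBoss or from the post above. It replays the role search against the groupOfNames entries copied from the post's LDIF, once with the filter shape the unmodified module sends, `(member=*)`, and once with the corrected equality filter `(member=<userDN>)`, so the symptom (user1 reported in all three roles) and the fix can be checked offline. The substituted value is escaped per RFC 4515 before it is concatenated into the filter, which the snippet in the post does not do; without that, a username or DN containing `*`, `(`, `)` or `\` changes the meaning of the filter. The filter evaluator only understands the single presence and equality filters this comparison needs; everything else (function names, the parser) is an assumption made for the example.

```python
"""Replay the LdapLoginModule role search from the post against its LDIF.

Added example: models only '(attr=*)' (presence) and '(attr=value)'
(equality) filters, evaluated against the post's groupOfNames entries.
"""
import re

# groupOfNames entries copied from the post's LDIF (attributes the search needs).
ROLES_LDIF = """\
dn: cn=myldap-ipc,ou=Roles,dc=mydomain,dc=net
objectClass: groupOfNames
member: uid=ipc-user,ou=Webusers,dc=mydomain,dc=net
cn: myldap-ipc

dn: cn=myldap-admin,ou=Roles,dc=mydomain,dc=net
objectClass: groupOfNames
cn: myldap-admin
member: uid=dpocock,ou=Webusers,dc=mydomain,dc=net

dn: cn=myldap,ou=Roles,dc=mydomain,dc=net
objectClass: groupOfNames
member: uid=dpocock,ou=Webusers,dc=mydomain,dc=net
member: uid=user1,ou=Webusers,dc=mydomain,dc=net
cn: myldap
"""


def parse_ldif(text):
    """Minimal LDIF reader: one dict per entry, attribute name -> list of values."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(": ")
            entry.setdefault(attr.lower(), []).append(value)
        entries.append(entry)
    return entries


# RFC 4515 section 3: characters that carry meaning inside a filter assertion value.
_ESCAPE = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape a value so it is matched literally when embedded in a filter."""
    return "".join(_ESCAPE.get(ch, ch) for ch in value)


def original_role_filter(uid_attr, _user_to_match=None):
    """Filter the unmodified module builds: a presence test, true for every
    group that has at least one member, regardless of who is logging in."""
    return "(" + uid_attr + "=*)"


def fixed_role_filter(uid_attr, user_to_match):
    """Daniel's equality filter, with the substituted value escaped."""
    return "(" + uid_attr + "=" + escape_filter_value(user_to_match) + ")"


_FILTER_RE = re.compile(r"^\(([^=]+)=(.*)\)$")


def unescape_filter_value(value):
    """Reverse RFC 4515 \\XX escapes (what the server does before comparing)."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def matches(entry, filt):
    """Evaluate one presence or equality filter against one entry."""
    m = _FILTER_RE.match(filt)
    if not m:
        raise ValueError("unsupported filter: " + filt)
    attr, value = m.group(1).lower(), m.group(2)
    values = entry.get(attr, [])
    if value == "*":                     # presence filter
        return bool(values)
    wanted = unescape_filter_value(value).lower()
    return any(v.lower() == wanted for v in values)


def roles_for(user_dn, filter_builder, uid_attr="member", role_attr="cn"):
    """Role names (roleAttributeID=cn) whose entry satisfies the built filter."""
    filt = filter_builder(uid_attr, user_dn)
    return sorted(e[role_attr][0] for e in parse_ldif(ROLES_LDIF) if matches(e, filt))


if __name__ == "__main__":
    user1 = "uid=user1,ou=Webusers,dc=mydomain,dc=net"
    print("original filter:", original_role_filter("member"), roles_for(user1, original_role_filter))
    print("fixed filter:   ", fixed_role_filter("member", user1), roles_for(user1, fixed_role_filter))
```

With matchOnUserDN=true the value substituted is the full user DN, so the equality filter matches only groups whose member attribute lists that DN; the presence filter matches every non-empty group, which is exactly the "every user in every role" result the post describes.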

JBoss-user mailing list
JBoss-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/jboss-user