Hello,

I have the following problem with jSecurity, ActiveDirectoryRealm and group
mappings.

I have an AD setup on one server (WHEEL) with a simple user called user1.
This user is in an LDAP group called "login" (CN=login,OU=Groups,DC=WHEEL).

Next I'm trying to log in and retrieve roles for this user. Login works fine,
but when it comes to user roles I have to additionally provide a username and
password in activeDirectoryRealm.setSystemUsername/Password. I've found in
the API that it is a pretty normal behaviour (but IMHO very inconvenient)
(http://www.jsecurity.org/releases/0.9.0-beta2/docs/api/org/jsecurity/realm/ldap/DefaultLdapContextFactory.html#setSystemUsername(java.lang.String)):

    systemUsername - the username to use when logging into the LDAP server for
    authorization.

Is there any tricky way to bypass this? Setting the same credentials on two
objects to authorize and authenticate one user seems to be quite wrong.

I've managed to obtain this by creating a super user (with enterprise
administrator rights) that has a hardcoded username and password in the
application (systemUsername and systemPassword), and this works for
authenticating other users, but I'd like to avoid using such a powerful user
just for fetching groups, as it seems to be huge overkill to me.

Here is a class I'm using to test with AD:

import java.util.HashMap;
import java.util.Map;

import org.jsecurity.authc.UsernamePasswordToken;
import org.jsecurity.mgt.DefaultSecurityManager;
import org.jsecurity.realm.activedirectory.ActiveDirectoryRealm;
import org.jsecurity.subject.Subject;

public class TestJSec {

        private DefaultSecurityManager securityManager = new DefaultSecurityManager();
        private ActiveDirectoryRealm activeDirectoryRealm = new ActiveDirectoryRealm();

        public TestJSec() {
                activeDirectoryRealm.setSearchBase("DC=WHEEL");
                activeDirectoryRealm.setUrl("ldap://ldap-host:389");
                // if either of these two is missing the user won't fetch his roles
                activeDirectoryRealm.setSystemUsername("us...@wheel");
                activeDirectoryRealm.setSystemPassword("user1");
                // group DN -> role name
                Map<String, String> map = new HashMap<String, String>();
                map.put("CN=login,OU=Groups,DC=WHEEL", "login");
                activeDirectoryRealm.setGroupRolesMap(map);

                securityManager.setRealm(activeDirectoryRealm);
        }

        private void testLogin() {
                UsernamePasswordToken userToken = new UsernamePasswordToken("us...@wheel", "user1");

                Subject subject = securityManager.login(userToken);
                if (subject.hasRole("login")) {
                        System.out.println("User in role");
                } else {
                        System.out.println("User has no role");
                }
        }

        public static void main(String[] args) {
                TestJSec tjs = new TestJSec();
                tjs.testLogin();
        }
}


For example, in JBoss this config works without a super user:


<application-policy name="DLG_REGW_POLICY">
        <authentication>
                <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">
                        <module-option name="java.naming.provider.url">ldap://ldap-host:389/</module-option>
                        <module-option name="rolesCtxDN">OU=Groups,DC=WHEEL</module-option>
                        <module-option name="matchOnUserDN">false</module-option>
                        <module-option name="uidAttributeID">sAMAccountName</module-option>
                        <module-option name="roleAttributeID">memberOf</module-option>
                        <module-option name="roleAttributeIsDN">true</module-option>
                        <module-option name="roleNameAttributeID">name</module-option>
                        <module-option name="searchTimeLimit">5000</module-option>
                        <module-option name="allowEmptyPasswords">false</module-option>
                        <module-option name="searchScope">SUBTREE_SCOPE</module-option>
                </login-module>
        </authentication>
</application-policy>
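The JBoss module above does both jobs with a single bind as the user: the bind proves the password, and the same context reads memberOf. As an added example (not code from the post or from JSecurity), the same lookup written against plain JNDI shows what a custom realm's authentication step could do so that no systemUsername/systemPassword is needed; the URL, search base and group map are the post's values, the main() arguments are placeholders, and it assumes (the AD default) that an authenticated user may read its own memberOf attribute.

```java
import java.util.*;
import javax.naming.*;
import javax.naming.directory.*;

public class UserBindRoleLookup {
        // Values taken from the post; adjust to your environment.
        static final String URL = "ldap://ldap-host:389";
        static final String SEARCH_BASE = "DC=WHEEL";
        static final Map<String, String> GROUP_ROLES =
                Collections.singletonMap("CN=login,OU=Groups,DC=WHEEL", "login");

        /** Binds as the user and returns the roles mapped from that user's memberOf. */
        public static Set<String> rolesForUser(String upn, String password, String sAMAccountName)
                        throws NamingException {
                if (password == null || password.isEmpty()) {
                        // AD treats an empty password as an anonymous bind that "succeeds"; refuse it
                        // (this is what allowEmptyPasswords=false does in the JBoss module).
                        throw new AuthenticationException("empty password not allowed");
                }
                Hashtable<String, Object> env = new Hashtable<String, Object>();
                env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
                env.put(Context.PROVIDER_URL, URL);
                env.put(Context.SECURITY_AUTHENTICATION, "simple");
                env.put(Context.SECURITY_PRINCIPAL, upn);         // the user's own credentials,
                env.put(Context.SECURITY_CREDENTIALS, password);  // no system account involved

                DirContext ctx = new InitialDirContext(env);      // throws AuthenticationException on a bad password
                try {
                        SearchControls sc = new SearchControls();
                        sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
                        sc.setReturningAttributes(new String[] {"memberOf"});
                        sc.setTimeLimit(5000);
                        // {0} is substituted and escaped by JNDI, so the account name cannot alter the filter
                        NamingEnumeration<SearchResult> results =
                                ctx.search(SEARCH_BASE, "(sAMAccountName={0})", new Object[] {sAMAccountName}, sc);
                        Set<String> roles = new HashSet<String>();
                        while (results.hasMore()) {
                                Attribute memberOf = results.next().getAttributes().get("memberOf");
                                if (memberOf == null) continue;
                                for (int i = 0; i < memberOf.size(); i++) {
                                        String role = GROUP_ROLES.get(memberOf.get(i)); // group DN -> role name
                                        if (role != null) roles.add(role);
                                }
                        }
                        return roles;
                } finally {
                        ctx.close();
                }
        }

        public static void main(String[] args) throws NamingException {
                // placeholders: <user@domain> <password> <sAMAccountName>
                System.out.println(rolesForUser(args[0], args[1], args[2]));
        }
}
```

Group DNs returned by AD may differ in case from the map keys, so a production realm should compare them case-insensitively.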

Sent from the JSecurity User mailing list archive at Nabble.com.
