My understanding of ldap is kinda limited but I think that you are asking to authenticate all your users under ou=people but that you want to assign permissions only to the CLINICS group.

If you want to only authenticate people in the clinics group you need a query that will only return those people. I'm not sure how to construct such an ldap query.

Hope this makes sense.

david jencks

On Apr 3, 2013, at 2:10 PM, VPCL <vetpu...@hotmail.com> wrote:

> Hi:
>
> I'm currently using Geronimo 2.2 and OpenLDAP: slapd 2.3.43.
>
> I'm trying to create an LDAP Security Realm on the Geronimo server that will
> query my OpenLDAP server. For the most part, it works. However, the realm
> cannot seem to differentiate between the two different groups on the LDAP
> server. This results in any member being authenticated no matter which group
> they belong to, which is not what I want. I'm only trying to authenticate
> users if they are members of the 'CLINICS' group.
>
> Here's how my LDAP is set up:
>
> dc=mydomain,dc=on,dc=ca (objectClass=dcObject, organization)
>   ou=groups (objectClass=organizationalUnit)
>     cn=ADMIN (objectClass=groupOfUniqueNames)
>     cn=CLINICS (objectClass=groupOfUniqueNames)
>       uid=User1,ou=people,dc=mydomain,dc=on,dc=ca
>       uid=User2,ou=people,dc=mydomain,dc=on,dc=ca
>       uid=User3,ou=people,dc=mydomain,dc=on,dc=ca
>     cn=SUPPLIERS (objectClass=groupOfUniqueNames)
>       uid=Supplier1,ou=people,dc=mydomain,dc=on,dc=ca
>       uid=Supplier2,ou=people,dc=mydomain,dc=on,dc=ca
>   ou=people (objectClass=organizationalUnit)
>     uid=User1 (objectClass=inetOrgPerson)
>     uid=User2 (objectClass=inetOrgPerson)
>     uid=User3 (objectClass=inetOrgPerson)
>     uid=Supplier1 (objectClass=inetOrgPerson)
>     uid=Supplier1 (objectClass=inetOrgPerson)
>
> On the Geronimo side, here is how I set up my realm:
>
> Initial Context Factory: com.sun.jndi.ldap.LdapCtxFactory
> Connection URL: ldap://localhost:389
> Connect Username: cn=someuser,dc=mydomain,dc=on,dc=ca
> Connect Password: secret
> Confirm Password: secret
> Connect Protocol:
> Authentication: simple
> User Base: ou=people,dc=mydomain,dc=on,dc=ca
> User Search Matching: uid={0}
> User Search Subtree: false
> Role Base: cn=CLINICS,ou=groups,dc=vpcl,dc=on,dc=ca
> Role Name: cn
> Role User Search String: uid={0}
> Role Search Subtree: false
> User Role Search String: memberOf={0}
>
> I've tried replacing the 'User Search Matching' and/or the 'Role User Search
> String' with stuff like:
>
> (&(uid={0})(cn=CLINICS,ou=groups,dc=mydomain,dc=on,dc=ca)(attr=uniqueMember))
>
> But it's just not working out.
>
> On a side note: I do have Apache directives using this LDAP database as well
> as some PHP applications. I just don't know why I can't get Geronimo to work
> with it.
>
> Any help would be appreciated.
>
> Thanks...
>
> Fred
>
> --
> View this message in context:
> http://apache-geronimo.328035.n3.nabble.com/Geronimo-OpenLDAP-not-quite-right-tp3986519.html
> Sent from the Users mailing list archive at Nabble.com.
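One way to express the restriction Fred is after as a single LDAP filter: search the group entry for a uniqueMember equal to the user's DN, so the search returns nothing for anyone outside CLINICS. This is an added illustration, not code from the thread or from Geronimo; the group data, the uid allow-list and the tiny in-memory search stand-in are constructed assumptions.

```python
import re

# Constructed sample of the group entries from the thread (only the attributes
# the membership check needs; DNs follow Fred's DIT under dc=mydomain).
BASE = "dc=mydomain,dc=on,dc=ca"
GROUPS = {
    f"cn=CLINICS,ou=groups,{BASE}": {
        "cn": ["CLINICS"],
        "objectClass": ["groupOfUniqueNames"],
        "uniqueMember": [f"uid=User{i},ou=people,{BASE}" for i in (1, 2, 3)],
    },
    f"cn=SUPPLIERS,ou=groups,{BASE}": {
        "cn": ["SUPPLIERS"],
        "objectClass": ["groupOfUniqueNames"],
        "uniqueMember": [f"uid=Supplier{i},ou=people,{BASE}" for i in (1, 2)],
    },
}

# Assumed allow-list for login names: no DN separators or filter metacharacters,
# so the name cannot change the structure of the DN or the filter built below.
UID_OK = re.compile(r"^[A-Za-z0-9._-]{1,64}$")

def clinics_member_filter(uid: str) -> str:
    """Filter that matches the CLINICS group entry only when the user's DN is
    one of its uniqueMember values."""
    if not UID_OK.match(uid):
        raise ValueError("uid contains characters outside the allow-list")
    user_dn = f"uid={uid},ou=people,{BASE}"
    return f"(&(cn=CLINICS)(objectClass=groupOfUniqueNames)(uniqueMember={user_dn}))"

_CLAUSE = re.compile(r"\(([A-Za-z]+)=([^()]*)\)")

def search(entries: dict, ldap_filter: str) -> list:
    """Stand-in for the directory: evaluates an AND of equality clauses over
    in-memory entries (assumption: enough for this check, not a full RFC 4515
    parser). cn and DN-valued attributes match case-insensitively."""
    clauses = _CLAUSE.findall(ldap_filter)
    matches = []
    for dn, attrs in entries.items():
        lowered = {k.lower(): [v.lower() for v in vals] for k, vals in attrs.items()}
        if all(val.lower() in lowered.get(attr.lower(), []) for attr, val in clauses):
            matches.append(dn)
    return matches

def is_clinics_member(uid: str) -> bool:
    """Authentication gate: the user passes only if the CLINICS entry comes back."""
    try:
        return bool(search(GROUPS, clinics_member_filter(uid)))
    except ValueError:
        return False
```

Against a real server the same filter would be sent with the search base set to ou=groups,dc=mydomain,dc=on,dc=ca, and an empty result means the login should be refused even though the user exists under ou=people.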