Answering my own post here. I now understand that the <sec:distinguished-name> element is meant to be used with X.509 client certificate support, and is not intended as an integration with a (back-end) LDAP realm.
These can co-exist, with the LDAP realm configuration being independent of any DN as presented via X.509 certificates. Sorry for the confusion.

Thanks,
John

On Fri, May 24, 2013 at 1:47 PM, Field, John <jfi...@gopivotal.com> wrote:
> Greetings,
>
> I have a Geronimo 3 deployment and I have configured my application to use
> the LDAPLoginModule against Fortress (i.e. OpenLDAP).
>
> I have included a security role as part of the web.xml, and I've
> successfully mapped that abstract role to LDAP groups using
>
> <principal name="myAbstractRoleName"
>            class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"/>
>
> in my geronimo-web.xml.
>
> However, the configuration option for a <distinguished-name> here does not
> seem to work.
>
> Does anyone know if this is implemented in the runtime, or perhaps there is
> something wrong in my configuration?
>
> Below is a simple geronimo-web.xml configuration that I've done against
> one of the sample EJB applications to demonstrate the problem.
>
> TIA,
> John
>
> <?xml version="1.0" encoding="UTF-8"?>
> <web-app xmlns="http://geronimo.apache.org/xml/ns/j2ee/web-2.0"
>          xmlns:sec="http://geronimo.apache.org/xml/ns/security-2.0">
>
>   <dep:environment xmlns:dep="http://geronimo.apache.org/xml/ns/deployment-1.2">
>     <dep:moduleId>
>       <dep:artifactId>MyTimeWeb</dep:artifactId>
>       <dep:version>1.0</dep:version>
>       <dep:type>war</dep:type>
>     </dep:moduleId>
>     <dep:dependencies>
>       <dep:dependency>
>         <dep:groupId>console.realm</dep:groupId>
>         <dep:artifactId>FortressRealm</dep:artifactId>
>         <dep:version>1.0</dep:version>
>         <dep:type>car</dep:type>
>       </dep:dependency>
>     </dep:dependencies>
>   </dep:environment>
>
>   <context-root>/mytime</context-root>
>
>   <security-realm-name>FortressRealm</security-realm-name>
>
>   <sec:security>
>     <sec:default-principal>
>       <sec:principal name="anonymous"
>                      class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal"/>
>     </sec:default-principal>
>     <sec:role-mappings>
>       <sec:role role-name="EnmasseSuperUserRole">
>
>         <sec:principal name="EnmasseSuperUser"
>                        class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"/>
>         <sec:principal name="role1"
>                        class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"/>
>
>         <!-- Support for this does not seem to be implemented: -->
>         <sec:distinguished-name name="uid=johnfield,ou=People,dc=jts,dc=us"></sec:distinguished-name>
>         <sec:distinguished-name name="cn=EnmasseSuperUser,ou=Roles,ou=RBAC,dc=jts,dc=us"></sec:distinguished-name>
>         <sec:distinguished-name name="cn=role1,ou=Roles,ou=RBAC,dc=jts,dc=us"></sec:distinguished-name>
>
>         <!-- This works, but is not my preferred approach. -->
>         <sec:principal name="johnfield"
>                        class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal"/>
>
>       </sec:role>
>     </sec:role-mappings>
>   </sec:security>
>
> </web-app>
>
> --
> John P. Field | Security Architect | Pivotal
> Direct: (908) 962-3394 | jfi...@gopivotal.com
> goPivotal.com <http://www.goPivotal.com>