[jboss-user] [JBoss Portal] - Re: LDAP and Active Directory

creative77 do-not-reply at jboss.com
Mon Oct 2 12:35:31 EDT 2006


Wiki says that the "rolesCtxDN" is the path to the user's account and not the path to the actual group/role.

When I set this, the servlet crashes with an "account not found" exception. However, when I change the path to the group path, it authenticates the user but can't find the user's group/role.

I am confused.

As I have said the user accounts and groups are in different subtrees.

#################################################

This crashes the login servlet with "account not found". Accounts are in the following container.


<module-option name="rolesCtxDN">ou=Adomain Users,ou=Adomain Resources,dc=adomain,dc=com</module-option>

        <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required" >
            <!--
                Some AD configurations may require searching against
                the Global Catalog on port 3268 instead of the usual
                port 389.  This is most likely when the AD forest
                includes multiple domains.
            -->
            <module-option name="java.naming.provider.url">ldap://adserver.adomain.com:389</module-option>
            <module-option name="bindDN">DomainUser</module-option>
            <module-option name="bindCredential">DomainPassword</module-option>
            <module-option name="baseCtxDN">dc=adomain,dc=com</module-option>
            <module-option name="baseFilter">(sAMAccountName={0})</module-option>
            
            <module-option name="rolesCtxDN">ou=Adomain Users,ou=Adomain Resources,dc=adomain,dc=com</module-option>
            <module-option name="roleFilter">(sAMAccountName={0})</module-option>
            <module-option name="roleAttributeID">memberOf</module-option>
            <module-option name="roleAttributeIsDN">true</module-option>
            <module-option name="roleNameAttributeID">cn</module-option>

            <module-option name="roleRecursion">-1</module-option>
            
            <module-option name="searchScope">ONELEVEL_SCOPE</module-option>
        </login-module>


View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3975561#3975561
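An added example (not the poster's code, and not a real LDAP client) that models the two searches LdapExtLoginModule performs with the options from the post against a small constructed directory, so the effect of rolesCtxDN and searchScope on role lookup can be checked offline. It assumes the module's documented flow (baseFilter under baseCtxDN to find the account, then roleFilter under rolesCtxDN with {0} = username, roleAttributeIsDN resolving each memberOf value to its cn) and applies searchScope to both searches; the group container name "ou=Adomain Groups" and the user "jdoe" are made up.

```python
# Constructed in-memory stand-in for the AD tree described in the post (not a real LDAP client).
DIRECTORY = {
    "cn=jdoe,ou=Adomain Users,ou=Adomain Resources,dc=adomain,dc=com": {
        "sAMAccountName": ["jdoe"],
        "memberOf": ["cn=portaladmin,ou=Adomain Groups,ou=Adomain Resources,dc=adomain,dc=com"]},
    "cn=portaladmin,ou=Adomain Groups,ou=Adomain Resources,dc=adomain,dc=com": {
        "cn": ["portaladmin"], "objectClass": ["group"]},  # assumed group container
}

def in_scope(dn, base, scope):
    """True when dn lies under base for the given scope (ONELEVEL_SCOPE or SUBTREE_SCOPE)."""
    if not dn.lower().endswith("," + base.lower()):
        return False
    rdns_below_base = dn[: len(dn) - len(base) - 1]
    return scope == "SUBTREE_SCOPE" or "," not in rdns_below_base  # ONELEVEL: one RDN below base

def search(base, scope, filt, username):
    """Evaluate a single-equality filter such as (sAMAccountName={0}) under base."""
    attr, value = filt.strip("()").split("=", 1)
    value = value.replace("{0}", username)
    return [dn for dn, attrs in DIRECTORY.items()
            if in_scope(dn, base, scope) and value in attrs.get(attr, [])]

def resolve_roles(opts, username):
    """Mirror LdapExtLoginModule: locate the account under baseCtxDN, then run roleFilter
    under rolesCtxDN and read roleAttributeID; with roleAttributeIsDN=true each value is a
    group DN whose roleNameAttributeID supplies the role name."""
    scope = opts.get("searchScope", "SUBTREE_SCOPE")
    if not search(opts["baseCtxDN"], scope, opts["baseFilter"], username):
        raise LookupError("account not found: " + username)  # login stops before any role search
    roles = set()
    for entry in search(opts["rolesCtxDN"], scope, opts["roleFilter"], username):
        for value in DIRECTORY[entry].get(opts["roleAttributeID"], []):
            if opts["roleAttributeIsDN"] == "true":
                roles.update(DIRECTORY.get(value, {}).get(opts["roleNameAttributeID"], []))
            else:
                roles.add(value)
    return roles

USERS_OU = "ou=Adomain Users,ou=Adomain Resources,dc=adomain,dc=com"
GROUPS_OU = "ou=Adomain Groups,ou=Adomain Resources,dc=adomain,dc=com"  # assumed
POSTED = {  # module-options from the post, with searchScope widened so the nested account is reachable
    "baseCtxDN": "dc=adomain,dc=com", "baseFilter": "(sAMAccountName={0})",
    "rolesCtxDN": USERS_OU, "roleFilter": "(sAMAccountName={0})",
    "roleAttributeID": "memberOf", "roleAttributeIsDN": "true",
    "roleNameAttributeID": "cn", "searchScope": "SUBTREE_SCOPE"}

if __name__ == "__main__":
    print(resolve_roles(POSTED, "jdoe"))                              # {'portaladmin'}
    print(resolve_roles(dict(POSTED, rolesCtxDN=GROUPS_OU), "jdoe"))  # set(): roleFilter matches no group
    try:
        resolve_roles(dict(POSTED, searchScope="ONELEVEL_SCOPE"), "jdoe")
    except LookupError as err:
        print(err)                                                    # account not found: jdoe
```

In this model the roleFilter/memberOf combination only yields roles when rolesCtxDN covers the user entries, and ONELEVEL_SCOPE from dc=adomain,dc=com never reaches an account nested two OUs down.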
