[jboss-user] [Security & JAAS/JBoss] - LdapLoginModule and role attribute not retrieved

l.pasquinelli do-not-reply at jboss.com
Mon Aug 28 18:15:59 EDT 2006 

Hi all,

It's about 2 days that i'm not able to resolve this problem. I'm trying to configure jboss to work with a webapplication that actually run under tomcat 5.5, but i'm not able to to configure LdapLoginModule.
The page that should appear after login is in a protected area associated with a role "Cataloguer". This role is associated in LDAP tree, as an attribute of each users as value of field initials.

 When I try to login I receive an error 403 as the user isn't in the correct role. 

I trace in a public jsp request.getUserPrincipal().getName() and request.isUserInRole("Cataloguer"), and I call this page after my login. I see that the user Principal is correct but the condition isUserInRole return false.

I activate trace information in log4j.xml for category "org.jboss.security.auth.spi" and this is the output .

2006-08-28 23:37:04,015 DEBUG [org.jboss.security.plugins.JaasSecurityManagerService] Added ldap-pdil, org.jboss.security.plugins.SecurityDomainContext at bc448b to map
2006-08-28 23:37:04,031 TRACE [org.jboss.security.auth.spi.LdapLoginModule] initialize, instance=@30675222
2006-08-28 23:37:04,031 TRACE [org.jboss.security.auth.spi.LdapLoginModule] login
2006-08-28 23:37:04,031 TRACE [org.jboss.security.auth.spi.LdapLoginModule] Logging into LDAP server, env={java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, principalDNPrefix=cn=, java.naming.security.principal=cn=Cataloguer_1,ou=people,dc=mycompany,dc=com, roleAttributeID=initials, matchOnUserDN=false, principalDNSuffix=,ou=people,dc=soloreti,dc=net, allowEmptyPasswords=false, java.naming.provider.url=ldap://localhost:389/, roleAttributeIsDN=false, java.naming.security.authentication=simple, java.naming.security.credentials=***}
2006-08-28 23:37:04,078 TRACE [org.jboss.security.auth.spi.LdapLoginModule] Logged into LDAP server, javax.naming.ldap.InitialLdapContext at 1ff83
2006-08-28 23:37:04,078 TRACE [org.jboss.security.auth.spi.LdapLoginModule] Rebind SECURITY_PRINCIPAL to: cn=Manager,dc=mycompany,dc=com2006-08-28 23:37:04,078 TRACE [org.jboss.security.auth.spi.LdapLoginModule] User 'Cataloguer_1' authenticated, loginOk=true
2006-08-28 23:37:04,078 TRACE [org.jboss.security.auth.spi.LdapLoginModule] commit, loginOk=true


My application define 4 private area, each of them are associated to a role; in my LDAP role information is the attribute "initials" of the user.

I configure an application policy under login-config.xml 

	<application-policy name="ldap-pdil">
		
            <!--<login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">-->
            <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">-->
                <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
                <module-option name="java.naming.provider.url">ldap://localhost:389/</module-option>
                <module-option name="java.naming.security.authentication">simple</module-option>
                <module-option name="java.naming.security.principal">cn=Manager,dc=mycompany,dc=com/module-option>
                <module-option name="java.naming.security.credentials">secret</module-option>
                <module-option name="principalDNPrefix">cn=</module-option>                    
                <module-option name="principalDNSuffix">,ou=people,dc=mycompany,dc=com</module-option>
                <module-option name="matchOnUserDN">true</module-option>
                <module-option name="roleAttributeID">initials</module-option>
                <module-option name="roleAttributeIsDN">false</module-option>
                <module-option name="allowEmptyPasswords">false</module-option>
            </login-module>
        
    </application-policy>


and i referenced it in my login module

    <login-config>
        <auth-method>FORM</auth-method>
	<realm-name>ldap-pdil</realm-name>
	<form-login-config>
	    <form-login-page>/login.jsp</form-login-page>
           <form-error-page>/errors/loginFailedError.jsp</form-error-page>
	</form-login-config>
    </login-config>


I think that i don't configure correctly these module option "matchOnUserDN", "roleAttributeID", "roleAttributeIsDN"  : I try different  value but the result is the same!

Some one can help me?

Why the user successfully login, but no role information are available?

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3967944#3967944

Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=3967944

More information about the jboss-user mailing list