[jboss-user] [Security & JAAS/JBoss] - JAAS/LDAP Roles configuration pulls superset instead of filt
sarahm
do-not-reply at jboss.com
Wed Oct 11 13:24:49 EDT 2006
I am having a strange error with what should be a simple configuration. I am able to authenticate off LDAP, but the role list received is not the one I expect.
I have the following config (with my actual domain, etc):
login-config.xml
| <application-policy name="testLDAP">
| <authentication>
| <login-module code="org.jboss.security.auth.spi.LdapLoginModule"
| flag="required">
| <module-option name="java.naming.factory.initial">
| com.sun.jndi.ldap.LdapCtxFactory
| </module-option>
| <module-option name="java.naming.provider.url">
| ldap://ldap.mydomain.com/
| </module-option>
| <module-option name="java.naming.security.authentication">
| simple
| </module-option>
| <module-option name="principalDNPrefix">uid=</module-option>
| <module-option name="principalDNSuffix">
| ,ou=People,dc=mydomain,dc=com
| </module-option>
| <module-option name="rolesCtxDN">
| ou=Groups,dc=mydomain,dc=com
| </module-option>
| <module-option name="uidAttributeID">memberUid</module-option>
| <module-option name="matchOnUserDN">false</module-option>
| <module-option name="roleAttributeID">cn</module-option>
| <module-option name="roleAttributeIsDN">false</module-option>
| <module-option name="searchScope">ONELEVEL_SCOPE</module-option>
| </login-module>
| </authentication>
| </application-policy>
Example LDAP User:
dn: uid=sarahm,ou=People,dc=mydomain,dc=com
| objectClass: posixAccount
| objectClass: shadowAccount
| objectClass: inetOrgPerson
| objectClass: sambaSamAccount
| uid: sarahm
| uidNumber: 1040
| gidNumber: 6000
Example LDAP Group:
dn: cn=it,ou=Groups,dc=mydomain,dc=com
| cn: it
| displayName: it
| sambaGroupType: 2
| objectClass: top
| objectClass: posixGroup
| objectClass: sambaGroupMapping
| gidNumber: 6008
| memberUid: sarahm
| memberUid: user1
| memberUid: user2
With this configuration, I expect only the groups for the current user to be used as roles. However, in both JSP (request.isUserInGroup) and the auth-constraint roles in web.xml all of my checks for roles will resolve to true if I have a corresponding group, even if the user is not in the group. For instance, request.isUserInGroup("accounting") is true for any user as the accounting group exists in LDAP.
It seems for some reason roles are not being filtered properly by user.
Any suggestions would be appreciated.
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3977631#3977631
Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=3977631
More information about the jboss-user
mailing list