[jboss-user] [Security & JAAS/JBoss] - JAAS/LDAP Roles configuration pulls superset instead of filt

sarahm do-not-reply at jboss.com
Wed Oct 11 13:24:49 EDT 2006


I am having a strange error with what should be a simple configuration.  I am able to authenticate off LDAP, but the role list received is not the one I expect.

I have the following config (with my actual domain, etc):

login-config.xml

    <application-policy name="testLDAP">
        <authentication>
            <login-module code="org.jboss.security.auth.spi.LdapLoginModule"
                          flag="required">
                <module-option name="java.naming.factory.initial">
                    com.sun.jndi.ldap.LdapCtxFactory
                </module-option>
                <module-option name="java.naming.provider.url">
                    ldap://ldap.mydomain.com/
                </module-option>
                <module-option name="java.naming.security.authentication">
                    simple
                </module-option>
                <module-option name="principalDNPrefix">uid=</module-option>
                <module-option name="principalDNSuffix">
                    ,ou=People,dc=mydomain,dc=com
                </module-option>
                <module-option name="rolesCtxDN">
                    ou=Groups,dc=mydomain,dc=com
                </module-option>
                <module-option name="uidAttributeID">memberUid</module-option>
                <module-option name="matchOnUserDN">false</module-option>
                <module-option name="roleAttributeID">cn</module-option>
                <module-option name="roleAttributeIsDN">false</module-option>
                <module-option name="searchScope">ONELEVEL_SCOPE</module-option>
            </login-module>
        </authentication>
    </application-policy>

Example LDAP User:
    dn: uid=sarahm,ou=People,dc=mydomain,dc=com
    objectClass: posixAccount
    objectClass: shadowAccount
    objectClass: inetOrgPerson
    objectClass: sambaSamAccount
    uid: sarahm
    uidNumber: 1040
    gidNumber: 6000

Example LDAP Group:
    dn: cn=it,ou=Groups,dc=mydomain,dc=com
    cn: it
    displayName: it
    sambaGroupType: 2
    objectClass: top
    objectClass: posixGroup
    objectClass: sambaGroupMapping
    gidNumber: 6008
    memberUid: sarahm
    memberUid: user1
    memberUid: user2

With this configuration, I expect only the groups for the current user to be used as roles.  However, in both JSP (request.isUserInGroup) and the auth-constraint roles in web.xml, all of my checks for roles resolve to true if a corresponding group exists, even if the user is not in the group.  For instance, request.isUserInGroup("accounting") is true for any user, as the accounting group exists in LDAP.

It seems for some reason roles are not being filtered properly by user.

Any suggestions would be appreciated.

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3977631#3977631

Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=3977631
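Added example (not from the post, JBoss or the original thread): a small Python model of the roles lookup that the module-options above describe. With matchOnUserDN=false the plain username is matched against uidAttributeID (memberUid) on entries one level below rolesCtxDN, and roleAttributeID (cn) of each matching group becomes a role name; running it over constructed copies of the posted entries shows the role set this configuration should produce for a user, which can be compared with what the container actually grants. Assumptions: option values are whitespace-trimmed, the "accounting" group is constructed, and roleAttributeIsDN=true is not modelled.

```python
import xml.etree.ElementTree as ET

# Constructed excerpt of the posted login-config.xml (only the role-related options).
LOGIN_CONFIG = """<application-policy name="testLDAP"><authentication>
<login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">
  <module-option name="principalDNPrefix">uid=</module-option>
  <module-option name="principalDNSuffix"> ,ou=People,dc=mydomain,dc=com </module-option>
  <module-option name="rolesCtxDN"> ou=Groups,dc=mydomain,dc=com </module-option>
  <module-option name="uidAttributeID">memberUid</module-option>
  <module-option name="matchOnUserDN">false</module-option>
  <module-option name="roleAttributeID">cn</module-option>
  <module-option name="roleAttributeIsDN">false</module-option>
  <module-option name="searchScope">ONELEVEL_SCOPE</module-option>
</login-module></authentication></application-policy>"""

# Constructed directory: the posted "it" group plus an "accounting" group that
# sarahm is NOT a member of (the case the post says wrongly resolves to true).
DIRECTORY = {
    "cn=it,ou=Groups,dc=mydomain,dc=com":
        {"cn": ["it"], "memberUid": ["sarahm", "user1", "user2"]},
    "cn=accounting,ou=Groups,dc=mydomain,dc=com":
        {"cn": ["accounting"], "memberUid": ["user1"]},
}

def module_options(xml_text):
    """Collect module-option name -> value; whitespace trimming is an assumption."""
    root = ET.fromstring(xml_text)
    return {o.get("name"): (o.text or "").strip() for o in root.iter("module-option")}

def expected_roles(opts, username, directory):
    """Roles the configured search should yield for username (roleAttributeIsDN=false)."""
    user_dn = opts["principalDNPrefix"] + username + opts["principalDNSuffix"]
    # matchOnUserDN=true would match the full DN; false matches the bare username.
    match_value = user_dn if opts["matchOnUserDN"] == "true" else username
    base = opts["rolesCtxDN"].lower()
    roles = []
    for dn, attrs in directory.items():
        parent = dn.split(",", 1)[1].lower() if "," in dn else ""
        # ONELEVEL_SCOPE: only immediate children of rolesCtxDN; otherwise whole subtree.
        in_scope = parent == base if opts["searchScope"] == "ONELEVEL_SCOPE" \
            else dn.lower().endswith("," + base)
        if not in_scope:
            continue
        # Filter equivalent to (uidAttributeID=match_value) on this entry.
        if match_value not in attrs.get(opts["uidAttributeID"], []):
            continue
        roles.extend(attrs.get(opts["roleAttributeID"], []))
    return sorted(roles)
```

For sarahm this yields only "it"; if a deployment grants "accounting" to that user as well, the container is not applying the memberUid filter the options describe.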



More information about the jboss-user mailing list