[jboss-user] [JBoss Portal] - LDAP Authentication & Authorization to eDirectory

arnieAustin do-not-reply at jboss.com
Tue May 22 14:12:09 EDT 2007


I am working with the jboss-portal-2.6-CR2 bundle. After getting it configured for MySQL and logging in as 'admin', I reconfigured it for LDAP using the LDAPExtUser/RoleModuleImpl classes. We are using Novell eDirectory set up in an Identity Vault configuration (nearly flat directory with different ou's for users and groups). Anyway, so far so good. I can log in. Well, actually, Admin can log in. I cannot. I keep getting the "Your account is disabled." message on the login screen, which is WRONG since my account is neither disabled nor locked in LDAP. My guess is this misleading message has something to do with Authorization. 

Our LDAP structure:


  | o=idv
  | ou=groups,o=idv
  | ou=apps,ou=groups,o=idv
  | ou=jbossportal,ou=apps,ou=groups,o=idv
  | cn=Administrators,ou=jbossportal,ou=apps,ou=groups,o=idv
  | cn=Users,ou=jbossportal,ou=apps,ou=groups,o=idv
  | 
  | ou=people,o=idv
  | ou=apps,ou=people,o=idv
  | cn=admin,ou=apps,ou=people,o=idv
  | ou=employees,ou=people,o=idv
  | ou=al,ou=employees,ou=people,o=idv
  | cn=acm3,ou=al,ou=employees,ou=people,o=idv
  | 

Note that the admin I am using to authenticate is in a different container in the tree. My account (acm3) is where most employees would be.

The two groups mentioned have various users in them. In the Administrators case, Admin and ACM3 are both members. Yet when Admin logs in, the "Admin" link doesn't appear in the portal window. And ACM3 cannot log in at all.

What could I be missing here? There were no messages on the console log or in server.log that something was wrong.

I've included the ldap_identity-config.xml below:


  | <identity-configuration>
  |    <datasources>
  |       <datasource>
  |          <name>LDAP</name>
  |          <config>
  |             <option>
  |                <name>host</name>
  |                <value>idv1-lab.oag.state.tx.us</value>
  |             </option>
  |             <option>
  |                <name>port</name>
  |                <value>389</value>
  |             </option>
  |             <option>
  |                <name>adminDN</name>
  |                <value>cn=portalsystem,ou=apps,ou=people,o=idv</value>
  |             </option>
  |             <option>
  |                <name>adminPassword</name>
  |                <value>password</value>
  |             </option>
  |             <!--<option>
  |                <name>protocol</name>
  |                <value>ssl</value>
  |             </option>-->
  |          </config>
  |       </datasource>
  |    </datasources>
  |    <modules>
  |       <module>
  |          <!--type used to correctly map in IdentityContext registry-->
  |          <type>User</type>
  |          <implementation>LDAP</implementation>
  |          <class>org.jboss.portal.identity.ldap.LDAPExtUserModuleImpl</class>
  |          <config/>
  |       </module>
  |       <module>
  |          <type>Role</type>
  |          <implementation>LDAP</implementation>
  |          <class>org.jboss.portal.identity.ldap.LDAPExtRoleModuleImpl</class>
  |          <config/>
  |       </module>
  |       <module>
  |          <type>Membership</type>
  |          <implementation>LDAP</implementation>
  |          <config/>
  |       </module>
  |       <module>
  |          <type>UserProfile</type>
  |          <implementation>DELEGATING</implementation>
  |          <config>
  |             <option>
  |                <name>ldapModuleJNDIName</name>
  |                <value>java:/portal/LDAPUserProfileModule</value>
  |             </option>
  |          </config>
  |       </module>
  |       <module>
  |          <type>DBDelegateUserProfile</type>
  |          <implementation>DB</implementation>
  |          <config>
  |             <option>
  |                <name>randomSynchronizePassword</name>
  |                <value>true</value>
  |             </option>
  |          </config>
  |       </module>
  |       <module>
  |          <type>LDAPDelegateUserProfile</type>
  |          <implementation>LDAP</implementation>
  |          <config/>
  |       </module>
  |    </modules>
  | 
  |    <options>
  |       <option-group>
  |          <group-name>common</group-name>
  |          <option>
  |             <name>userCtxDN</name>
  |             <value>ou=PEOPLE,o=IDV</value>
  |          </option>
  |          <option>
  |             <name>roleCtxDN</name>
  |             <value>ou=GROUPS,o=IDV</value>
  |          </option>
  |          <option>
  |             <name>userSearchFilter</name>
  |             <value>(cn={0})</value>
  |          </option>
  |          <option>
  |             <name>roleSearchFilter</name>
  |             <value>(cn={0})</value>
  |          </option>
  |          <option>
  |             <name>uidAttributeID</name>
  |             <value>cn</value>
  |          </option>
  |          <option>
  |             <name>passwordAttributeID</name>
  |             <value>password</value>
  |          </option>
  |          <option>
  |             <name>membershipAttributeId</name>
  |             <value>member</value>
  |          </option>
  |          <option>
  |             <name>membershipAttributeIsDN</name>
  |             <value>true</value>
  |          </option>
  |       </option-group>
  |       <option-group>
  |          <group-name>userCreateAttibutes</group-name>
  |          <option>
  |             <name>objectClass</name>
  |             <!--These objectclasses should work with Red Hat Directory-->
  |             <value>top</value>
  |             <value>person</value>
  |             <value>inetOrgPerson</value>
  |          </option>
  |          <!--Schema requires those to have initial value-->
  |          <option>
  |             <name>cn</name>
  |             <value>none</value>
  |          </option>
  |          <option>
  |             <name>sn</name>
  |             <value>none</value>
  |          </option>
  |       </option-group>
  |       <option-group>
  |          <group-name>roleCreateAttibutes</group-name>
  |          <!--Schema requires those to have initial value-->
  |          <option>
  |             <name>cn</name>
  |             <value>none</value>
  |          </option>
  |          <!--Some directory servers require this attribute to be valid DN-->
  |          <!--For safety reasons point to the admin user here-->
  |          <option>
  |             <name>member</name>
  |             <value>cn=portalsystem,ou=apps,ou=people,o=idv</value>
  |          </option>
  |       </option-group>
  |    </options>
  | </identity-configuration>
  | 

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4047666#4047666

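The following is an added example, not code from the poster or from JBoss Portal. It replays, against a constructed in-memory copy of the tree shown in the post, the lookup chain the posted ldap_identity-config.xml describes: search userCtxDN with userSearchFilter (cn={0}) to get the user's DN, then search roleCtxDN for entries whose membershipAttributeId (member) holds that DN, as membershipAttributeIsDN=true implies. The search scope and the DN-comparison rule are parameters, because whether the real module searches the whole subtree and whether it compares DNs by value or byte-for-byte are assumptions here, and they are exactly the two things worth confirming with ldapsearch against the live eDirectory, binding as cn=portalsystem. The function names, the scope parameter and the `exact` flag are this example's own.

```python
"""Model of the LDAP lookup chain implied by the posted ldap_identity-config.xml.

Added example, not JBoss Portal code. The directory below is a constructed
snapshot of the tree from the post, not real data; only cn and member
attributes are modelled because those are the only ones the config uses.
"""

# Constructed snapshot of the tree from the post (not exported from eDirectory).
DIRECTORY = {
    "cn=portalsystem,ou=apps,ou=people,o=idv": {"cn": ["portalsystem"]},
    "cn=admin,ou=apps,ou=people,o=idv": {"cn": ["admin"]},
    "cn=acm3,ou=al,ou=employees,ou=people,o=idv": {"cn": ["acm3"]},
    "cn=Administrators,ou=jbossportal,ou=apps,ou=groups,o=idv": {
        "cn": ["Administrators"],
        "member": [
            "cn=admin,ou=apps,ou=people,o=idv",
            # Assumed: stored with different case than the entry's own DN, to
            # show what a byte-exact DN comparison would do with it.
            "CN=ACM3,OU=al,OU=employees,OU=people,O=idv",
        ],
    },
    "cn=Users,ou=jbossportal,ou=apps,ou=groups,o=idv": {
        "cn": ["Users"],
        "member": ["cn=acm3,ou=al,ou=employees,ou=people,o=idv"],
    },
}


def normalize_dn(dn):
    """Fold case and surrounding whitespace per RDN, which is how cn/ou/o values
    compare under caseIgnoreMatch. Simplified: escaped commas and multi-valued
    RDNs are not handled. Whether the real module normalises at all is an
    assumption; that is what the `exact` flag in roles_for() contrasts."""
    return ",".join(rdn.strip().lower() for rdn in dn.split(","))


def in_scope(entry_dn, base_dn, scope):
    """True if entry_dn lies under base_dn for the given search scope."""
    e, b = normalize_dn(entry_dn), normalize_dn(base_dn)
    if not e.endswith("," + b):
        return False
    if scope == "subtree":
        return True
    if scope == "onelevel":
        # Exactly one RDN between the entry and the base.
        return "," not in e[: -len(b) - 1]
    raise ValueError("unknown scope: %s" % scope)


def search(base_dn, attr, value, scope="subtree"):
    """Equality filter (attr=value) under base_dn; returns the matching DNs."""
    value = value.lower()
    return [
        dn for dn, attrs in DIRECTORY.items()
        if in_scope(dn, base_dn, scope)
        and any(v.lower() == value for v in attrs.get(attr, []))
    ]


def find_user(username, scope="subtree"):
    """userCtxDN=ou=PEOPLE,o=IDV with userSearchFilter=(cn={0}), as configured.
    Returns the user's DN, or None unless exactly one entry matches."""
    hits = search("ou=PEOPLE,o=IDV", "cn", username, scope)
    return hits[0] if len(hits) == 1 else None


def roles_for(user_dn, scope="subtree", exact=False):
    """roleCtxDN=ou=GROUPS,o=IDV, membershipAttributeId=member, IsDN=true.
    exact=True compares the stored member value byte-for-byte with user_dn;
    exact=False compares normalised DNs."""
    if exact:
        match = lambda m: m == user_dn
    else:
        want = normalize_dn(user_dn)
        match = lambda m: normalize_dn(m) == want
    return sorted(
        attrs["cn"][0]
        for dn, attrs in DIRECTORY.items()
        if in_scope(dn, "ou=GROUPS,o=IDV", scope)
        and any(match(m) for m in attrs.get("member", []))
    )


if __name__ == "__main__":
    for user in ("admin", "acm3"):
        for scope in ("onelevel", "subtree"):
            dn = find_user(user, scope)
            print(user, scope, dn, roles_for(dn) if dn else [])
        dn = find_user(user)
        print(user, "exact member compare:", roles_for(dn, exact=True))
```

Two things fall out of running this against the tree in the post. A one-level search under ou=PEOPLE finds neither account, because cn=admin and cn=acm3 both sit two levels below it; given that Admin can log in, the user lookup the module performs evidently reaches into the subtree, so search scope is not what separates the two accounts in this model. The membership step is where they can diverge: if DNs are compared byte-for-byte, a member value stored with different case or spacing than the user's entry DN silently drops that membership, while a value-based comparison keeps it. Replaying the same two searches with ldapsearch, bound as cn=portalsystem, shows the exact member strings eDirectory returns for cn=Administrators and whether they match the DN the user search returns for acm3.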