[jboss-user] [Security & JAAS/JBoss] - JBoss 4.0.5.GA LdapLoginModule - terminology confusion

matteg do-not-reply at jboss.com
Tue Sep 25 01:56:52 EDT 2007


I have read section 8.5.3.5 LdapLoginModule in the Admin Guide at least twenty times.  I have managed to configure this module so that a userid is correctly recognised when attempting to access a protected web page.

I seem to be totally unable to correctly specify how a user's role should be looked up by the login module.  I considered myself reasonably knowledgeable in LDAP concepts (up until now).

Using OpenLDAP as my ldap server, my LDAP server root is dc=saanich,dc=ca 
my users are stored within ou=People 
and my roles are stored within ou=Groups,ou=Webapp-Roles.
The objects in this context are objectClass=groupOfNames with cn=[role name] and users specified as a set of member=[userDN] attributes.

Because users are being authenticated accurately but access is being denied when it should be granted, I believe that I must be misinterpreting one of the role related configuration options below.

I suspect that someone will be able to point out a silly conceptual error somewhere below.  If so, I will be humbly grateful.  Thanks in advance.

=======================
The login-config.xml is:
    <application-policy name="SaanichIntranet">

        <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">
            <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
            <module-option name="java.naming.provider.url">ldap://IT-Manager:389/</module-option>
            <module-option name="java.naming.security.authentication">simple</module-option>
            <module-option name="principalDNPrefix">cn=</module-option>
            <module-option name="principalDNSuffix">,ou=People,dc=saanich,dc=ca</module-option>
            <module-option name="uidAttributeID">cn</module-option>
            <module-option name="rolesCtxDN">ou=Webapp-Roles,ou=Groups,dc=saanich,dc=ca</module-option>
            <module-option name="roleNameAttributeID">cn</module-option>
            <module-option name="matchOnUserDN">true</module-option>
            <module-option name="roleAttributeID">member</module-option>
            <module-option name="roleAttributeIsDN">true</module-option>
        </login-module>

    </application-policy>

=======================


View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4088267#4088267

Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=4088267
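A small in-memory model of how the role options in the post drive the role search, added here as an example; it is not JBoss code. The search semantics it encodes (match uidAttributeID against the full user DN when matchOnUserDN is true, read roleAttributeID from each hit, and dereference that value as a DN when roleAttributeIsDN is true) are an assumption about the module, and the directory entries and the alternative groupOfNames option set are constructed for this note.

```python
from typing import Dict, List

# Constructed entries mirroring the layout described in the post (assumption).
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "cn=alice,ou=People,dc=saanich,dc=ca": {
        "objectClass": ["person"], "cn": ["alice"]},
    "cn=intranet-user,ou=Webapp-Roles,ou=Groups,dc=saanich,dc=ca": {
        "objectClass": ["groupOfNames"], "cn": ["intranet-user"],
        "member": ["cn=alice,ou=People,dc=saanich,dc=ca"]},
}

def search(base_dn: str, attr: str, value: str) -> Dict[str, Dict[str, List[str]]]:
    """Entries below base_dn whose attr holds value (exact, case-sensitive match)."""
    return {dn: e for dn, e in DIRECTORY.items()
            if dn.endswith("," + base_dn) and value in e.get(attr, [])}

def resolve_roles(options: Dict[str, str], username: str) -> List[str]:
    """Assumed lookup: search rolesCtxDN for uidAttributeID == (user DN if
    matchOnUserDN else username); read roleAttributeID from each hit; when
    roleAttributeIsDN, treat the value as a DN and take its roleNameAttributeID."""
    user_dn = options["principalDNPrefix"] + username + options["principalDNSuffix"]
    match_value = user_dn if options.get("matchOnUserDN") == "true" else username
    roles: List[str] = []
    hits = search(options["rolesCtxDN"], options["uidAttributeID"], match_value)
    for entry in hits.values():
        for value in entry.get(options["roleAttributeID"], []):
            if options.get("roleAttributeIsDN") == "true":
                role_entry = DIRECTORY.get(value, {})
                roles.extend(role_entry.get(options["roleNameAttributeID"], []))
            else:
                roles.append(value)
    return sorted(roles)

COMMON = {
    "principalDNPrefix": "cn=", "principalDNSuffix": ",ou=People,dc=saanich,dc=ca",
    "rolesCtxDN": "ou=Webapp-Roles,ou=Groups,dc=saanich,dc=ca",
    "roleNameAttributeID": "cn", "matchOnUserDN": "true",
}
# The role options exactly as posted: under the assumed semantics the roles
# context is searched for cn=<full user DN>, which no groupOfNames entry carries.
POSTED_OPTIONS = {**COMMON, "uidAttributeID": "cn",
                  "roleAttributeID": "member", "roleAttributeIsDN": "true"}
# A constructed variant for groupOfNames under the same assumed semantics:
# match the user DN against member, and read the role name straight from cn.
GROUP_OF_NAMES_OPTIONS = {**COMMON, "uidAttributeID": "member",
                          "roleAttributeID": "cn", "roleAttributeIsDN": "false"}

if __name__ == "__main__":
    print("posted:", resolve_roles(POSTED_OPTIONS, "alice"))
    print("groupOfNames:", resolve_roles(GROUP_OF_NAMES_OPTIONS, "alice"))
```

Running the model against the constructed directory gives no roles for the posted option set and one role for the groupOfNames variant, which is the behaviour to confirm against a real server (for example with ldapsearch bound as the user) before trusting any option change.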


