[jboss-user] [Security & JAAS/JBoss] - JBoss 4.0.5.GA LdapLoginModule - terminology confusion
matteg
do-not-reply at jboss.com
Tue Sep 25 01:56:52 EDT 2007
I have read section 8.5.3.5 LdapLoginModule in the Admin Guide at least twenty times. I have managed to configure this module so that a userid is correctly recognised when attempting to access a protected web page.
I seem to be totally unable to correctly specify how a user's role should be looked up by the login module. I considered myself reasonably knowledgeable in LDAP concepts (up until now).
Using OpenLDAP as my LDAP server, my LDAP server root is dc=saanich,dc=ca
my users are stored within ou=People
and my roles are stored within ou=Groups,ou=Webapp-Roles.
The objects in this context are objectClass=groupOfNames with cn=[role name] and users specified as a set of member=[userDN] attributes.
Because users are being authenticated accurately but access is being denied when it should be granted, I believe that I must be misinterpreting one of the role related configuration options below.
I suspect that someone will be able to point out a silly conceptual error somewhere below. If so, I will be humbly grateful. Thanks in advance.
=======================
The login-config.xml is:
<application-policy name="SaanichIntranet">
  <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">
    <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
    <module-option name="java.naming.provider.url">ldap://IT-Manager:389/</module-option>
    <module-option name="java.naming.security.authentication">simple</module-option>
    <module-option name="principalDNPrefix">cn=</module-option>
    <module-option name="principalDNSuffix">,ou=People,dc=saanich,dc=ca</module-option>
    <module-option name="uidAttributeID">cn</module-option>
    <module-option name="rolesCtxDN">ou=Webapp-Roles,ou=Groups,dc=saanich,dc=ca</module-option>
    <module-option name="roleNameAttributeID">cn</module-option>
    <module-option name="matchOnUserDN">true</module-option>
    <module-option name="roleAttributeID">member</module-option>
    <module-option name="roleAttributeIsDN">true</module-option>
  </login-module>
</application-policy>
=======================
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4088267#4088267
Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=4088267
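The following is an added example, not code from the post or from JBoss: a small offline simulation of how the legacy LdapLoginModule combines the role-lookup options quoted above, following the Admin Guide's descriptions (uidAttributeID names the attribute in the entries under rolesCtxDN that is compared against the username, or against the full user DN when matchOnUserDN is true; roleAttributeID is the attribute read from each matching entry; roleAttributeIsDN means each of its values is itself a DN whose roleNameAttributeID attribute supplies the role name). The in-memory directory, the user "jdoe" and the role "intranet-user" are constructed for the example, and the two alternative option sets are assumptions shown for contrast, not a verified fix. Run against the posted options it returns no roles, which is consistent with "authenticated but denied".

```python
"""Simulation of the legacy JBoss LdapLoginModule role search (added example, not JBoss code)."""

# Constructed in-memory directory: DN -> {attribute: [values]}.
# "memberOf" on the user entry is invented here purely to show the roleAttributeIsDN path.
DIRECTORY = {
    "cn=jdoe,ou=People,dc=saanich,dc=ca": {
        "objectClass": ["inetOrgPerson"],
        "cn": ["jdoe"],
        "memberOf": ["cn=intranet-user,ou=Webapp-Roles,ou=Groups,dc=saanich,dc=ca"],
    },
    "cn=intranet-user,ou=Webapp-Roles,ou=Groups,dc=saanich,dc=ca": {
        "objectClass": ["groupOfNames"],
        "cn": ["intranet-user"],
        "member": ["cn=jdoe,ou=People,dc=saanich,dc=ca"],
    },
}


def entries_under(base_dn):
    """Yield (dn, attrs) for every entry below base_dn (subtree scope, for simplicity)."""
    for dn, attrs in DIRECTORY.items():
        if dn.endswith("," + base_dn):
            yield dn, attrs


def role_search(opts, username):
    """Return the sorted role names the module would add for `username` under `opts`."""
    user_dn = opts.get("principalDNPrefix", "") + username + opts.get("principalDNSuffix", "")
    # Value substituted into the role filter: the DN when matchOnUserDN=true, else the username.
    match_value = user_dn if opts.get("matchOnUserDN") == "true" else username
    uid_attr = opts.get("uidAttributeID", "uid")          # attribute matched under rolesCtxDN
    role_attr = opts.get("roleAttributeID", "roles")      # attribute read from each match
    role_name_attr = opts.get("roleNameAttributeID", "name")
    role_is_dn = opts.get("roleAttributeIsDN") == "true"

    roles = []
    for _dn, attrs in entries_under(opts["rolesCtxDN"]):
        # Equivalent of the filter (uidAttributeID=<match_value>); LDAP DN/string matching
        # is case-insensitive, so compare lower-cased.
        if match_value.lower() not in (v.lower() for v in attrs.get(uid_attr, [])):
            continue
        for value in attrs.get(role_attr, []):
            if role_is_dn:
                # Each value is the DN of a role entry; its roleNameAttributeID is the role name.
                target = DIRECTORY.get(value)
                if target is not None:
                    roles.extend(target.get(role_name_attr, []))
            else:
                roles.append(value)
    return sorted(roles)


# The options exactly as posted (connection options omitted; they play no part in role lookup).
POSTED = {
    "principalDNPrefix": "cn=",
    "principalDNSuffix": ",ou=People,dc=saanich,dc=ca",
    "uidAttributeID": "cn",
    "rolesCtxDN": "ou=Webapp-Roles,ou=Groups,dc=saanich,dc=ca",
    "roleNameAttributeID": "cn",
    "matchOnUserDN": "true",
    "roleAttributeID": "member",
    "roleAttributeIsDN": "true",
}

# Assumed alternative for a groupOfNames layout: match the user DN against the group's
# "member" attribute and read the role name directly from the group's "cn".
GROUP_OF_NAMES = dict(POSTED, uidAttributeID="member", roleAttributeID="cn", roleAttributeIsDN="false")

# Assumed alternative for the layout roleAttributeIsDN is meant for: the matched entry is the
# user itself, and the role attribute on it holds DNs of role entries.
USER_HOLDS_ROLE_DNS = dict(
    POSTED, rolesCtxDN="ou=People,dc=saanich,dc=ca", uidAttributeID="cn",
    matchOnUserDN="false", roleAttributeID="memberOf", roleAttributeIsDN="true",
)

if __name__ == "__main__":
    for label, opts in (("posted", POSTED), ("groupOfNames", GROUP_OF_NAMES),
                        ("user holds role DNs", USER_HOLDS_ROLE_DNS)):
        print(f"{label:22s} -> {role_search(opts, 'jdoe')}")
```

With the posted options the filter becomes (cn=cn=jdoe,ou=People,dc=saanich,dc=ca) evaluated against the group entries, which nothing matches, so the module assigns no roles even though the bind succeeded; the two alternative option sets show the two attribute layouts the options are designed around.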