[jboss-user] [Security] - ldap filter to restrict one cn
muzzol
do-not-reply at jboss.com
Mon Oct 19 08:54:44 EDT 2009
hi,
I configured an application policy and I want to allow only users from the group
cn=portalrrhh,ou=Groups,dc=example.com,dc=global
This is the test I did with jmx-console:
<application-policy name="jmx-console">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
      <module-option name="java.naming.provider.url">ldap://example.com:389</module-option>
      <module-option name="baseCtxDN">ou=Users,dc=example.com,dc=global</module-option>
      <module-option name="baseFilter">(uid={0})</module-option>
      <module-option name="rolesCtxDN">cn=portalrrhh,ou=Groups,dc=example.com,dc=global</module-option>
      <module-option name="roleFilter">(memberUid={0})</module-option>
      <module-option name="roleAttributeIsDN">false</module-option>
      <module-option name="roleNameAttributeID">cn</module-option>
      <module-option name="roleRecursion">0</module-option>
      <module-option name="searchScope">ONELEVEL_SCOPE</module-option>
    </login-module>
  </authentication>
</application-policy>
I can log in with any valid LDAP user, not just the ones belonging to the group portalrrhh, so it seems to ignore the scope.
Does anyone have a working example?
I don't mind if it is with org.jboss.security.auth.spi.LdapLoginModule or org.jboss.security.auth.spi.LdapExtLoginModule.
View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=4261045#4261045
Reply to the post : http://www.jboss.org/index.html?module=bb&op=posting&mode=reply&p=4261045
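As an added illustration (not code from the post or from JBoss): a small Python model of the two phases a JBoss LDAP login module runs, a bind-based authentication and a separate role search, over a constructed in-memory directory shaped like the post's configuration. It assumes standard LDAP search-scope semantics and that the module only collects roles, with the required-role check happening in the deployment's security constraint rather than in the module; the user entries and passwords are made up.

```python
BASE_CTX_DN = "ou=Users,dc=example.com,dc=global"                   # baseCtxDN from the post
ROLES_CTX_DN = "cn=portalrrhh,ou=Groups,dc=example.com,dc=global"   # rolesCtxDN from the post

# Constructed sample directory (DN -> attributes); not a real server.
DIRECTORY = {
    "uid=alice,ou=Users,dc=example.com,dc=global": {"uid": ["alice"], "userPassword": ["s3cret"]},
    "uid=bob,ou=Users,dc=example.com,dc=global": {"uid": ["bob"], "userPassword": ["hunter2"]},
    ROLES_CTX_DN: {"cn": ["portalrrhh"], "memberUid": ["alice"]},
}

def in_scope(dn, base, scope):
    """Standard LDAP scope semantics relative to a search base."""
    if scope == "OBJECT_SCOPE":
        return dn == base
    if scope == "ONELEVEL_SCOPE":            # immediate children only, never the base entry itself
        return dn.split(",", 1)[1] == base
    if scope == "SUBTREE_SCOPE":
        return dn == base or dn.endswith("," + base)
    raise ValueError(scope)

def search(base, scope, attr, value):
    """Entries under `base` (per `scope`) whose `attr` contains `value`, e.g. (memberUid={0})."""
    return [dn for dn, attrs in DIRECTORY.items()
            if in_scope(dn, base, scope) and value in attrs.get(attr, [])]

def authenticate(uid, password, scope):
    """Phase 1: baseFilter (uid={0}) under baseCtxDN, then bind as the entry found."""
    for dn in search(BASE_CTX_DN, scope, "uid", uid):
        if password in DIRECTORY[dn]["userPassword"]:
            return dn
    return None

def roles_for(uid, scope):
    """Phase 2: roleFilter (memberUid={0}) under rolesCtxDN; role name taken from cn."""
    return [DIRECTORY[dn]["cn"][0] for dn in search(ROLES_CTX_DN, scope, "memberUid", uid)]

def login(uid, password, scope, required_role="portalrrhh"):
    """A successful bind alone never rejects a user; only the role check does (assumed to
    be enforced by the deployment's security constraint, not by the login module)."""
    if authenticate(uid, password, scope) is None:
        return {"authenticated": False, "roles": [], "authorized": False}
    roles = roles_for(uid, scope)
    return {"authenticated": True, "roles": roles, "authorized": required_role in roles}
```

With the post's settings (rolesCtxDN pointing at the group entry itself and ONELEVEL_SCOPE), the role search looks only below the group entry and finds nothing, so every valid user binds with an empty role set; a required-role check on the protected resource is what turns that into a denial.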