I am working with the jboss-portal-2.6-CR2 bundle. After getting it configured
for MySQL and logging in as 'admin', I reconfigured it for LDAP using the
LDAPExtUser/RoleModuleImpl classes. We are using Novell eDirectory set up in an
Identity Vault configuration (nearly flat directory with different ou's for
users and groups). Anyway, so far so good. I can log in. Well, actually, Admin
can log in. I cannot. I keep getting the "Your account is disabled." message on the
login screen, which is WRONG since my account is neither disabled nor locked in
LDAP. My guess is this misleading message has something to do with
Authorization.
Our LDAP structure:
| o=idv
| ou=groups,o=idv
| ou=apps,ou=groups,o=idv
| ou=jbossportal,ou=apps,ou=groups,o=idv
| cn=Administrators,ou=jbossportal,ou=apps,ou=groups,o=idv
| cn=Users,ou=jbossportal,ou=apps,ou=groups,o=idv
|
| ou=people,o=idv
| ou=apps,ou=people,o=idv
| cn=admin,ou=apps,ou=people,o=idv
| ou=employees,ou=people,o=idv
| ou=al,ou=employees,ou=people,o=idv
| cn=acm3,ou=al,ou=employees,ou=people,o=idv
|
Note that the admin I am using to authenticate is in a different container in
the tree. My account (acm3) is where most employees would be.
The two groups mentioned have various users in them. In the Administrators
case, Admin and ACM3 are both members. Yet when Admin logs in, the "Admin" link
doesn't appear in the portal window. And ACM3 cannot log in at all.
What could I be missing here? There were no messages on the console log or in
server.log that something was wrong.
I've included the ldap_identity-config.xml below:
| <identity-configuration>
| <datasources>
| <datasource>
| <name>LDAP</name>
| <config>
| <option>
| <name>host</name>
| <value>idv1-lab.oag.state.tx.us</value>
| </option>
| <option>
| <name>port</name>
| <value>389</value>
| </option>
| <option>
| <name>adminDN</name>
| <value>cn=portalsystem,ou=apps,ou=people,o=idv</value>
| </option>
| <option>
| <name>adminPassword</name>
| <value>password</value>
| </option>
| <!--<option>
| <name>protocol</name>
| <value>ssl</value>
| </option>-->
| </config>
| </datasource>
| </datasources>
| <modules>
| <module>
| <!--type used to correctly map in IdentityContext registry-->
| <type>User</type>
| <implementation>LDAP</implementation>
| <class>org.jboss.portal.identity.ldap.LDAPExtUserModuleImpl</class>
| <config/>
| </module>
| <module>
| <type>Role</type>
| <implementation>LDAP</implementation>
| <class>org.jboss.portal.identity.ldap.LDAPExtRoleModuleImpl</class>
| <config/>
| </module>
| <module>
| <type>Membership</type>
| <implementation>LDAP</implementation>
| <config/>
| </module>
| <module>
| <type>UserProfile</type>
| <implementation>DELEGATING</implementation>
| <config>
| <option>
| <name>ldapModuleJNDIName</name>
| <value>java:/portal/LDAPUserProfileModule</value>
| </option>
| </config>
| </module>
| <module>
| <type>DBDelegateUserProfile</type>
| <implementation>DB</implementation>
| <config>
| <option>
| <name>randomSynchronizePassword</name>
| <value>true</value>
| </option>
| </config>
| </module>
| <module>
| <type>LDAPDelegateUserProfile</type>
| <implementation>LDAP</implementation>
| <config/>
| </module>
| </modules>
|
| <options>
| <option-group>
| <group-name>common</group-name>
| <option>
| <name>userCtxDN</name>
| <value>ou=PEOPLE,o=IDV</value>
| </option>
| <option>
| <name>roleCtxDN</name>
| <value>ou=GROUPS,o=IDV</value>
| </option>
| <option>
| <name>userSearchFilter</name>
| <value>(cn={0})</value>
| </option>
| <option>
| <name>roleSearchFilter</name>
| <value>(cn={0})</value>
| </option>
| <option>
| <name>uidAttributeID</name>
| <value>cn</value>
| </option>
| <option>
| <name>passwordAttributeID</name>
| <value>password</value>
| </option>
| <option>
| <name>membershipAttributeId</name>
| <value>member</value>
| </option>
| <option>
| <name>membershipAttributeIsDN</name>
| <value>true</value>
| </option>
| </option-group>
| <option-group>
| <group-name>userCreateAttibutes</group-name>
| <option>
| <name>objectClass</name>
| <!--These objectclasses should work with Red Hat Directory-->
| <value>top</value>
| <value>person</value>
| <value>inetOrgPerson</value>
| </option>
| <!--Schema requires those to have initial value-->
| <option>
| <name>cn</name>
| <value>none</value>
| </option>
| <option>
| <name>sn</name>
| <value>none</value>
| </option>
| </option-group>
| <option-group>
| <group-name>roleCreateAttibutes</group-name>
| <!--Schema requires those to have initial value-->
| <option>
| <name>cn</name>
| <value>none</value>
| </option>
| <!--Some directory servers require this attribute to be valid DN-->
| <!--For safety reasons point to the admin user here-->
| <option>
| <name>member</name>
| <value>cn=portalsytem,ou=apps,ou=people,o=idv</value>
| </option>
| </option-group>
| </options>
| </identity-configuration>
|
View the original post:
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4047666#4047666
Reply to the post:
http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=4047666
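The lookups implied by the posted config (a subtree search under userCtxDN with (cn={0}), then groups under roleCtxDN whose DN-valued member attribute lists the user, per membershipAttributeIsDN=true), modelled over a constructed sample of the tree above as an added example that is not part of the original post or of JBoss Portal. It shows why the DN comparison must be case- and whitespace-insensitive (RFC 4514): the config writes ou=PEOPLE,o=IDV while the directory uses lower case, and a naive string comparison silently drops a membership. All entries and the function names are constructed for this example.

```python
"""Model the user/role lookups described by ldap_identity-config.xml over a constructed sample tree."""
from typing import Dict, List

# Constructed sample entries mirroring the posted tree (not a live LDAP query).
# The second Administrators member is deliberately written with spaces and upper case,
# as another tool or administrator might have stored it.
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "cn=admin,ou=apps,ou=people,o=idv": {"cn": ["admin"], "objectClass": ["inetOrgPerson"]},
    "cn=acm3,ou=al,ou=employees,ou=people,o=idv": {"cn": ["acm3"], "objectClass": ["inetOrgPerson"]},
    "cn=Administrators,ou=jbossportal,ou=apps,ou=groups,o=idv": {
        "cn": ["Administrators"],
        "member": ["cn=admin,ou=apps,ou=people,o=idv",
                   "CN=ACM3, OU=al, OU=employees, OU=people, O=idv"],
    },
    "cn=Users,ou=jbossportal,ou=apps,ou=groups,o=idv": {
        "cn": ["Users"],
        "member": ["cn=acm3,ou=al,ou=employees,ou=people,o=idv"],
    },
}


def normalize_dn(dn: str) -> str:
    """Fold case and strip whitespace around RDN separators (assumes no escaped commas in values)."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def in_subtree(dn: str, base: str) -> bool:
    """True if dn is base itself or lies anywhere below it (subtree scope)."""
    n, b = normalize_dn(dn), normalize_dn(base)
    return n == b or n.endswith("," + b)


def search(base: str, attr: str, value: str) -> List[str]:
    """Subtree search like userSearchFilter (cn={0}): DNs under base whose attr equals value."""
    return [dn for dn, attrs in DIRECTORY.items()
            if in_subtree(dn, base) and value.lower() in (v.lower() for v in attrs.get(attr, []))]


def roles_of(user_dn: str, role_ctx: str, member_attr: str = "member", strict: bool = False) -> List[str]:
    """Group cn values under role_ctx whose member_attr lists user_dn.

    strict=True is the naive exact-string comparison; strict=False compares normalized DNs.
    """
    same = (lambda a, b: a == b) if strict else (lambda a, b: normalize_dn(a) == normalize_dn(b))
    return sorted(attrs["cn"][0] for dn, attrs in DIRECTORY.items()
                  if in_subtree(dn, role_ctx) and any(same(m, user_dn) for m in attrs.get(member_attr, [])))
```

Running roles_of for acm3 with strict=True returns only Users, while the normalized comparison also returns Administrators; that is the kind of silent mismatch worth ruling out when a user's role resolution looks wrong.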
_______________________________________________
jboss-user mailing list
[email protected]
https://lists.jboss.org/mailman/listinfo/jboss-user