I have read section 8.5.3.5 LdapLoginModule in the Admin Guide at least twenty 
times.  I have managed to configure this module so that a userid is correctly 
recognised when attempting to access a protected web page.

I seem to be totally unable to correctly specify how a user's role should be 
looked up by the login module.  I considered myself reasonably knowledgeable in 
LDAP concepts (up until now).

Using OpenLDAP as my LDAP server, my LDAP server root is dc=saanich,dc=ca 
my users are stored within ou=People 
and my roles are stored within ou=Groups,ou=Webapp-Roles.
The objects in this context are objectClass=groupOfNames with cn=[role name] 
and users specified as a set of member=[userDN] attributes.

Because users are being authenticated accurately but access is being denied 
when it should be granted, I believe that I must be misinterpreting one of the 
role related configuration options below.

I suspect that someone will be able to point out a silly conceptual error 
somewhere below.  If so, I will be humbly grateful.  Thanks in advance.

=======================
The login-config.xml is:
    <application-policy name="SaanichIntranet">
      
        <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">
          <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
          <module-option name="java.naming.provider.url">ldap://IT-Manager:389/</module-option>
          <module-option name="java.naming.security.authentication">simple</module-option>
          <module-option name="principalDNPrefix">cn=</module-option>
          <module-option name="principalDNSuffix">,ou=People,dc=saanich,dc=ca</module-option>
          <module-option name="uidAttributeID">cn</module-option>
          <module-option name="rolesCtxDN">ou=Webapp-Roles,ou=Groups,dc=saanich,dc=ca</module-option>
          <module-option name="roleNameAttributeID">cn</module-option>
          <module-option name="matchOnUserDN">true</module-option>
          <module-option name="roleAttributeID">member</module-option>
          <module-option name="roleAttributeIsDN">true</module-option>
        </login-module>
      
    </application-policy>

=======================


View the original post : 
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4088267#4088267

_______________________________________________
jboss-user mailing list
[email protected]
https://lists.jboss.org/mailman/listinfo/jboss-user
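Added example, not from the thread and not JBoss code: a small Python model of the role-lookup steps that the Admin Guide documents for LdapLoginModule (build the user DN from principalDNPrefix/principalDNSuffix, search one level under rolesCtxDN for entries whose uidAttributeID attribute equals the user DN when matchOnUserDN is true or the bare username otherwise, then read roleAttributeID from each match, dereferencing the value and reading roleNameAttributeID when roleAttributeIsDN is true), run over a constructed in-memory copy of the tree the post describes. The user jsmith, the group names, the case-folding used for DN comparison and the second option set are all assumptions; the model is a reading of the documented option semantics, not the module's source, so confirm against the real module before relying on it.

```python
# Constructed model of LdapLoginModule role resolution; not JBoss code.
ROLES_CTX = "ou=Webapp-Roles,ou=Groups,dc=saanich,dc=ca"
USER_DN = "cn=jsmith,ou=People,dc=saanich,dc=ca"   # jsmith is a constructed user
OTHER_DN = "cn=other,ou=People,dc=saanich,dc=ca"   # constructed second user

# Constructed directory: DN -> {attribute: [values]}, mirroring the post's layout
# (users under ou=People, groupOfNames entries under the roles context).
DIRECTORY = {
    USER_DN: {"objectClass": ["inetOrgPerson"], "cn": ["jsmith"]},
    OTHER_DN: {"objectClass": ["inetOrgPerson"], "cn": ["other"]},
    f"cn=intranet-user,{ROLES_CTX}": {
        "objectClass": ["groupOfNames"],
        "cn": ["intranet-user"],
        "member": [USER_DN, OTHER_DN],
    },
    f"cn=intranet-admin,{ROLES_CTX}": {
        "objectClass": ["groupOfNames"],
        "cn": ["intranet-admin"],
        "member": [OTHER_DN],
    },
}

# The option set exactly as posted to the list.
POSTED_OPTIONS = {
    "principalDNPrefix": "cn=",
    "principalDNSuffix": ",ou=People,dc=saanich,dc=ca",
    "uidAttributeID": "cn",
    "rolesCtxDN": ROLES_CTX,
    "roleNameAttributeID": "cn",
    "matchOnUserDN": "true",
    "roleAttributeID": "member",
    "roleAttributeIsDN": "true",
}

# Assumed alternative for comparison: uidAttributeID names the attribute in the
# group entry that holds the user DN (member), and the role name is the group's cn.
ALTERNATIVE_OPTIONS = dict(
    POSTED_OPTIONS, uidAttributeID="member", roleAttributeID="cn", roleAttributeIsDN="false"
)


def one_level(base):
    """Yield entries directly below base, the scope of a JNDI search-by-attributes."""
    suffix = "," + base.lower()
    for dn, attrs in DIRECTORY.items():
        if dn.lower().endswith(suffix) and "," not in dn[: -len(suffix)]:
            yield dn, attrs


def lookup_roles(options, username):
    """Return the role names the modelled module would grant to username."""
    user_dn = options["principalDNPrefix"] + username + options["principalDNSuffix"]
    match_value = user_dn if options.get("matchOnUserDN") == "true" else username
    uid_attr = options.get("uidAttributeID", "uid")
    role_attr = options.get("roleAttributeID", "roles")
    role_is_dn = options.get("roleAttributeIsDN") == "true"
    role_name_attr = options.get("roleNameAttributeID", "name")
    roles = []
    for _dn, attrs in one_level(options["rolesCtxDN"]):
        # Simplified equality match: real LDAP normalises DNs more carefully.
        candidates = [v.lower() for v in attrs.get(uid_attr, [])]
        if match_value.lower() not in candidates:
            continue
        for value in attrs.get(role_attr, []):
            if role_is_dn:
                # Value is a DN of a role object; read its name attribute.
                roles.extend(DIRECTORY.get(value, {}).get(role_name_attr, []))
            else:
                roles.append(value)
    return roles


if __name__ == "__main__":
    print("posted options     ->", lookup_roles(POSTED_OPTIONS, "jsmith"))
    print("alternative options->", lookup_roles(ALTERNATIVE_OPTIONS, "jsmith"))
```

Under this model the posted options search the group entries for a cn equal to the full user DN, which no groupOfNames entry carries, so the search returns nothing and the role set stays empty even though authentication succeeded; the alternative set matches on member and yields the group's cn as the role name. Turning on TRACE logging for org.jboss.security shows the actual search filter the module issues, which is the quickest way to confirm which attribute it is really matching on.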
