member is not an OU

DN: cn=admin, ou=roles,ou=system
where member=uid=jdoe is an attribute of cn=admin

My query works fine in ApacheDS Studio with

search base = ou=roles,ou=system
filter = (member=uid=jdoe)

and returns
cn=admin, ou=roles,ou=system
containing member=uid=jdoe

On Thu, Oct 6, 2011 at 11:48 AM, Jean-Baptiste Onofré <[email protected]> wrote:
> Hi Charles,
>
> the role.filter doesn't look correct to me. Is the "member" an ou?
> In that case the filter should be (&(ou=member)(uid=%s)).
>
> Regards
> JB
>
> On 10/06/2011 11:32 AM, Charles Moulliard wrote:
>>
>> connection.url is correct as the user has been authenticated. There is
>> an issue with roles checking
>>
>> On Thu, Oct 6, 2011 at 11:21 AM, Kuhtz, Andreas <[email protected]> wrote:
>>>
>>> Hi,
>>>
>>> It could be that the connection.url is not correct (we had this in our
>>> project). We had to add the /dc=.... .
>>> See https://cwiki.apache.org/DIRxSRVx11/enablesearchforallusers.html
>>>
>>> Regards
>>> Andi
>>>
>>> -----Original Message-----
>>> From: Charles Moulliard [mailto:[email protected]]
>>> Sent: Donnerstag, 6. Oktober 2011 10:57
>>> To: user
>>> Subject: LDAP Authentication - karaf 2.1.6 fail
>>>
>>> Hi,
>>>
>>> I try to use LDAP authentication with Karaf 2.1.6 but it fails
>>> with role-based verification.
>>>
>>> 10:49:50,518 | DEBUG | NioProcessor-1   | LDAPLoginModule | 23 - org.apache.karaf.jaas.modules - 2.1.6.fuse-00-05 | Create the LDAP initial context.
>>> 10:49:50,519 | DEBUG | NioProcessor-1   | LDAPLoginModule | 23 - org.apache.karaf.jaas.modules - 2.1.6.fuse-00-05 | Bound access requested.
>>> 10:49:50,519 | DEBUG | NioProcessor-1   | LDAPLoginModule | 23 - org.apache.karaf.jaas.modules - 2.1.6.fuse-00-05 | Get the user DN.
>>> 10:49:50,519 | DEBUG | NioProcessor-1   | LDAPLoginModule | 23 - org.apache.karaf.jaas.modules - 2.1.6.fuse-00-05 | Initialize the JNDI LDAP Dir Context.
>>> 10:49:50,771 | DEBUG | NioProcessor-1   | LDAPLoginModule | 23 - org.apache.karaf.jaas.modules - 2.1.6.fuse-00-05 | Define the subtree scope search control.
>>> 10:49:50,772 | DEBUG | NioProcessor-1   | LDAPLoginModule | 23 - org.apache.karaf.jaas.modules - 2.1.6.fuse-00-05 | Looking for the user in LDAP with
>>> 10:49:50,772 | DEBUG | NioProcessor-1   | LDAPLoginModule | 23 - org.apache.karaf.jaas.modules - 2.1.6.fuse-00-05 |   base DN: ou=users,ou=system
>>> 10:49:50,772 | DEBUG | NioProcessor-1   | LDAPLoginModule | 23 - org.apache.karaf.jaas.modules - 2.1.6.fuse-00-05 |   filter: (uid=jdoe)
>>> 10:49:50,789 | DEBUG | NioProcessor-1   | LDAPLoginModule | 23 - org.apache.karaf.jaas.modules - 2.1.6.fuse-00-05 | Get the user DN.
>>> 10:49:50,790 | DEBUG | NioProcessor-1   | LDAPLoginModule | 23 - org.apache.karaf.jaas.modules - 2.1.6.fuse-00-05 | Bind user (authentication).
>>> 10:49:50,790 | DEBUG | NioProcessor-1   | LDAPLoginModule | 23 - org.apache.karaf.jaas.modules - 2.1.6.fuse-00-05 | Set the security principal for uid=jdoe,ou=users,ou=system
>>> 10:49:50,790 | DEBUG | NioProcessor-1   | LDAPLoginModule | 23 - org.apache.karaf.jaas.modules - 2.1.6.fuse-00-05 | Binding the user.
>>> 10:49:50,808 | DEBUG | NioProcessor-1   | LDAPLoginModule | 23 - org.apache.karaf.jaas.modules - 2.1.6.fuse-00-05 | User jdoe successfully bound.
>>> 10:49:50,810 | DEBUG | NioProcessor-1   | LDAPLoginModule | 23 - org.apache.karaf.jaas.modules - 2.1.6.fuse-00-05 | Get user roles.
>>> 10:49:50,834 | DEBUG | NioProcessor-1   | LDAPLoginModule | 23 - org.apache.karaf.jaas.modules - 2.1.6.fuse-00-05 | Looking for the user roles in LDAP with
>>> 10:49:50,834 | DEBUG | NioProcessor-1   | LDAPLoginModule | 23 - org.apache.karaf.jaas.modules - 2.1.6.fuse-00-05 |   base DN: ou=roles,ou=system
>>> 10:49:50,834 | DEBUG | NioProcessor-1   | LDAPLoginModule | 23 - org.apache.karaf.jaas.modules - 2.1.6.fuse-00-05 |   filter: (member:=uid=jdoe)
>>>
>>> Is the following syntax correct?
>>>
>>> <?xml version="1.0" encoding="UTF-8"?>
>>> <blueprint xmlns="http://www.osgi.org/xmlns/blueprint/v1.0.0"
>>>   xmlns:jaas="http://karaf.apache.org/xmlns/jaas/v1.0.0"
>>>   xmlns:ext="http://aries.apache.org/blueprint/xmlns/blueprint-ext/v1.0.0">
>>>
>>>   <jaas:config name="karaf" rank="1">
>>>     <jaas:module className="org.apache.karaf.jaas.modules.ldap.LDAPLoginModule"
>>>                  flags="required">
>>>       initialContextFactory=com.sun.jndi.ldap.LdapCtxFactory
>>>       connection.username=uid=admin,ou=system
>>>       connection.password=secret
>>>       connection.protocol=
>>>       connection.url = ldap://localhost:10389
>>>       user.base.dn = ou=users,ou=system
>>>       user.filter = (uid=%u)
>>>       user.search.subtree = true
>>>       role.base.dn = ou=roles,ou=system
>>>       role.filter = (member:=uid=%u)
>>>       role.name.attribute = cn
>>>       role.search.subtree = true
>>>       authentication = simple
>>>     </jaas:module>
>>>   </jaas:config>
>>> </blueprint>
>>>
>>> ApacheDS
>>> =========
>>> version: 1
>>>
>>> dn: ou=system
>>> objectClass: organizationalUnit
>>> objectClass: extensibleObject
>>> objectClass: top
>>> ou: system
>>>
>>> dn: uid=admin,ou=system
>>> objectClass: person
>>> objectClass: organizationalPerson
>>> objectClass: inetOrgPerson
>>> objectClass: tlsKeyInfo
>>> objectClass: top
>>> cn: system administrator
>>> keyAlgorithm: RSA
>>> privateKey:: xxxxxxx
>>> privateKeyFormat: PKCS#8
>>> publicKey:: xxxxx
>>> publicKeyFormat: X.509
>>> sn: administrator
>>> displayName: Directory Superuser
>>> uid: admin
>>> userCertificate:: xxxxxx
>>> userPassword:: c2VjcmV0
>>>
>>> dn: ou=users,ou=system
>>> objectClass: organizationalUnit
>>> objectClass: top
>>> ou: users
>>>
>>> dn: ou=roles,ou=system
>>> objectClass: organizationalUnit
>>> objectClass: top
>>> ou: roles
>>>
>>> dn: cn=admin,ou=roles,ou=system
>>> objectClass: groupOfNames
>>> objectClass: top
>>> cn: admin
>>> member: uid=jdoe
>>>
>>> dn: uid=jdoe,ou=users,ou=system
>>> objectClass: organizationalPerson
>>> objectClass: person
>>> objectClass: inetOrgPerson
>>> objectClass: top
>>> cn: John Doe
>>> sn: Doe
>>> uid: jdoe
>>> userPassword:: c2VjcmV0
>>>
>>> Charles Moulliard
>>>
>>> Apache Committer
>>>
>>> Blog : http://cmoulliard.blogspot.com
>>> Twitter : http://twitter.com/cmoulliard
>>> Linkedin : http://www.linkedin.com/in/charlesmoulliard
>>> Skype: cmoulliard
>>>
>
> --
> Jean-Baptiste Onofré
> [email protected]
> http://blog.nanthrax.net
> Talend - http://www.talend.com
>

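As an added example (not code from this thread, from Karaf or from ApacheDS), a small Python model of the role lookup under discussion: it loads the cn=admin role entry and the jdoe user entry from the LDIF posted above, substitutes the user name into a Karaf-style role.filter template after RFC 4515 escaping, and runs the plain equality search (member=uid=jdoe) that works in ApacheDS Studio, while the extensible-match form (member:=uid=%u) from the Blueprint config is rejected as unsupported by this toy evaluator. The parser, the search routine and the function names are assumptions made for the example.

```python
import re
# Constructed sample: the role and user entries from the LDIF posted in this thread.
SAMPLE_LDIF = """\
dn: cn=admin,ou=roles,ou=system
objectClass: groupOfNames
cn: admin
member: uid=jdoe

dn: uid=jdoe,ou=users,ou=system
uid: jdoe
"""

def parse_ldif(text):
    """Minimal LDIF reader -> {dn: {attr: [values]}}; no base64 (::) or folded lines."""
    entries, current = {}, None
    for line in text.splitlines():
        attr, _, value = line.partition(": ")
        if attr == "dn":
            current = entries.setdefault(value, {})
        elif line.strip() and current is not None:
            current.setdefault(attr.lower(), []).append(value)
    return entries

def escape_filter_value(value):
    """RFC 4515 escaping for a value spliced into a filter (what %u becomes in role.filter)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def render_role_filter(template, username):
    """Substitute %u the way LDAPLoginModule's template does, but only after escaping."""
    return template.replace("%u", escape_filter_value(username))

PLAIN_EQUALITY = re.compile(r"^\((?P<attr>[A-Za-z][\w.;-]*)=(?P<value>[^()]*)\)$")

def is_plain_equality(filt):  # False for the extensible form (attr:=value)
    return PLAIN_EQUALITY.match(filt) is not None

def search(entries, base_dn, filt):
    """Subtree search under base_dn that evaluates only a plain equality assertion."""
    m = PLAIN_EQUALITY.match(filt)
    if not m:
        raise ValueError("unsupported filter syntax: %s" % filt)
    attr, value = m.group("attr").lower(), m.group("value")
    return [dn for dn, attrs in entries.items()
            if (dn == base_dn or dn.endswith("," + base_dn)) and value in attrs.get(attr, [])]

def user_roles(entries, username, template="(member=uid=%u)",
               base_dn="ou=roles,ou=system", name_attr="cn"):
    """Role names for username, as the working Studio query (member=uid=jdoe) finds them."""
    filt = render_role_filter(template, username)
    return [entries[dn][name_attr][0] for dn in search(entries, base_dn, filt)]
```

Note that member here holds the bare value uid=jdoe rather than a full DN, so the filter must assert exactly that string; a real server applies the attribute's matching rule, which this toy equality check does not model.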