That does not change if I use member=uid=%u or member:=uid=%u

On Thu, Oct 6, 2011 at 12:04 PM, Jean-Baptiste Onofré <j...@nanthrax.net> wrote:
> OK, got it :)
>
> role.filter should contain (member=uid=%u) and not (member:=uid=%u).
>
> Let me check how I construct the role search filter.
>
> Regards
> JB
>
> On 10/06/2011 12:01 PM, Charles Moulliard wrote:
>>
>> member is not an OU
>>
>> DN: cn=admin, ou=roles,ou=system
>> where member=uid=jdoe is an attribute of cn=admin
>>
>> My query works fine in ApacheDS Studio with
>>
>> search base = ou=roles,ou=system
>> filter = (member=uid=jdoe)
>>
>> and returns
>> cn=admin, ou=roles,ou=system
>> containing member=uid=jdoe
>>
>> On Thu, Oct 6, 2011 at 11:48 AM, Jean-Baptiste Onofré <j...@nanthrax.net> wrote:
>>>
>>> Hi Charles,
>>>
>>> the role.filter doesn't look correct to me. Is "member" an ou?
>>> In that case the filter should be (&(ou=member)(uid=%s)).
>>>
>>> Regards
>>> JB
>>>
>>> On 10/06/2011 11:32 AM, Charles Moulliard wrote:
>>>>
>>>> connection.url is correct as the user has been authenticated. There is
>>>> an issue with roles checking
>>>>
>>>> On Thu, Oct 6, 2011 at 11:21 AM, Kuhtz, Andreas <andreas.ku...@atos.net> wrote:
>>>>>
>>>>> Hi,
>>>>>
>>>>> It could be that the connection.url is not correct (we had this in our
>>>>> project). We had to add the /dc=.... .
>>>>> See https://cwiki.apache.org/DIRxSRVx11/enablesearchforallusers.html
>>>>>
>>>>> Regards
>>>>> Andi
>>>>>
>>>>> -----Original Message-----
>>>>> From: Charles Moulliard [mailto:cmoulli...@gmail.com]
>>>>> Sent: Donnerstag, 6. Oktober 2011 10:57
>>>>> To: user
>>>>> Subject: LDAP Authentication - karaf 2.1.6 fail
>>>>>
>>>>> Hi,
>>>>>
>>>>> I try to use LDAP authentication with Karaf 2.1.6, but it fails
>>>>> with role-based verification.
>>>>>
>>>>> 10:49:50,518 | DEBUG | NioProcessor-1   | LDAPLoginModule
>>>>>    | 23 - org.apache.karaf.jaas.modules - 2.1.6.fuse-00-05 | Create
>>>>> the LDAP initial context.
>>>>> 10:49:50,519 | DEBUG | NioProcessor-1   | LDAPLoginModule
>>>>>    | 23 - org.apache.karaf.jaas.modules - 2.1.6.fuse-00-05 | Bound
>>>>> access requested.
>>>>> 10:49:50,519 | DEBUG | NioProcessor-1   | LDAPLoginModule
>>>>>    | 23 - org.apache.karaf.jaas.modules - 2.1.6.fuse-00-05 | Get the
>>>>> user DN.
>>>>> 10:49:50,519 | DEBUG | NioProcessor-1   | LDAPLoginModule
>>>>>    | 23 - org.apache.karaf.jaas.modules - 2.1.6.fuse-00-05 |
>>>>> Initialize the JNDI LDAP Dir Context.
>>>>> 10:49:50,771 | DEBUG | NioProcessor-1   | LDAPLoginModule
>>>>>    | 23 - org.apache.karaf.jaas.modules - 2.1.6.fuse-00-05 | Define
>>>>> the subtree scope search control.
>>>>> 10:49:50,772 | DEBUG | NioProcessor-1   | LDAPLoginModule
>>>>>    | 23 - org.apache.karaf.jaas.modules - 2.1.6.fuse-00-05 | Looking
>>>>> for the user in LDAP with
>>>>> 10:49:50,772 | DEBUG | NioProcessor-1   | LDAPLoginModule
>>>>>    | 23 - org.apache.karaf.jaas.modules - 2.1.6.fuse-00-05 |   base
>>>>> DN: ou=users,ou=system
>>>>> 10:49:50,772 | DEBUG | NioProcessor-1   | LDAPLoginModule
>>>>>    | 23 - org.apache.karaf.jaas.modules - 2.1.6.fuse-00-05 |
>>>>> filter: (uid=jdoe)
>>>>> 10:49:50,789 | DEBUG | NioProcessor-1   | LDAPLoginModule
>>>>>    | 23 - org.apache.karaf.jaas.modules - 2.1.6.fuse-00-05 | Get the
>>>>> user DN.
>>>>> 10:49:50,790 | DEBUG | NioProcessor-1   | LDAPLoginModule
>>>>>    | 23 - org.apache.karaf.jaas.modules - 2.1.6.fuse-00-05 | Bind
>>>>> user (authentication).
>>>>> 10:49:50,790 | DEBUG | NioProcessor-1   | LDAPLoginModule
>>>>>    | 23 - org.apache.karaf.jaas.modules - 2.1.6.fuse-00-05 | Set the
>>>>> security principal for uid=jdoe,ou=users,ou=system
>>>>> 10:49:50,790 | DEBUG | NioProcessor-1   | LDAPLoginModule
>>>>>    | 23 - org.apache.karaf.jaas.modules - 2.1.6.fuse-00-05 | Binding
>>>>> the user.
>>>>> 10:49:50,808 | DEBUG | NioProcessor-1   | LDAPLoginModule
>>>>>    | 23 - org.apache.karaf.jaas.modules - 2.1.6.fuse-00-05 | User
>>>>> jdoe successfully bound.
>>>>> 10:49:50,810 | DEBUG | NioProcessor-1   | LDAPLoginModule
>>>>>    | 23 - org.apache.karaf.jaas.modules - 2.1.6.fuse-00-05 | Get user
>>>>> roles.
>>>>> 10:49:50,834 | DEBUG | NioProcessor-1   | LDAPLoginModule
>>>>>    | 23 - org.apache.karaf.jaas.modules - 2.1.6.fuse-00-05 | Looking
>>>>> for the user roles in LDAP with
>>>>> 10:49:50,834 | DEBUG | NioProcessor-1   | LDAPLoginModule
>>>>>    | 23 - org.apache.karaf.jaas.modules - 2.1.6.fuse-00-05 |   base
>>>>> DN: ou=roles,ou=system
>>>>> 10:49:50,834 | DEBUG | NioProcessor-1   | LDAPLoginModule
>>>>>    | 23 - org.apache.karaf.jaas.modules - 2.1.6.fuse-00-05 |
>>>>> filter: (member:=uid=jdoe)
>>>>>
>>>>> Is the following syntax correct?
>>>>>
>>>>> <?xml version="1.0" encoding="UTF-8"?>
>>>>> <blueprint xmlns="http://www.osgi.org/xmlns/blueprint/v1.0.0"
>>>>>            xmlns:jaas="http://karaf.apache.org/xmlns/jaas/v1.0.0"
>>>>>            xmlns:ext="http://aries.apache.org/blueprint/xmlns/blueprint-ext/v1.0.0">
>>>>>
>>>>>   <jaas:config name="karaf" rank="1">
>>>>>     <jaas:module className="org.apache.karaf.jaas.modules.ldap.LDAPLoginModule"
>>>>>                  flags="required">
>>>>>       initialContextFactory=com.sun.jndi.ldap.LdapCtxFactory
>>>>>       connection.username=uid=admin,ou=system
>>>>>       connection.password=secret
>>>>>       connection.protocol=
>>>>>       connection.url = ldap://localhost:10389
>>>>>       user.base.dn = ou=users,ou=system
>>>>>       user.filter = (uid=%u)
>>>>>       user.search.subtree = true
>>>>>       role.base.dn = ou=roles,ou=system
>>>>>       role.filter = (member:=uid=%u)
>>>>>       role.name.attribute = cn
>>>>>       role.search.subtree = true
>>>>>       authentication = simple
>>>>>     </jaas:module>
>>>>>   </jaas:config>
>>>>> </blueprint>
>>>>>
>>>>> ApacheDS
>>>>> =========
>>>>> version: 1
>>>>>
>>>>> dn: ou=system
>>>>> objectClass: organizationalUnit
>>>>> objectClass: extensibleObject
>>>>> objectClass: top
>>>>> ou: system
>>>>>
>>>>> dn: uid=admin,ou=system
>>>>> objectClass: person
>>>>> objectClass: organizationalPerson
>>>>> objectClass: inetOrgPerson
>>>>> objectClass: tlsKeyInfo
>>>>> objectClass: top
>>>>> cn: system administrator
>>>>> keyAlgorithm: RSA
>>>>> privateKey:: xxxxxxx
>>>>> privateKeyFormat: PKCS#8
>>>>> publicKey:: xxxxx
>>>>> publicKeyFormat: X.509
>>>>> sn: administrator
>>>>> displayName: Directory Superuser
>>>>> uid: admin
>>>>> userCertificate:: xxxxxx
>>>>> userPassword:: c2VjcmV0
>>>>>
>>>>> dn: ou=users,ou=system
>>>>> objectClass: organizationalUnit
>>>>> objectClass: top
>>>>> ou: users
>>>>>
>>>>> dn: ou=roles,ou=system
>>>>> objectClass: organizationalUnit
>>>>> objectClass: top
>>>>> ou: roles
>>>>>
>>>>> dn: cn=admin,ou=roles,ou=system
>>>>> objectClass: groupOfNames
>>>>> objectClass: top
>>>>> cn: admin
>>>>> member: uid=jdoe
>>>>>
>>>>> dn: uid=jdoe,ou=users,ou=system
>>>>> objectClass: organizationalPerson
>>>>> objectClass: person
>>>>> objectClass: inetOrgPerson
>>>>> objectClass: top
>>>>> cn: John Doe
>>>>> sn: Doe
>>>>> uid: jdoe
>>>>> userPassword:: c2VjcmV0
>>>>>
>>>>> Charles Moulliard
>>>>>
>>>>> Apache Committer
>>>>>
>>>>> Blog : http://cmoulliard.blogspot.com
>>>>> Twitter : http://twitter.com/cmoulliard
>>>>> Linkedin : http://www.linkedin.com/in/charlesmoulliard
>>>>> Skype: cmoulliard
>>>>>
>>>
>>> --
>>> Jean-Baptiste Onofré
>>> jbono...@apache.org
>>> http://blog.nanthrax.net
>>> Talend - http://www.talend.com
>>>
>
> --
> Jean-Baptiste Onofré
> jbono...@apache.org
> http://blog.nanthrax.net
> Talend - http://www.talend.com
>
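
An added example, not from the thread and not Karaf's own LDAPLoginModule code: it walks through the two lookups the debug log shows (user search under user.base.dn with user.filter, then role search under role.base.dn with JB's corrected role.filter of (member=uid=%u), role name taken from cn) against an in-memory copy of the LDIF entries posted above. The %u value is escaped per RFC 4515 before it is substituted into the template; the directory, the escape helpers and the equality-only search function are all constructed here and stand in for the real ApacheDS.

```python
import re

# Constructed in-memory copy of the two relevant LDIF entries from the thread
# (not a live ApacheDS); attribute names are stored lower-case.
DIRECTORY = {
    "uid=jdoe,ou=users,ou=system": {"uid": ["jdoe"], "cn": ["John Doe"], "sn": ["Doe"]},
    "cn=admin,ou=roles,ou=system": {"cn": ["admin"], "member": ["uid=jdoe"]},
}

# RFC 4515 escapes: the %u text comes from the login prompt, so it is escaped
# before being spliced into a filter template (prevents filter injection).
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_filter_value(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def unescape_filter_value(value: str) -> str:
    return re.sub(r"\\([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), value)

def build_filter(template: str, username: str) -> str:
    """Substitute %u in a user.filter / role.filter template, as the config on the page does."""
    return template.replace("%u", escape_filter_value(username))

# One plain equality item, e.g. (member=uid=jdoe). The value may itself contain '='.
_EQUALITY = re.compile(r"^\((?P<attr>[A-Za-z][\w-]*)=(?P<value>[^()]*)\)$")

def search(base_dn: str, ldap_filter: str, subtree: bool = True) -> list[str]:
    """Return DNs under base_dn whose attribute equals the filter value.
    (attr:=value) is RFC 4515 extensible-match syntax, not an equality item,
    so it is rejected here instead of being silently treated as (attr=value)."""
    m = _EQUALITY.match(ldap_filter)
    if m is None:
        raise ValueError(f"unsupported filter: {ldap_filter}")
    attr, wanted = m.group("attr").lower(), unescape_filter_value(m.group("value"))
    base = base_dn.lower()
    hits = []
    for dn, attrs in DIRECTORY.items():
        parent = dn.split(",", 1)[1].lower()
        in_scope = parent == base or (subtree and parent.endswith("," + base))
        if in_scope and wanted in attrs.get(attr, []):
            hits.append(dn)
    return hits

def roles_for_user(username: str) -> list[str]:
    """The module's two searches with the page's base DNs and the corrected role.filter."""
    users = search("ou=users,ou=system", build_filter("(uid=%u)", username))
    if len(users) != 1:  # no such user, or an ambiguous match: grant no roles
        return []
    roles = search("ou=roles,ou=system", build_filter("(member=uid=%u)", username))
    return sorted(DIRECTORY[dn]["cn"][0] for dn in roles)  # role.name.attribute = cn
```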
