The JDBC AuthoritiesPopulator returns roles from the database as
'editor', 'register', etc.
The Acegi DefaultLdapAuthoritiesPopulator defaults to converting
groupRoleAttribute values to uppercase and prefixing them with 'ROLE_',
hence it was returning 'ROLE_EDITOR', 'ROLE_REGISTER', etc. to Roller.
The properties can be overridden, e.g.:

<property name="rolePrefix"><value></value></property>
<property name="convertToUpperCase"><value>false</value></property>
Hope this helps anyone else trying to use LDAP authorisation.

Steve
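For anyone putting the above together in security.xml, here is the complete bean as an added example; it is not from the thread or from the Roller or Acegi projects. It assumes Acegi 1.0.x class names, a bean named "initialDirContextFactory", and a group search base of ou=groups,dc=example,dc=com; adjust those to your own setup.

```xml
<!-- Added example, not from the thread. Assumes Acegi 1.0.x, a bean named
     "initialDirContextFactory" (DefaultInitialDirContextFactory), and a group
     search base of ou=groups,dc=example,dc=com. -->
<bean id="ldapAuthoritiesPopulator"
      class="org.acegisecurity.providers.ldap.populator.DefaultLdapAuthoritiesPopulator">
    <!-- Constructor args: the directory context factory and the subtree to
         search for group entries. -->
    <constructor-arg><ref local="initialDirContextFactory"/></constructor-arg>
    <constructor-arg><value>ou=groups,dc=example,dc=com</value></constructor-arg>

    <!-- Match membership on uniqueMember (groupOfUniqueNames) instead of the
         default member attribute; {0} is substituted with the user's full DN. -->
    <property name="groupSearchFilter"><value>(uniqueMember={0})</value></property>

    <!-- The group attribute whose value becomes the role name:
         cn=editor,ou=groups,... yields the authority 'editor'. -->
    <property name="groupRoleAttribute"><value>cn</value></property>

    <!-- Defaults are rolePrefix="ROLE_" and convertToUpperCase=true, which turn
         cn=editor into ROLE_EDITOR. Roller's userrole table holds 'editor', so
         the authority never matches and protected pages come back 403.
         Override both so the LDAP populator returns exactly the strings the
         JDBC populator would.
         Note: <value></value> is the empty string; <value>""</value> would set
         the prefix to the two-character string consisting of two quote marks. -->
    <property name="rolePrefix"><value></value></property>
    <property name="convertToUpperCase"><value>false</value></property>
</bean>
```

The check worth doing before chasing anything else: the GrantedAuthority strings the populator produces must be byte-for-byte identical to the rolename values in the userrole table, case included. Anything that differs, even just the case, will produce the same 403 described below.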
Steve McCain wrote:
Thanks Dave. Yes, there is a groupSearchFilter property in Acegi that
defaults to member - I've set it to "(uniqueMember={0})" in
DefaultLdapAuthoritiesPopulator in security.xml.
The LDAP search is now finding me as a uniqueMember of the groups, but
I'm still getting 403 errors.
In the userrole table in the database I have a single entry with a
rolename of 'editor' and have therefore assumed that I needed to be in
an LDAP group of cn=editor, ou=groups, dc... etc. I also set ou to be
'editor' and have tried using either cn or ou as groupRoleAttribute -
I get 403 regardless. I've tried with and without being a member of a
'register' group, and again this makes no difference.
How can I turn on logging to see what Roller is doing? What exactly
does Roller need to get from the LDAP search to grant access?

Steve