  • LdapPasswordAuthenticationDao and roleContext

    I recently grabbed the ldap stuff from the sandbox and am trying to implement this but have a couple of questions for anyone familiar with it.

    I'm able to successfully authenticate against the LDAP directory but am not able to return the roles based on the user's group membership. I think the reason is my roleContext configuration, which I don't fully understand. My configuration at this stage is as follows...

    Code:
    <bean id="ldapDaoImpl" class="net.sf.acegisecurity.providers.dao.ldap.LdapPasswordAuthenticationDao">
        <property name="URL"><value>ldap://groupware_3:389/</value></property>
        <property name="rootContext"><value>o=GroupWare,c=AU</value></property>
        <!-- here {0} is the username -->
        <property name="userContext"><value>cn={0},o=GroupWare,c=AU</value></property>
        <property name="roleContext"><value>objectClass=groupOfNames</value></property>
        <!-- <property name="userRolesAttribute"><value>memberOf</value></property> -->
        <!-- here {0} is the distinguished name (which would be uid=USERNAME,ou=Users,dc=mycompany,dc=com)
             and {1} is the username. -->
        <property name="roleAttributesSearchFilter"><value>(member={0})</value></property>
        <property name="roleNameAttribute"><value>member</value></property>
        <property name="defaultRole"><value>ROLE_EMPLOYEE</value></property>
    </bean>
    Using ldapsearch to list all groups returns group objects similar to this:

    Code:
    CN=WebsiteReaders
    cn=WebsiteReaders
    mail=[email protected]
    objectClass=top
    objectClass=groupOfNames
    objectClass=dominoGroup
    member=CN=Frank Zappa,O=GroupWare,C=AU
    member=CN=Sun Ra,O=GroupWare,C=AU
    The ldap directory is coming from a Lotus Notes / Domino server.

    The following ldapsearch command returns all groups in the directory:

    ldapsearch -h groupware_3 "objectClass=groupOfNames"

    which is why I thought "objectClass=groupOfNames" might be a valid roleContext. Obviously I'm on the wrong track here though.

    Can anyone see from the information posted here what would be valid values for the following properties:
    - roleContext
    - roleAttributesSearchFilter
    - roleNameAttribute

    thanks,
    rob

  • #2
    Since I'm the one who added this I'll try and answer it... Let me start by saying that I am still working on learning LDAP, and have a long way to go.
    • roleContext - should be something like ou=Groups,o=GroupWare,c=AU (or maybe just o=GroupWare,c=AU); this is the initial point where the LDAP directory will be searched from.
    • roleAttributesSearchFilter - this one looks pretty much correct to me. You might try changing it to (|(objectClass=groupOfNames)(member={0})) which will only return objects which are of objectClass "groupOfNames" and have the user as a member.
    • roleNameAttribute - I believe you want this to be cn.

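To see what each of the filters mentioned so far actually matches, and what comes back for the two candidate roleNameAttribute values, here is an added example that is not code from the Acegi sandbox DAO or from either poster: a toy evaluator for the RFC 4515 filter subset used in this thread (equality, presence, `&`, `|`), run against constructed entries. The first group entry is the ldapsearch output from the first post; the second group, the person entry, all entry DNs and the function names are assumptions. Whether the sandbox DAO escapes the value it substitutes for `{0}` is not stated in the thread, so `role_search()` can do either, which also shows why the substituted DN must be escaped before it goes into a filter.

```python
"""Toy RFC 4515 filter evaluator for the thread's role search (added example)."""
import re

# Constructed directory: first group copied from the thread's ldapsearch
# output; second group, person entry and all DNs are assumptions.
SAMPLE_ENTRIES = [
    {"dn": "cn=WebsiteReaders,o=GroupWare,c=AU",
     "cn": ["WebsiteReaders"],
     "objectClass": ["top", "groupOfNames", "dominoGroup"],
     "member": ["CN=Frank Zappa,O=GroupWare,C=AU",
                "CN=Sun Ra,O=GroupWare,C=AU"]},
    {"dn": "cn=WebsiteEditors,o=GroupWare,c=AU",          # constructed
     "cn": ["WebsiteEditors"],
     "objectClass": ["top", "groupOfNames", "dominoGroup"],
     "member": ["CN=Sun Ra,O=GroupWare,C=AU"]},
    {"dn": "cn=Frank Zappa,o=GroupWare,c=AU",             # constructed
     "cn": ["Frank Zappa"],
     "objectClass": ["top", "person"]},
]


def escape_filter_value(value):
    """RFC 4515 escaping for a value substituted into a filter (ASCII only)."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def _unescape(value):
    return re.sub(r"\\([0-9A-Fa-f]{2})",
                  lambda m: chr(int(m.group(1), 16)), value)


def parse_filter(text):
    """Parse '(attr=value)', '(attr=*)', '(&(..)(..))' and '(|(..)(..))'."""
    pos = 0

    def node():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError("expected '(' at offset %d" % pos)
        pos += 1
        if text[pos] in "&|":
            op = text[pos]
            pos += 1
            subs = []
            while text[pos] == "(":
                subs.append(node())
            if text[pos] != ")":
                raise ValueError("expected ')' at offset %d" % pos)
            pos += 1
            return (op, subs)
        end = text.index(")", pos)
        attr, _, value = text[pos:end].partition("=")
        pos = end + 1
        return ("=", attr.strip(), value)        # value is still escaped

    tree = node()
    if pos != len(text):
        raise ValueError("trailing data after filter: %r" % text[pos:])
    return tree


def _values(entry, attr):
    for key, vals in entry.items():
        if key != "dn" and key.lower() == attr.lower():
            return vals
    return []


def _norm(value):
    # Approximates caseIgnoreMatch / distinguishedNameMatch.
    return ",".join(p.strip().lower() for p in value.split(","))


def matches(tree, entry):
    if tree[0] == "=":
        _, attr, raw = tree
        vals = _values(entry, attr)
        if raw == "*":                            # presence filter
            return bool(vals)
        wanted = _norm(_unescape(raw))
        return any(_norm(v) == wanted for v in vals)
    op, subs = tree
    return (all if op == "&" else any)(matches(s, entry) for s in subs)


def role_search(filter_template, user_dn, role_name_attribute,
                entries=SAMPLE_ENTRIES, escape=True):
    """Mimic the DAO's role lookup: substitute {0}, search, then collect the
    roleNameAttribute of every matching entry.  escape=False substitutes the
    raw value so the filter-injection risk is visible."""
    value = escape_filter_value(user_dn) if escape else user_dn
    tree = parse_filter(filter_template.replace("{0}", value))
    roles = []
    for entry in entries:
        if matches(tree, entry):
            roles.extend(_values(entry, role_name_attribute))
    return roles


if __name__ == "__main__":
    USER = "cn=Frank Zappa,o=GroupWare,c=AU"
    for flt, attr in [("(member={0})", "member"),
                      ("(|(objectClass=groupOfNames)(member={0}))", "cn"),
                      ("(&(objectClass=groupOfNames)(member={0}))", "cn")]:
        print(flt, attr, "->", role_search(flt, USER, attr))
    AND = "(&(objectClass=groupOfNames)(member={0}))"
    print("raw '*' ->", role_search(AND, "*", "cn", escape=False))
    print("escaped '*' ->", role_search(AND, "*", "cn"))
```

With roleNameAttribute set to `member` the "roles" are the DNs of everyone in the matching group, which is why `cn` is the attribute that yields a usable role name. The last two lines show the difference escaping makes: an unescaped `*` substituted for `{0}` turns the membership test into a presence test and returns every group.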


    • #3
      Thanks, this makes a little more sense now. I'm still experiencing problems though. I get the error shown below in the log...

      Does this error indicate that there's something wrong with the role context used or that it can't find a match within that context ?

      The following ldapsearch command produces valid results:

      ldapsearch -h groupware_3 "(&(member=Rob Monie)(objectClass=groupOfNames))"

      It feels like I'm very close but still missing something obvious.

      Code:
      DEBUG - LdapPasswordAuthenticationDao.loadUserByUsernameAndPassword(699) | Connecting to ldap://groupware_3:389/o=GroupWare,c=AU as Rob Monie
      INFO - LdapPasswordAuthenticationDao.getRolesFromRoleSearch(544) | Unable to find user-role match in context = o=GroupWare,c=AU
      javax.naming.NameNotFoundException: [LDAP: error code 32 - No Such Object]; remaining name 'o=GroupWare,c=AU'
          at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3013)
          at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2934)
          at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2740)
          at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1811)
          at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1734)
          at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1751)
          at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:394)
          at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:362)
          at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:346)
          at javax.naming.directory.InitialDirContext.search(InitialDirContext.java:253)
          at net.sf.acegisecurity.providers.dao.ldap.LdapPasswordAuthenticationDao.getRolesFromRoleSearch(LdapPasswordAuthenticationDao.java:539)
          at net.sf.acegisecurity.providers.dao.ldap.LdapPasswordAuthenticationDao.loadUserByUsernameAndPassword(LdapPasswordAuthenticationDao.java:705)
          at net.sf.acegisecurity.providers.dao.PasswordDaoAuthenticationProvider.getUserFromBackend(PasswordDaoAuthenticationProvider.java:292)
          at net.sf.acegisecurity.providers.dao.PasswordDaoAuthenticationProvider.authenticate(PasswordDaoAuthenticationProvider.java:177)
          at net.sf.acegisecurity.providers.ProviderManager.doAuthentication(ProviderManager.java:159)
          at net.sf.acegisecurity.AbstractAuthenticationManager.authenticate(AbstractAuthenticationManager.java:49)
          at net.sf.acegisecurity.ui.webapp.AuthenticationProcessingFilter.attemptAuthentication(AuthenticationProcessingFilter.java:90)
          at net.sf.acegisecurity.ui.AbstractProcessingFilter.doFilter(AbstractProcessingFilter.java:356)
          at net.sf.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:311)
          at net.sf.acegisecurity.context.HttpSessionContextIntegrationFilter.doFilter(HttpSessionContextIntegrationFilter.java:217)
          at net.sf.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:311)
          at net.sf.acegisecurity.util.FilterChainProxy.doFilter(FilterChainProxy.java:179)
          at net.sf.acegisecurity.util.FilterToBeanProxy.doFilter(FilterToBeanProxy.java:125)
          at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:233)
          at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:204)
          at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:256)
          at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:151)
          at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:564)
          at org.apache.catalina.core.StandardContextValve.invokeInternal(StandardContextValve.java:245)
          at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:199)
          at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:151)
          at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:509)
          at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:149)
          at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:564)
          at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:195)
          at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:151)
          at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:164)
          at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:149)
          at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:564)
          at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:156)
          at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:151)
          at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:564)
          at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:972)
          at org.apache.coyote.tomcat5.CoyoteAdapter.service(CoyoteAdapter.java:211)
          at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:805)
          at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:696)
          at org.apache.tomcat.util.net.TcpWorkerThread.runIt(PoolTcpEndpoint.java:605)
          at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:677)
          at java.lang.Thread.run(Thread.java:534)
      My new config is as follows:

      Code:
      <bean id="ldapDaoImpl" class="net.sf.acegisecurity.providers.dao.ldap.LdapPasswordAuthenticationDao">
          <property name="URL"><value>ldap://groupware_3:389/</value></property>
          <property name="rootContext"><value>o=GroupWare,c=AU</value></property>
          <!-- here {0} is the username -->
          <property name="userContext"><value>cn={0},o=GroupWare,c=AU</value></property>
          <property name="roleContext"><value>o=GroupWare,c=AU</value></property>
          <!-- <property name="userRolesAttribute"><value>memberOf</value></property> -->
          <!-- here {0} is the distinguished name (which would be uid=USERNAME,ou=Users,dc=mycompany,dc=com)
               and {1} is the username. -->
          <property name="roleAttributesSearchFilter"><value><![CDATA[(&(member={0})(objectClass=groupOfNames))]]></value></property>
          <property name="roleNameAttribute"><value>cn</value></property>
          <property name="defaultRole"><value>ROLE_EMPLOYEE</value></property>
      </bean>



      • #4
        OK, the error you are getting is because the rootContext is appended onto the userContext. A quick test against my server suggests something like the following should work:

        Code:
        <bean id="ldapDaoImpl" class="net.sf.acegisecurity.providers.dao.ldap.LdapPasswordAuthenticationDao">
            <property name="URL"><value>ldap://groupware_3:389/</value></property>
            <!-- here {0} is the username -->
            <property name="userContext"><value>cn={0},o=GroupWare,c=AU</value></property>
            <property name="roleContext"><value>o=GroupWare,c=AU</value></property>
            <!-- here {0} is the distinguished name (which would be uid=USERNAME,ou=Users,dc=mycompany,dc=com)
                 and {1} is the username. -->
            <property name="roleAttributesSearchFilter"><value><![CDATA[(&(member={0})(objectClass=groupOfNames))]]></value></property>
            <property name="roleNameAttribute"><value>cn</value></property>
            <property name="defaultRole"><value>ROLE_EMPLOYEE</value></property>
        </bean>

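The "error code 32 - No Such Object" above, with the same suffix named twice, is what you get when a name that already ends in the root context is resolved relative to a connection opened on that root context. Here is an added example (not code from the Acegi sandbox DAO or from either poster) that models just that naming arithmetic. The resolution rule it uses, that JNDI treats the search or bind name as relative to the context the connection is on, is an assumption about the sandbox code inferred from the log lines in the thread; the directory contents in `KNOWN_DNS`, the username with an embedded comma, and the function names are constructed. The RFC 4514 escaping of the value substituted for `{0}` in userContext is added here; the configs in this thread substitute the raw username, which a username containing `,` or `+` would turn into extra RDNs.

```python
"""DN composition behind the thread's error 32 (added example, not DAO code)."""

# Constructed stand-in for the Domino directory in the thread.
KNOWN_DNS = {
    "o=GroupWare,c=AU",
    "cn=WebsiteReaders,o=GroupWare,c=AU",
    "cn=Rob Monie,o=GroupWare,c=AU",
}


def split_rdns(dn):
    """Split a DN on unescaped commas (simplified RFC 4514 parsing)."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):     # keep escape pairs intact
            cur.append(dn[i:i + 2])
            i += 2
            continue
        if dn[i] == ",":
            rdns.append("".join(cur).strip())
            cur = []
        else:
            cur.append(dn[i])
        i += 1
    rdns.append("".join(cur).strip())
    return rdns


def normalize_dn(dn):
    return ",".join(r.lower() for r in split_rdns(dn))


def entry_exists(dn):
    """Stand-in for the server: a base that names no entry is error 32."""
    return normalize_dn(dn) in {normalize_dn(d) for d in KNOWN_DNS}


def resolve(name, base):
    """Assumed JNDI behaviour: 'name' is relative to the connected context,
    so the context's suffix is appended; an empty base leaves it untouched."""
    if not base:
        return name
    if not name:
        return base
    return "%s,%s" % (name, base)


def escape_dn_value(value):
    """RFC 4514 escaping for one attribute value inside a DN (ASCII only)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;':
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        elif ch == "#" and i == 0:
            out.append("\\#")
        elif ch == " " and i in (0, last):
            out.append("\\ ")
        else:
            out.append(ch)
    return "".join(out)


def user_dn(user_context, username, root_context="", escape=True):
    """Build the bind DN the userContext template implies."""
    value = escape_dn_value(username) if escape else username
    return resolve(user_context.replace("{0}", value), root_context)


def role_search_base(role_context, root_context=""):
    return resolve(role_context, root_context)


if __name__ == "__main__":
    # The second config in the thread: rootContext and roleContext both set.
    doubled = role_search_base("o=GroupWare,c=AU", "o=GroupWare,c=AU")
    print(doubled, "exists:", entry_exists(doubled))
    # The fix from #4: drop rootContext.
    fixed = role_search_base("o=GroupWare,c=AU")
    print(fixed, "exists:", entry_exists(fixed))
    # Escaping keeps a comma in the username inside a single RDN.
    for esc in (True, False):
        dn = user_dn("cn={0},o=GroupWare,c=AU", "Rob Monie,o=Other", escape=esc)
        print(dn, "->", len(split_rdns(dn)), "RDNs")
```

Run as a script it prints the doubled base `o=GroupWare,c=AU,o=GroupWare,c=AU` as non-existent and the single one as existing, then shows that the escaped username stays one RDN (three in total) while the raw one becomes four.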


        • #5
          I ended up getting this working by removing the root context as you suggested and also removing the roleContext. I believe this is due to the fact that our LDAP directory does not have hierarchical groups. I know very little about LDAP so I'm not sure whether this is common or not. However, for the moment it all appears to be working, so thanks again for your help.
