LDAP Realm and groups
Hi,
I'm developing a java web application to be run in Sun Application Server (from JES 2005Q4). I'm using declarative security. Everything works fine with the standard file realm.
However, I need to use an LDAP realm. For that, I've set up Sun Directory Server (from JES 2005Q4) and populated it with some data (users and groups). The DIT has the following structure:
top-level: dc=oxys,dc=be
users are under: ou=IVSL,ou=People,dc=oxys,dc=be
for instance: dn: uid=jnc,ou=IVSL, ou=People,dc=oxys,dc=be
groups are under: ou=groups,dc=oxys,dc=be
for instance:
dn: cn=IVSL Users,ou=Groups, dc=oxys,dc=be
objectClass: top
objectClass: groupofuniquenames
cn: IVSL Users
uniqueMember: uid=jnc,ou=IVSL,ou=People,dc=oxys,dc=be
I've set up an LDAP realm in Sun Application Server (specifying the directory, base-dn, jaas-context and group-base-dn parameters), and I've set up my application to use that realm.
The authentication process works fine: when I try to reach the protected area of my application, I'm sent to the login form, where I enter credentials that are checked against the LDAP server. I can see that if I enter wrong credentials, I'm sent to the login-error page. However, if I enter a correct username/password, I get a 403 "Access to the requested resource has been denied" error, meaning that the logged-in user does not have the appropriate role; so I checked the LDAP server log (see below) and found out that everything works fine, but at step 3, LDAP is searched for objects that match the filter (&(objectClass=groupofuniquenames)(objectClass=*groupofurls*)), and this one returns nothing, as my groups are not of the class "groupofurls".
I've been searching docs.sun.com, sunsolve.sun.com, swforum.sun.com and Google for detailed info on how to configure LDAP data to use LDAP realms, but I could not find any more info, so I'm asking you: how do I define my LDAP data (namely the groups) so that the mapping from LDAP groups to application roles will work?
Thanks for any help you'd be able to provide.
Jean-Noel Colin
From the log files of the LDAP Server
1. Check that user ivsl exists
##############################
[04/Oct/2006:13:52:59 +0200] conn=42 op=3 msgId=4 - SRCH base="ou=ivsl,ou=people,dc=oxys,dc=be" scope=2 filter="(uid=ivsl)" attrs="dn"
[04/Oct/2006:13:52:59 +0200] conn=42 op=3 msgId=4 - RESULT err=0 tag=101 nentries=1 etime=0
--> user exists
2. Search for groups to which user ivsl belongs
###############################################
[04/Oct/2006:13:52:59 +0200] conn=47 op=3 msgId=4 - SRCH base="ou=groups,dc=oxys,dc=be" scope=2 filter="(uniqueMember=uid=ivsl,ou=IVSL,ou=people,dc=oxys,dc=be)" attrs="cn"
[04/Oct/2006:13:52:59 +0200] conn=47 op=3 msgId=4 - RESULT err=0 tag=101 nentries=2 etime=0
--> ok, I found 2 groups
3. Retrieve groups to which user ivsl belongs
##############################################
[04/Oct/2006:13:52:59 +0200] conn=47 op=4 msgId=5 - SRCH base="ou=groups,dc=oxys,dc=be" scope=2 filter="(&(objectClass=groupofuniquenames)(objectClass=*groupofurls*))" attrs="cn memberURL objectClass javaSerializedData javaClassName javaFactory javaCodebase javaReferenceAddress javaClassNames javaremotelocation"
[04/Oct/2006:13:52:59 +0200] conn=47 op=4 msgId=5 - RESULT err=0 tag=101 nentries=0 etime=0
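As an added example (not part of the post above), a small Python script that pairs SRCH and RESULT lines from a Directory Server access log by conn/op and flags group-base searches that succeeded but matched nothing, which is exactly how the step 3 lookup shows up. The sample log lines are constructed from the ones in the post; SAMPLE_LOG, correlate_searches and empty_group_lookups are names chosen here.

```python
import re

# Constructed sample of Sun Directory Server access-log lines, modelled on the
# post: each SRCH is followed by a RESULT sharing the same conn and op numbers.
SAMPLE_LOG = """\
[04/Oct/2006:13:52:59 +0200] conn=42 op=3 msgId=4 - SRCH base="ou=ivsl,ou=people,dc=oxys,dc=be" scope=2 filter="(uid=ivsl)" attrs="dn"
[04/Oct/2006:13:52:59 +0200] conn=42 op=3 msgId=4 - RESULT err=0 tag=101 nentries=1 etime=0
[04/Oct/2006:13:52:59 +0200] conn=47 op=3 msgId=4 - SRCH base="ou=groups,dc=oxys,dc=be" scope=2 filter="(uniqueMember=uid=ivsl,ou=IVSL,ou=people,dc=oxys,dc=be)" attrs="cn"
[04/Oct/2006:13:52:59 +0200] conn=47 op=3 msgId=4 - RESULT err=0 tag=101 nentries=2 etime=0
[04/Oct/2006:13:52:59 +0200] conn=47 op=4 msgId=5 - SRCH base="ou=groups,dc=oxys,dc=be" scope=2 filter="(&(objectClass=groupofuniquenames)(objectClass=*groupofurls*))" attrs="cn memberURL objectClass"
[04/Oct/2006:13:52:59 +0200] conn=47 op=4 msgId=5 - RESULT err=0 tag=101 nentries=0 etime=0
"""

SRCH_RE = re.compile(r'conn=(\d+) op=(\d+) .*? - SRCH base="([^"]*)" scope=(\d+) filter="([^"]*)"')
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) .*? - RESULT err=(\d+) .*?nentries=(\d+)')


def correlate_searches(log_text):
    """Pair every SRCH with its RESULT via (conn, op); return completed searches in log order."""
    pending = {}
    searches = []
    for line in log_text.splitlines():
        m = SRCH_RE.search(line)
        if m:
            conn, op, base, scope, filt = m.groups()
            pending[(conn, op)] = {"conn": conn, "op": op, "base": base,
                                   "scope": int(scope), "filter": filt}
            continue
        m = RESULT_RE.search(line)
        if m:
            conn, op, err, nentries = m.groups()
            srch = pending.pop((conn, op), None)
            if srch is not None:  # ignore RESULTs for non-search operations
                srch["err"] = int(err)
                srch["nentries"] = int(nentries)
                searches.append(srch)
    return searches


def empty_group_lookups(log_text, group_base="ou=groups,dc=oxys,dc=be"):
    """Searches under the group base that returned err=0 but zero entries (silent role-mapping failures)."""
    return [s for s in correlate_searches(log_text)
            if s["base"].lower() == group_base.lower() and s["err"] == 0 and s["nentries"] == 0]


if __name__ == "__main__":
    for s in empty_group_lookups(SAMPLE_LOG):
        print(f"conn={s['conn']} op={s['op']} matched 0 entries with filter {s['filter']}")
```

An empty result with err=0 is what produces the 403 without any error in the server log, so it is the condition worth alerting on when an LDAP realm denies access to a user who authenticated correctly.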