
I'm using JBoss EAP 6.4 with Java 1.7. I'm building a JEE app and now I'm trying to authenticate (and authorize) users with the company LDAP.

I created the following security domain in my JBoss:

<security-domain name="abcDomain" cache-type="default">
    <authentication>
        <login-module code="Ldap" flag="required">
            <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
            <module-option name="java.naming.provider.url" value="ldap://abc.com.uy:389"/>
            <module-option name="java.naming.security.authentication" value="simple"/>
            <module-option name="principalDNPrefix" value="uid="/>
            <module-option name="principalDNSuffix" value=",ou=Interns,dc=abc,dc=com,dc=uy"/>
            <module-option name="searchTimeLimit" value="5000"/>
            <module-option name="roleAttributeID" value="cn"/>
            <module-option name="rolesCtxDN" value="ou=Groups,ou=Admin,dc=abc,dc=com,dc=uy"/>
            <module-option name="uidAttributeID" value="member"/>
            <module-option name="matchOnUserDN" value="true"/>
            <module-option name="roleAttributeIsDN" value="false"/>
        </login-module>
    </authentication>
</security-domain>

I use it in my app to secure some web pages; the security constraint in the web.xml is as follows:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>pages</web-resource-name>
        <description>Security constraint for pages</description>
        <url-pattern>/pages/*</url-pattern>
        <http-method>POST</http-method>
        <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint>
        <role-name>SCC-ADMIN</role-name>
        <role-name>SCC-RESPONSABLE</role-name>
        <role-name>SCC-CONSULTA</role-name>
    </auth-constraint>
</security-constraint>

The authentication part is working, meaning that if I enter the wrong password or user I get an error, but if everything is correct I continue to the requested page (which returns a 403 error). When the user and password are correct I try to get the user roles with this code:

import java.io.Serializable;

import javax.annotation.PostConstruct;
import javax.faces.bean.ManagedBean;
import javax.faces.bean.SessionScoped;
import javax.faces.context.FacesContext;

@ManagedBean
@SessionScoped
public class SesionController implements Serializable {

    private String usuario;
    private boolean sccAdmin;

    @PostConstruct
    public void initSesionController() {
        // Principal name the container set after the LDAP login succeeded
        usuario = FacesContext.getCurrentInstance().getExternalContext().getRemoteUser();

        // Role check against the roles the login module populated for this principal
        sccAdmin = FacesContext.getCurrentInstance().getExternalContext().isUserInRole("SCC-ADMIN");
    }

    public String getUsuario() {
        return usuario;
    }

    public boolean isSccAdmin() {
        return sccAdmin;
    }
}

The "usuario" is correct, but the role is false. I also get a 403 HTTP error; since the role is not "being assigned", this seems logical.

I have this group in my LDAP: cn=SCC-ADMIN,ou=Groups,ou=Admin,dc=abc,dc=com,dc=uy, and the user I'm testing with, uid=aviera,ou=Interns,dc=abc,dc=com,dc=uy, is indeed a member of that group.

My guess is that the rolesCtxDN definition in the security-domain is wrong, but I've had no luck trying to fix it (I have no experience with LDAP, so I could be making an obvious mistake).


1 Answer


I downloaded a tool called JXplorer to view the LDAP structure. I noticed that in the SCC-ADMIN group the members were stored in an attribute called uniqueMember, instead of member, which I was indicating in the uidAttributeID property of the security domain. Changing that solved my problem.
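The following is an added example, not code from the question, the answer or JBoss itself. It models offline how the legacy "Ldap" login module composes its options (principalDNPrefix/Suffix, rolesCtxDN, uidAttributeID, roleAttributeID, matchOnUserDN) into the role search, so the failure in the question can be reproduced and checked before touching the server: with uidAttributeID=member the search under rolesCtxDN matches nothing and the user ends up with no roles (hence the 403), while with uniqueMember the SCC-ADMIN group is found. The directory entries are constructed for illustration, and a subtree search scope and an unescaped filter string are assumptions of this model rather than facts stated on the page.

```python
# Added example: offline model of the legacy JBoss "Ldap" login module's role
# lookup. The directory below is constructed for illustration only; the DNs
# mirror the ones in the question but hold no real data.

# Constructed directory: DN -> attributes (values are lists, as in LDAP)
DIRECTORY = {
    "uid=aviera,ou=Interns,dc=abc,dc=com,dc=uy": {
        "objectClass": ["inetOrgPerson"],
        "uid": ["aviera"],
    },
    "cn=SCC-ADMIN,ou=Groups,ou=Admin,dc=abc,dc=com,dc=uy": {
        "objectClass": ["groupOfUniqueNames"],
        "cn": ["SCC-ADMIN"],
        # groupOfUniqueNames stores members in uniqueMember, not member
        "uniqueMember": ["uid=aviera,ou=Interns,dc=abc,dc=com,dc=uy"],
    },
    "cn=SCC-CONSULTA,ou=Groups,ou=Admin,dc=abc,dc=com,dc=uy": {
        "objectClass": ["groupOfUniqueNames"],
        "cn": ["SCC-CONSULTA"],
        "uniqueMember": ["uid=someone,ou=Interns,dc=abc,dc=com,dc=uy"],
    },
}


def normalize_dn(dn):
    """Case- and whitespace-insensitive comparison key for a DN."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def in_subtree(dn, base_dn):
    """True when dn equals base_dn or lies below it (subtree scope assumed)."""
    n_dn, n_base = normalize_dn(dn), normalize_dn(base_dn)
    return n_dn == n_base or n_dn.endswith("," + n_base)


def build_user_dn(username, opts):
    """principalDNPrefix + username + principalDNSuffix, as the module binds with."""
    return opts["principalDNPrefix"] + username + opts["principalDNSuffix"]


def build_filter(username, opts):
    """The search filter the module effectively sends under rolesCtxDN.
    No RFC 4515 escaping is applied here; the real module passes the value
    as a parameterised search argument (assumption of this model)."""
    match_value = build_user_dn(username, opts) if opts["matchOnUserDN"] else username
    return "(%s=%s)" % (opts["uidAttributeID"], match_value)


def find_roles(directory, username, opts):
    """Search rolesCtxDN for entries whose uidAttributeID contains the user DN
    (matchOnUserDN=true) or the bare username, and return each match's
    roleAttributeID values (roleAttributeIsDN=false: the value is the role name)."""
    match_value = build_user_dn(username, opts) if opts["matchOnUserDN"] else username
    uid_attr = opts["uidAttributeID"]
    role_attr = opts["roleAttributeID"]
    roles = []
    for dn, attrs in directory.items():
        if not in_subtree(dn, opts["rolesCtxDN"]):
            continue
        members = attrs.get(uid_attr, [])
        if opts["matchOnUserDN"]:
            # DN-valued membership attributes compare as DNs, not raw strings
            hit = any(normalize_dn(m) == normalize_dn(match_value) for m in members)
        else:
            hit = match_value in members
        if hit:
            roles.extend(attrs.get(role_attr, []))
    return roles


# Options as posted in the question: membership attribute is "member"
AS_POSTED = {
    "principalDNPrefix": "uid=",
    "principalDNSuffix": ",ou=Interns,dc=abc,dc=com,dc=uy",
    "rolesCtxDN": "ou=Groups,ou=Admin,dc=abc,dc=com,dc=uy",
    "uidAttributeID": "member",
    "roleAttributeID": "cn",
    "matchOnUserDN": True,
}

# Same options with the attribute the groups actually use, per the answer
FIXED = dict(AS_POSTED, uidAttributeID="uniqueMember")

if __name__ == "__main__":
    for label, opts in (("as posted", AS_POSTED), ("fixed", FIXED)):
        print(label, build_filter("aviera", opts), find_roles(DIRECTORY, "aviera", opts))
```

The printed filter is the same one to type into an ldapsearch against the real server when diagnosing an empty role list: if `(member=<userDN>)` under rolesCtxDN returns nothing but `(uniqueMember=<userDN>)` does, the group objectClass (groupOfUniqueNames versus groupOfNames) is the mismatch, not the rolesCtxDN.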