I am trying to establish an LDAP realm. I have successfully set up a simple
realm that connects to our companies ldap server. With this anyone in the
company can now connect to my glassfish server. However I need to restrict
access to only those within a specific group.
The valid group is reflected in the following ldapsearch command:
ldapsearch -x -h corpatsdc1 -b "cn=focus,ou=lifelong
groups,dc=corp,dc=lifelong,dc=com" -s sub -D "dsargrad_at_lifelong.com" -W
This command successfully returns the individuals in the "focus" group that
I want to give access to.
By the way I was able to get this mechanism working just fine with the file
realm. Within that realm I just created a list of ppl to provide access to,
and only those ppl were able to log in. However I dont want to force ppl to
have to remember a separate login, hence ldap.
How should I set group-search-filter and other options (e.g. search-filter)
to allow only someone from the focus group (as seen in the above ldapsearch)
to have access to my domain?
If I dont use a group-search-filter and set my search-filter to
(&(objectClass=user)(sAMAccountName=%s)) then anyone can get in. This is not
good.
If I set my group-search-filter to
(&(objectClass=group)(member=cn=focus,ou=lifelong
groups,dc=corp,dc=lifelong,dc=com)) and leave my search-filter in place then
it seems to ignore my group-search-filter (ppl can still log in because of
the search-filter).. If i then delete my search-filter and leave only that
group-search-filter then no one can log in.
I'm completely confused. I have not been able to find any good examples of a
glassfish ldap realm setting for "members of a group". The few references
that I have found point me to a simple Sun description of realm strings,
which really does not seem to help. I'd also love to find a solid tutorial
on ldap realm configuration.
Can someone please help me to understand how this filter should be set?
Thanks in advance for any ideas.
--
View this message in context: http://www.nabble.com/LDAP-Realm%2C-Searching-for-member-of-group%2C-or-one-of-several-members-tp22989384p22989384.html
Sent from the java.net - glassfish users mailing list archive at Nabble.com.