users@glassfish.java.net

LDAP Realm, Searching for member of group, or one of several members

From: DSargrad <dsargrad_at_sensis.com>
Date: Fri, 10 Apr 2009 08:06:09 -0700 (PDT)

I am trying to establish an LDAP realm. I have successfully set up a simple
realm that connects to our companies ldap server. With this anyone in the
company can now connect to my glassfish server. However I need to restrict
access to only those within a specific group.

The valid group is reflected in the following ldapsearch command:

ldapsearch -x -h corpatsdc1 -b "cn=focus,ou=lifelong
groups,dc=corp,dc=lifelong,dc=com" -s sub -D "dsargrad_at_lifelong.com" -W

This command successfully returns the individuals in the "focus" group that
I want to give access to.

By the way I was able to get this mechanism working just fine with the file
realm. Within that realm I just created a list of ppl to provide access to,
and only those ppl were able to log in. However I dont want to force ppl to
have to remember a separate login, hence ldap.

How should I set group-search-filter and other options (e.g. search-filter)
to allow only someone from the focus group (as seen in the above ldapsearch)
to have access to my domain?

If I dont use a group-search-filter and set my search-filter to
(&(objectClass=user)(sAMAccountName=%s)) then anyone can get in. This is not
good.

If I set my group-search-filter to
(&(objectClass=group)(member=cn=focus,ou=lifelong
groups,dc=corp,dc=lifelong,dc=com)) and leave my search-filter in place then
it seems to ignore my group-search-filter (ppl can still log in because of
the search-filter).. If i then delete my search-filter and leave only that
group-search-filter then no one can log in.

I'm completely confused. I have not been able to find any good examples of a
glassfish ldap realm setting for "members of a group". The few references
that I have found point me to a simple Sun description of realm strings,
which really does not seem to help. I'd also love to find a solid tutorial
on ldap realm configuration.

Can someone please help me to understand how this filter should be set?

Thanks in advance for any ideas. 

-- 
View this message in context: http://www.nabble.com/LDAP-Realm%2C-Searching-for-member-of-group%2C-or-one-of-several-members-tp22989384p22989384.html
Sent from the java.net - glassfish users mailing list archive at Nabble.com.
© Oracle | By contributing to this project, you are agreeing to the terms of use described here.