users@glassfish.java.net

Glassfish 3.1 LDAP groups not registering?

From: <forums_at_java.net>
Date: Mon, 21 Mar 2011 08:01:53 -0500 (CDT)

hi,

i want to port a existing application from websphere application server  7
to glassfish. for this to work i need ldap for security. this application
hast 20+ groups with diffrent rolles in the application.

the first step was to create a new security realm. Configurations >
server-config > Security > Realms > new

domain1.xml content:

       <auth-realm name="ldapAuth"
classname="com.sun.enterprise.security.auth.realm.ldap.LDAPRealm">
          <property description="null" name="directory"
value="ldap://ldapserver:389"></property>           <property
description="null" name="base-dn" value="dc=company"></property>
          <property name="jaas-context"
value="ldapRealm"></property>           <property
name="search-bind-password" value="password"></property>          
<property name="search-bind-dn"
value="uid=authuser,cn=test,cn=com,dc=company"></property>        
</auth-realm>
this config works because when i enter a non existing username or the wrong
password i get the right response from the ldap server. but what doessent
work is the mapping from the ldap groups to the security roles.

here is a snipped of the was7 ibm-application-bnd.xml:

<application-bnd     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns="http://websphere.ibm.com/xml/ns/javaee"    
xsi:schemaLocation="http://websphere.ibm.com/xml/ns/javaee
http://websphere.ibm.com/xml/ns/javaee/ibm-application-bnd_1_0.xsd"
version="1.0">   <security-role name="ADMIN">     <group
name="cn=ADMIN,cn=app1,cn=appgroups,cn=groups,dc=COMPANY"/>  
</security-role>
and here is the gallsfish-application.xml:

<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE glassfish-application PUBLIC
"-//GlassFish.org//DTD GlassFish Application Server 3.1 Java EE Application
6.0//EN" "http://glassfish.org/dtds/glassfish-application_6_0-1.dtd">
<glassfish-application>   <security-role-mapping>    
<role-name>ADMIN</role-name>    
<group-name>cn=ADMIN,cn=app1,cn=appgroups,cn=groups,dc=COMPANY</group-name>
  </security-role-mapping>
when i try to login with a user who has this ADMIN group i always get a 403
permission denied. but with no further message.

i also changed the <group-name> to just ADMIN. because i thought that the
other cn and dc information is distracting glassfish. but this also i not
working.

in the web.xml i havent changed anything since the app is working fine on the
WAS7.

i also added <property name="group-target" value="ibm-allgroups"></property>
to the domain.xml but with this i get a nullpointer exception:

WARNUNG: SEC1106: Error during LDAP search with filter
[uniquemember=uid=admin1,o=company,c=com,dc=company]. WARNUNG: SEC1000:
Caught exception. java.lang.NullPointerException at
com.sun.enterprise.security.auth.realm.ldap.LDAPRealm.groupSearch(LDAPRealm.java:705)
at
com.sun.enterprise.security.auth.realm.ldap.LDAPRealm.findAndBind(LDAPRealm.java:497)
at
com.sun.enterprise.security.auth.login.LDAPLoginModule.authenticate(LDAPLoginModule.java:108)
so my problem is that the ldap response does somehow not contain the group
information of the logged in user, or maybe the mapping is wrong in the
config? if anyone has a good idea what i may have done wrong, please give me
a hint ;)


--
[Message sent by forum member 'mike_ko']
View Post: http://forums.java.net/node/783668