users@glassfish.java.net

Re: Glassfish 3.1 LDAP groups not registering?

From: Kumar.Jayanti <Vbkumar.Jayanti_at_Sun.COM>
Date: Mon, 21 Mar 2011 20:36:36 +0530

On 21/03/11 6:31 PM, forums_at_java.net wrote:
> hi,
>
> i want to port an existing application from websphere application server 7
> to glassfish. for this to work i need ldap for security. this application
> has 20+ groups with different roles in the application.
>
> the first step was to create a new security realm. Configurations >
> server-config > Security > Realms > new
>
> domain1.xml content:
>
> <auth-realm name="ldapAuth"
>     classname="com.sun.enterprise.security.auth.realm.ldap.LDAPRealm">
>   <property description="null" name="directory" value="ldap://ldapserver:389"></property>
>   <property description="null" name="base-dn" value="dc=company"></property>
>   <property name="jaas-context" value="ldapRealm"></property>
>   <property name="search-bind-password" value="password"></property>
>   <property name="search-bind-dn" value="uid=authuser,cn=test,cn=com,dc=company"></property>
> </auth-realm>
>
> this config works because when i enter a non existing username or the wrong
> password i get the right response from the ldap server. but what doesn't
> work is the mapping from the ldap groups to the security roles.
>
> here is a snippet of the was7 ibm-application-bnd.xml:
>
> <application-bnd
>     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>     xmlns="http://websphere.ibm.com/xml/ns/javaee"
>     xsi:schemaLocation="http://websphere.ibm.com/xml/ns/javaee
>     http://websphere.ibm.com/xml/ns/javaee/ibm-application-bnd_1_0.xsd"
>     version="1.0">
>   <security-role name="ADMIN">
>     <group name="cn=ADMIN,cn=app1,cn=appgroups,cn=groups,dc=COMPANY"/>
>   </security-role>
>
> and here is the gallsfish-application.xml:
>
> <?xml version="1.0" encoding="UTF-8"?>
> <!DOCTYPE glassfish-application PUBLIC
>     "-//GlassFish.org//DTD GlassFish Application Server 3.1 Java EE Application 6.0//EN"
>     "http://glassfish.org/dtds/glassfish-application_6_0-1.dtd">
> <glassfish-application>
>   <security-role-mapping>
>     <role-name>ADMIN</role-name>
>     <group-name>cn=ADMIN,cn=app1,cn=appgroups,cn=groups,dc=COMPANY</group-name>
>   </security-role-mapping>
>
> when i try to login with a user who has this ADMIN group i always get a 403
> permission denied. but with no further message.
>
> i also changed the <group-name> to just ADMIN. because i thought that the
> other cn and dc information is distracting glassfish. but this is also not
> working.
>
> in the web.xml i haven't changed anything since the app is working fine on the
> WAS7.
>
> i also added <property name="group-target" value="ibm-allgroups"></property>
> to the domain.xml but with this i get a nullpointer exception:
>
> WARNUNG: SEC1106: Error during LDAP search with filter
> [uniquemember=uid=admin1,o=company,c=com,dc=company].
> WARNUNG: SEC1000: Caught exception.
> java.lang.NullPointerException
>   at com.sun.enterprise.security.auth.realm.ldap.LDAPRealm.groupSearch(LDAPRealm.java:705)
>   at com.sun.enterprise.security.auth.realm.ldap.LDAPRealm.findAndBind(LDAPRealm.java:497)
>   at com.sun.enterprise.security.auth.login.LDAPLoginModule.authenticate(LDAPLoginModule.java:108)
>
> so my problem is that the ldap response does somehow not contain the group
> information of the logged in user, or maybe the mapping is wrong in the
> config? if anyone has a good idea what i may have done wrong, please give me
> a hint ;)
>
We are sorry to hear it is not working. From the description it seems
like it should have worked. Are you using the GF 3.1 release build?

Can you add <property name="group-search-filter"
value="cn=%s"></property> in addition to group-target.

It appears the current group search filter that is shown in the logs
above [uniquemember=uid=admin1,o=company,c=com,dc=company]
is incorrect for your LDAP settings.

Also send me the full stack trace of the NPE that you mention above, so
we can fix the NPE issue on our trunk and do something more meaningful
instead of an NPE.

Another data point would be to try explicit role to principal mapping in
glassfish-application.xml and see if that works. That will validate that
the LDAP setup is otherwise fine.

When you wrote gallsfish-application.xml there is a spelling mistake
there; I hope the physical file is named correctly, otherwise your
mappings (role to group) would be ignored.

regards,
kumar
>
> --
>
> [Message sent by forum member 'mike_ko']
>
> View Post: http://forums.java.net/node/783668
>
>
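
An added example, not part of either message and not GlassFish code: a simplified Python model of the group lookup discussed in this thread, useful for checking a filter template and a role mapping against known directory content. It assumes `%d` in `group-search-filter` expands to the user's DN and `%s` to the login name, and that the realm reports the values of the `group-target` attribute as group names; the directory entries and the second user are constructed.

```python
# Simplified model of an LDAP realm's group lookup; not GlassFish source code.
# Assumptions: %d in the filter is the user's DN, %s is the login name, and
# group names are the values of the group-target attribute on matching entries.

# Constructed directory content (DN -> attributes), modelled on the thread.
USER_DN = "uid=admin1,o=company,c=com,dc=company"
GROUP_DN = "cn=ADMIN,cn=app1,cn=appgroups,cn=groups,dc=COMPANY"
DIRECTORY = {
    GROUP_DN: {"cn": ["ADMIN"], "uniquemember": [USER_DN]},
    "cn=USER,cn=app1,cn=appgroups,cn=groups,dc=COMPANY": {
        "cn": ["USER"],
        "uniquemember": ["uid=other,o=company,c=com,dc=company"],
    },
}


def expand_filter(template, user_name, user_dn):
    """Substitute the login name and the user DN into a filter template."""
    return template.replace("%s", user_name).replace("%d", user_dn)


def group_search(template, target, user_name, user_dn, directory=DIRECTORY):
    """Return the group-target values of every entry matching attr=value."""
    expanded = expand_filter(template, user_name, user_dn)
    attr, _, value = expanded.partition("=")  # split on the first '=' only
    groups = []
    for attrs in directory.values():
        candidates = [v.lower() for v in attrs.get(attr.lower(), [])]
        if value.lower() in candidates:
            # An entry that lacks the target attribute yields no group name.
            groups.extend(attrs.get(target.lower(), []))
    return groups


def roles_for(groups, role_mapping):
    """role_mapping: role-name -> list of <group-name> values in the descriptor."""
    found = set(groups)
    return sorted(role for role, names in role_mapping.items() if found & set(names))


if __name__ == "__main__":
    groups = group_search("uniquemember=%d", "cn", "admin1", USER_DN)
    print("groups:", groups)
    print("DN as group-name:", roles_for(groups, {"ADMIN": [GROUP_DN]}))
    print("cn as group-name:", roles_for(groups, {"ADMIN": ["ADMIN"]}))
```

In this model the `uniquemember=%d` template expands to the filter shown in the SEC1106 log line, and a target attribute that the matched group entries do not carry produces an empty group list.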