users@glassfish.java.net

Re: LDAP Nested Groups

From: Bernhard Thalmayr <bernhard.thalmayr_at_painstakingminds.com>
Date: Tue, 22 Nov 2011 15:50:26 +0100

Looking at the code of 'LDAPRealm.java', it does not seem that it will be
capable of handling nested groups ... (as this would be some recursive process
- check if the member of a group is itself a [dynamic] group).

-Bernhard

On Tue, Nov 22, 2011 at 9:07 AM, Kumar Jayanti <v.b.kumar.jayanti_at_oracle.com> wrote:

> If you think the filters specified are correct, you may want to look at
> LDAPRealm.java and see if there is a bug. Or please file a bug and let us
> know how we can reproduce it.
> On 21-Nov-2011, at 9:25 PM, forums_at_java.net wrote:
>
> > We are looking to port an existing Java application from WebSphere 7 to
> > GlassFish and have discovered an issue with nested groups.
> >
> > We have set up our realms and have got security working with specified
> > users and with single tier groups, however are struggling to get nested
> > groups working. Please find below one of our realm configs.
> >
> > <auth-realm name="ACL-AD"
> >     classname="com.sun.enterprise.security.auth.realm.ldap.LDAPRealm">
> >   <property name="search-bind-dn"
> >       value="CN=websphere admin,OU=ACL Users,DC=ACL,DC=MANCS"></property>
> >   <property name="search-bind-password"
> >       value="*******"></property>
> >   <property name="search-filter"
> >       value="(&amp;(objectCategory=person)(objectClass=user)(sAMAccountName=%s))"></property>
> >   <property name="group-search-filter"
> >       value="(&amp;(objectCategory=group)(member=%d))"></property>
> >   <property name="jaas-context"
> >       value="ldapRealm"></property>
> >   <property name="base-dn"
> >       value="OU=ACL Users,DC=ACL,DC=MANCS"></property>
> >   <property name="directory"
> >       value="ldap://*.*.*.*:389"></property>
> > </auth-realm>
> >
> > We have tried this configuration with both Active Directory and Apache
> > Directory Server so we are pretty sure it isn't an issue with our
> > directory config.
> >
> > Thanks in advance for your help.
> >
> >
> > --
> >
> > [Message sent by forum member 'kytie']
> >
> > View Post: http://forums.java.net/node/866269
> >
> >
>
>


-- 
IT-Consulting Bernhard Thalmayr
- Painstaking Minds -
83620 Vagen (Munich area)
Germany
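
The recursive membership check described at the top of this message, as an added example that is not part of the thread and not GlassFish's LDAPRealm code. It assumes a constructed in-memory directory in place of a live server: the hypothetical `directGroups` function stands in for one search with the `(member=%d)` filter, and DNs are compared as exact strings.

```java
import java.util.*;
import java.util.function.Function;

// Added example, not GlassFish code: transitive group resolution with a
// cycle guard, so circular nesting in the directory cannot hang a login.
public class NestedGroupResolver {

    // Hypothetical upper bound on groups expanded for one principal.
    static final int MAX_GROUPS = 1000;

    // Returns every group DN the entry belongs to, directly or via nesting.
    static Set<String> resolve(String userDn,
                               Function<String, List<String>> directGroups) {
        Set<String> seen = new LinkedHashSet<>();
        Deque<String> queue = new ArrayDeque<>();
        queue.add(userDn);
        while (!queue.isEmpty()) {
            String dn = queue.remove();
            for (String group : directGroups.apply(dn)) {
                // add() returns false for a group already expanded, which
                // ends loops such as Staff -> Developers -> Staff.
                if (seen.add(group)) {
                    if (seen.size() > MAX_GROUPS) {
                        throw new IllegalStateException("group expansion limit exceeded");
                    }
                    queue.add(group); // a group can itself be a member of other groups
                }
            }
        }
        return seen;
    }

    public static void main(String[] args) {
        // Constructed sample data: group DN -> DNs listed in its member attribute.
        Map<String, List<String>> members = new LinkedHashMap<>();
        members.put("CN=Developers,DC=example,DC=test",
                List.of("CN=alice,DC=example,DC=test", "CN=Staff,DC=example,DC=test"));
        members.put("CN=Staff,DC=example,DC=test",
                List.of("CN=Developers,DC=example,DC=test"));
        members.put("CN=AppUsers,DC=example,DC=test",
                List.of("CN=Staff,DC=example,DC=test"));

        // Stand-in for one LDAP search using the filter (member=<dn>).
        Function<String, List<String>> directGroups = dn -> {
            List<String> out = new ArrayList<>();
            members.forEach((group, m) -> { if (m.contains(dn)) out.add(group); });
            return out;
        };
        System.out.println(resolve("CN=alice,DC=example,DC=test", directGroups));
    }
}
```

With a single-pass group search only the first group in the constructed data would be found for the sample user; the loop above also reaches the groups that contain that group.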