Geronimo > OpenLDAP not quite right......


Geronimo > OpenLDAP not quite right......

VPCL
Hi:

I'm currently using Geronimo 2.2 and OpenLDAP: slapd 2.3.43.

I'm trying to create an LDAP Security Realm on the Geronimo server that will query my OpenLDAP server. For the most part, it works. However, the realm cannot seem to differentiate between the two different groups on the LDAP server, resulting in any member being authenticated no matter which group they belong to, which is not what I want. I'm only trying to authenticate users if they are members of the 'CLINICS' group.

Here’s how my LDAP is setup:

dc=mydomain,dc=on,dc=ca (objectClass=dcObject, organization)
  ou=groups (objectClass=organizationalUnit)
    cn=ADMIN (objectClass=groupOfUniqueNames)
    cn=CLINICS (objectClass=groupOfUniqueNames)
      uid=User1,ou=people,dc=mydomain,dc=on,dc=ca
      uid=User2,ou=people,dc=mydomain,dc=on,dc=ca
      uid=User3,ou=people,dc=mydomain,dc=on,dc=ca
    cn=SUPPLIERS (objectClass=groupOfUniqueNames)
      uid=Supplier1,ou=people,dc=mydomain,dc=on,dc=ca
      uid=Supplier2,ou=people,dc=mydomain,dc=on,dc=ca
  ou=people (objectClass=organizationalUnit)
    uid=User1 (objectClass=inetOrgPerson)
    uid=User2 (objectClass=inetOrgPerson)
    uid=User3 (objectClass=inetOrgPerson)
    uid=Supplier1 (objectClass=inetOrgPerson)
    uid=Supplier2 (objectClass=inetOrgPerson)

On the Geronimo Side, here is how I set up my realm:

Initial Context Factory: com.sun.jndi.ldap.LdapCtxFactory
Connection URL: ldap://localhost:389
Connect Username: cn=someuser,dc=mydomain,dc=on,dc=ca
Connect Password: secret
Confirm Password: secret
Connect Protocol:
Authentication: simple
User Base: ou=people,dc=mydomain,dc=on,dc=ca
User Search Matching: uid={0}
User Search Subtree: false
Role Base: cn=CLINICS,ou=groups,dc=vpcl,dc=on,dc=ca
Role Name: cn
Role User Search String: uid={0}
Role Search Subtree: false
User Role Search String: memberOf={0}


I've tried replacing the 'User Search Matching' and/or the 'Role User Search String' with stuff like:

(&(uid={0})(cn=CLINICS,ou=groups,dc=mydomain,dc=on,dc=ca)(attr=uniqueMember))

But it’s just not working out.

On a side note: I do have Apache directives using this LDAP database as well as some PHP Applications. I just don’t know why I can’t get Geronimo to work with it.

Any help would be appreciated.

Thanks...

Fred
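An added example, not code from the thread, from Geronimo or from OpenLDAP, that reproduces the two lookups a group-restricted login needs against the tree shown in the post: resolve the login name to a DN under ou=people, then ask ou=groups whether cn=CLINICS lists that DN as a uniqueMember. It runs against a constructed in-memory copy of the directory (no server is contacted), and its filter evaluator only supports equality, presence, &, | and !. Two points it makes that the post does not: the memberOf attribute named in the realm's 'User Role Search String' is maintained by the memberof overlay, which only appeared in OpenLDAP 2.4, so on slapd 2.3 the membership test has to be run from the group side; and whatever is substituted for {0} in uid={0} must be RFC 4515 escaped, otherwise a login name of * matches every user. The function and directory names are the example's own.

```python
"""Added example; not code from the thread, Geronimo or OpenLDAP.

Reproduces the two lookups a group-restricted login needs: resolve the
login name to a DN under ou=people, then check that the CLINICS group
lists that DN as a uniqueMember. It runs against a constructed
in-memory copy of the directory from the post, so no server is needed;
the filter evaluator only supports what the example uses (equality,
presence, &, |, !), not substring or extensible matches.
"""
import re

BASE = "dc=mydomain,dc=on,dc=ca"
USER_BASE = "ou=people," + BASE
GROUP_BASE = "ou=groups," + BASE

# Constructed directory mirroring the tree shown in the post.
DIRECTORY = {
    f"uid={u},{USER_BASE}": {"objectClass": ["inetOrgPerson"], "uid": [u]}
    for u in ["User1", "User2", "User3", "Supplier1", "Supplier2"]
}
for group, members in {"ADMIN": [], "CLINICS": ["User1", "User2", "User3"],
                       "SUPPLIERS": ["Supplier1", "Supplier2"]}.items():
    DIRECTORY[f"cn={group},{GROUP_BASE}"] = {
        "objectClass": ["groupOfUniqueNames"], "cn": [group],
        "uniqueMember": [f"uid={m},{USER_BASE}" for m in members],
    }

_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_filter(value: str) -> str:
    """RFC 4515 escaping for anything substituted into a filter, e.g. the {0}
    in Geronimo's uid={0}. Without it a login name of '*' matches every user."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def _unescape(raw: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), raw)

def _parse(f: str, i: int):
    """Parse one parenthesised filter at f[i]; return (node, index after it)."""
    if f[i] != "(":
        raise ValueError(f"expected '(' at {i} in {f!r}")
    i += 1
    if f[i] in "&|!":
        op, kids, i = f[i], [], i + 1
        while f[i] == "(":
            node, i = _parse(f, i)
            kids.append(node)
        if f[i] != ")":
            raise ValueError(f"unclosed {op} at {i} in {f!r}")
        return (op, kids), i + 1
    end = f.index(")", i)                 # safe: a literal ')' in a value is escaped
    attr, _, raw = f[i:end].partition("=")
    return ("=", attr.lower(), raw), end + 1

def _matches(node, attrs) -> bool:
    op = node[0]
    if op == "&":
        return all(_matches(k, attrs) for k in node[1])
    if op == "|":
        return any(_matches(k, attrs) for k in node[1])
    if op == "!":
        return not _matches(node[1][0], attrs)
    _, attr, raw = node
    vals = next((v for k, v in attrs.items() if k.lower() == attr), [])
    if raw == "*":                         # presence filter
        return bool(vals)
    return _unescape(raw).lower() in (v.lower() for v in vals)

def search(base: str, filt: str, subtree: bool = False) -> list:
    """Return the DNs under base that match filt (one level unless subtree)."""
    node, _ = _parse(filt, 0)
    base_l = base.lower()
    hits = []
    for dn, attrs in DIRECTORY.items():
        dn_l = dn.lower()
        if not dn_l.endswith("," + base_l):
            continue
        rdn = dn_l[: -len(base_l) - 1]
        if not subtree and "," in rdn:
            continue
        if _matches(node, attrs):
            hits.append(dn)
    return hits

def is_group_member(uid: str, group_cn: str = "CLINICS") -> bool:
    """Step 1: the realm's user search (User Base + uid={0}) must find exactly one entry.
    Step 2: search ou=groups for the named group with uniqueMember equal to that DN.
    Only a True result should be allowed through; the check is done from the group
    side because slapd 2.3 maintains no memberOf attribute on the user entry."""
    users = search(USER_BASE, f"(uid={escape_filter(uid)})")
    if len(users) != 1:
        return False
    group_filter = (f"(&(objectClass=groupOfUniqueNames)(cn={escape_filter(group_cn)})"
                    f"(uniqueMember={escape_filter(users[0])}))")
    return bool(search(GROUP_BASE, group_filter))

if __name__ == "__main__":
    for name in ["User1", "Supplier1", "*"]:
        print(f"{name!r:12} CLINICS member: {is_group_member(name)}")
    print("unescaped (uid=*) would match:", len(search(USER_BASE, "(uid=*)")), "users")
```

The group filter above is the same one that can be handed to ldapsearch against the real server to confirm the data before touching the realm: `ldapsearch -x -b ou=groups,dc=mydomain,dc=on,dc=ca '(&(objectClass=groupOfUniqueNames)(cn=CLINICS)(uniqueMember=uid=User1,ou=people,dc=mydomain,dc=on,dc=ca))' dn`. A realm that merely turns group membership into role principals will still authenticate a valid bind from a SUPPLIERS user; the rejection has to come either from the user search returning nothing for non-members or from the deployed application requiring the CLINICS role.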

Re: Geronimo > OpenLDAP not quite right......

David Jencks
My understanding of LDAP is kinda limited but I think that you are asking to authenticate all your users under ou=people but that you want to assign permissions only to the CLINICS group.

If you want to only authenticate people in the clinics group you need a query that will only return those people. I'm not sure how to construct such an LDAP query.

hope this makes sense

david jencks


On Apr 3, 2013, at 2:10 PM, VPCL <[hidden email]> wrote:

> Hi:
>
> I'm currently using Geronimo 2.2 and OpenLDAP: slapd 2.3.43.
>
> I’m trying to create an LDAP Security Realm on the Geronimo server that will
> query my OpenLDAP server. For the most part, it works. However, the realm
> cannot seem to differentiate between the two different groups on the LDAP
> server. Resulting in any member being authenticated no matter which group
> they belong to, which is not what I want. I’m only trying to authenticate
> users if they are members of the 'CLINICS' group.
>
> Here’s how my LDAP is setup:
>
> dc=mydomain,dc=on,dc=ca (objectClass=dcObject, organization)
>  ou=groups (objectClass=organizationalUnit)
>    cn=ADMIN (objectClass=groupOfUniqueNames)
>    cn=CLINICS (objectClass=groupOfUniqueNames)
>      uid=User1,ou=people,dc=mydomain,dc=on,dc=ca
>      uid=User2,ou=people,dc=mydomain,dc=on,dc=ca
>      uid=User3,ou=people,dc=mydomain,dc=on,dc=ca
>    cn=SUPPLIERS (objectClass=groupOfUniqueNames)
>      uid=Supplier1,ou=people,dc=mydomain,dc=on,dc=ca
>      uid=Supplier2,ou=people,dc=mydomain,dc=on,dc=ca
>  ou=people (objectClass=organizationalUnit)
>    uid=User1 (objectClass=inetOrgPerson)
>    uid=User2 (objectClass=inetOrgPerson)
>    uid=User3 (objectClass=inetOrgPerson)
>    uid=Supplier1 (objectClass=inetOrgPerson)
>    uid=Supplier1 (objectClass=inetOrgPerson)
>
> On the Geronimo Side, here is how I set up my realm:
>
> Initial Context Factory: com.sun.jndi.ldap.LdapCtxFactory
> Connection URL: ldap://localhost:389
> Connect Username: cn=someuser,dc=mydomain,dc=on,dc=ca
> Connect Password: secret
> Confirm Password: secret
> Connect Protocol:
> Authentication: simple
> User Base: ou=people,dc=mydomain,dc=on,dc=ca
> User Search Matching: uid={0}
> User Search Subtree: false
> Role Base: cn=CLINICS,ou=groups,dc=vpcl,dc=on,dc=ca
> Role Name: cn
> Role User Search String: uid={0}
> Role Search Subtree: false
> User Role Search String: memberOf={0}
>
>
> I’ve tried replacing the ‘User Search Matching’ and or the ‘Role User Search
> String’ with stuff like:
>
> (&(uid={0})(cn=CLINICS,ou=groups,dc=mydomain,dc=on,dc=ca)(attr=uniqueMember))
>
> But it’s just not working out.
>
> On a side note: I do have Apache directives using this LDAP database as well
> as some PHP Applications. I just don’t know why I can’t get Geronimo to work
> with it.
>
> Any help would be appreciated.
>
> Thanks...
>
> Fred
>
>
>
>
> --
> View this message in context: http://apache-geronimo.328035.n3.nabble.com/Geronimo-OpenLDAP-not-quite-right-tp3986519.html
> Sent from the Users mailing list archive at Nabble.com.


Re: Geronimo > OpenLDAP not quite right......

VPCL
Hi David:

You're quite right. I am trying to authenticate users in ou=people, and they must be members of the groupOfUniqueNames: 'CLINICS'. I've tried this sort of thing:

(&(uid={0})(cn=CLINICS,ou=groups,dc=mydomain,dc=on,dc=ca)(attr=uniqueMember))

But, I'm not getting it....

Re: Geronimo > OpenLDAP not quite right......

jfield
I just saw this post today, as I have been working on debugging my own configuration of an OpenLDAP setup with the LDAPLoginModule.

As there is no logging on the Geronimo side, I would suggest turning on logging on the OpenLDAP server. That would mean starting OpenLDAP with additional -d -1 flags such as

${openldap.root}/lib/slapd -h ldap://${ldap.host}:${ldap.port} -f ${openldap.root}/etc/openldap/slapd.conf -F ${openldap.root}/etc/openldap -d -1

At least this way you can see what OpenLDAP is returning to Geronimo (if anything).

HTH,
John