LdapPasswordAuthenticationDao and roleContext

[robmonie]

I recently grabbed the ldap stuff from the sandbox and am trying to implement this but have a couple of questions for anyone familiar with it.

I'm able to successfully authenticate against the LDAP directory but am not able to return the roles based on the users group membership. I think the reason is due to my roleContext configuration which I don't fully understand. My configuration at this stage is as follows...

Code:

<bean id="ldapDaoImpl" class="net.sf.acegisecurity.providers.dao.ldap.LdapPasswordAuthenticationDao">
         <property name="URL"><value>ldap&#58;//groupware_3&#58;389/</value></property> 
         <property name="rootContext"><value>o=GroupWare,c=AU</value></property> 
         <!-- here &#123;0&#125; is the username -->
         <property name="userContext"><value>cn=&#123;0&#125;,o=GroupWare,c=AU</value></property>
         <property name="roleContext"><value>objectClass=groupOfNames</value></property> 
<!--		<property name="userRolesAttribute"><value>memberOf</value></property>-->
         <!-- here &#123;0&#125; is the distinguished name &#40;which would be uid=USERNAME,ou=Users,dc=mycompany,cd=com
           and &#123;1&#125; is the username. -->
         <property name="roleAttributesSearchFilter"><value>&#40;member=&#123;0&#125;&#41;</value></property> 
         <property name="roleNameAttribute"><value>member</value></property>
         <property name="defaultRole"><value>ROLE_EMPLOYEE</value></property>  
     </bean>

using ldap search to list all groups results in group objects similar to this

CN=WebsiteReaders
cn=WebsiteReaders
mail=WebsiteReaders@company.com
objectClass=top
objectClass=groupOfNames
objectClass=dominoGroup
member=CN=Frank Zappa,O=GroupWare,C=AU
member=CN=Sun Ra,O=GroupWare,C=AU

The ldap directory is coming from a Lotus Notes / Domino server.

the following ldap search command returns all groups in the directory:

ldapsearch -h groupware_3 "objectClass=groupOfNames"

which is why I thought "objectClass=groupOfNames" might be a valid roleContext. Obviously i'm on the wrong track here though.

Can anyone see from the information posted here what would be valid values for the following properties:
- roleContext
- roleAttributesSearchFilter
- roleNameAttribute

thanks,
rob

[rrsIPOV]

Since I'm the one who added this I'll try and answer it... Let me start by saying that I am still working on learning LDAP, and have a long way to go.

• roleContext - should be something lile ou=Groups,o=GroupWare,c=AU (or maybe just o=GroupWare,c=AU); this is the initial point where the LDAP directory will be searched from.
  
• roleAttributesSearchFilter - this one looks pretty much correct to me. You might try changing it to (|(objectClass=groupOfNames)(member={0})) which will only return objects which are of objectClass "groupOfNames" and have the user as a member.
  
• roleNameAttribute - I believe you want this to be cn.
  

[robmonie]

Thanks this makes a little more sense now. I'm still experiencing problems though. I get the error show below in the log...

Does this error indicate that there's something wrong with the role context used or that it can't find a match within that context ?

The following ldapsearch command produces valid results:

ldapsearch -h groupware_3 "(&(member=Rob Monie)(objectClass=groupOfNames))"

It feels like i'm very close but still missing something obvious

Code:

DEBUG - LdapPasswordAuthenticationDao.loadUserByUsernameAndPassword(699) | Connecting to ldap://groupware_3:389/o=GroupWare,c=AU as Rob Monie
INFO - LdapPasswordAuthenticationDao.getRolesFromRoleSearch(544) | Unable to find user-role match in context = o=GroupWare,c=AU
javax.naming.NameNotFoundException: [LDAP: error code 32 - No Such Object]; remaining name 'o=GroupWare,c=AU'
	at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3013)
	at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2934)
	at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2740)
	at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1811)
	at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1734)
	at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1751)
	at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:394)
	at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:362)
	at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:346)
	at javax.naming.directory.InitialDirContext.search(InitialDirContext.java:253)
	at net.sf.acegisecurity.providers.dao.ldap.LdapPasswordAuthenticationDao.getRolesFromRoleSearch(LdapPasswordAuthenticationDao.java:539)
	at net.sf.acegisecurity.providers.dao.ldap.LdapPasswordAuthenticationDao.loadUserByUsernameAndPassword(LdapPasswordAuthenticationDao.java:705)
	at net.sf.acegisecurity.providers.dao.PasswordDaoAuthenticationProvider.getUserFromBackend(PasswordDaoAuthenticationProvider.java:292)
	at net.sf.acegisecurity.providers.dao.PasswordDaoAuthenticationProvider.authenticate(PasswordDaoAuthenticationProvider.java:177)
	at net.sf.acegisecurity.providers.ProviderManager.doAuthentication(ProviderManager.java:159)
	at net.sf.acegisecurity.AbstractAuthenticationManager.authenticate(AbstractAuthenticationManager.java:49)
	at net.sf.acegisecurity.ui.webapp.AuthenticationProcessingFilter.attemptAuthentication(AuthenticationProcessingFilter.java:90)
	at net.sf.acegisecurity.ui.AbstractProcessingFilter.doFilter(AbstractProcessingFilter.java:356)
	at net.sf.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:311)
	at net.sf.acegisecurity.context.HttpSessionContextIntegrationFilter.doFilter(HttpSessionContextIntegrationFilter.java:217)
	at net.sf.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:311)
	at net.sf.acegisecurity.util.FilterChainProxy.doFilter(FilterChainProxy.java:179)
	at net.sf.acegisecurity.util.FilterToBeanProxy.doFilter(FilterToBeanProxy.java:125)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:233)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:204)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:256)
	at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:151)
	at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:564)
	at org.apache.catalina.core.StandardContextValve.invokeInternal(StandardContextValve.java:245)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:199)
	at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:151)
	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:509)
	at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:149)
	at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:564)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:195)
	at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:151)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:164)
	at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:149)
	at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:564)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:156)
	at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:151)
	at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:564)
	at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:972)
	at org.apache.coyote.tomcat5.CoyoteAdapter.service(CoyoteAdapter.java:211)
	at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:805)
	at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:696)
	at org.apache.tomcat.util.net.TcpWorkerThread.runIt(PoolTcpEndpoint.java:605)
	at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:677)
	at java.lang.Thread.run(Thread.java:534)

My new config is as follows

Code:

	<bean id="ldapDaoImpl" class="net.sf.acegisecurity.providers.dao.ldap.LdapPasswordAuthenticationDao">
         <property name="URL"><value>ldap&#58;//groupware_3&#58;389/</value></property> 
         <property name="rootContext"><value>o=GroupWare,c=AU</value></property> 
         <!-- here &#123;0&#125; is the username -->
         <property name="userContext"><value>cn=&#123;0&#125;,o=GroupWare,c=AU</value></property>
         <property name="roleContext"><value>o=GroupWare,c=AU</value></property> 
<!--		<property name="userRolesAttribute"><value>memberOf</value></property>-->
         <!-- here &#123;0&#125; is the distinguished name &#40;which would be uid=USERNAME,ou=Users,dc=mycompany,cd=com
           and &#123;1&#125; is the username. -->
         <property name="roleAttributesSearchFilter"><value><!&#91;CDATA&#91;&#40;&&#40;member=&#123;0&#125;&#41;&#40;objectClass=groupOfNames&#41;&#41;&#93;&#93;></value></property> 
         <property name="roleNameAttribute"><value>cn</value></property>
         <property name="defaultRole"><value>ROLE_EMPLOYEE</value></property>  
     </bean>

[rrsIPOV]

Ok, the error you are getting is because the rootContext is appended onto the userContext. A quick test against my server looks like something like the following should work:

Code:

<bean id="ldapDaoImpl" class="net.sf.acegisecurity.providers.dao.ldap.LdapPasswordAuthenticationDao">
    <property name="URL"><value>ldap&#58;//groupware_3&#58;389/</value></property>
    <!-- here &#123;0&#125; is the username -->
    <property name="userContext"><value>cn=&#123;0&#125;,o=GroupWare,c=AU</value></property>
    <property name="roleContext"><value>o=GroupWare,c=AU</value></property>
    <!-- here &#123;0&#125; is the distinguished name &#40;which would be uid=USERNAME,ou=Users,dc=mycompany,cd=com
       and &#123;1&#125; is the username. -->
    <property name="roleAttributesSearchFilter"><value><!&#91;CDATA&#91;&#40;&&#40;member=&#123;0&#125;&#41;&#40;objectClass=groupOfNames&#41;&#41;&#93;&#93;></value></property>
    <property name="roleNameAttribute"><value>cn</value></property>
    <property name="defaultRole"><value>ROLE_EMPLOYEE</value></property> 
</bean>

[robmonie]

I ended up getting this working by removing the root context as you suggested and also removing the roleContext. I believe this is due to the fact that our ldap directory does not have heirarchical groups. I know very little about ldap so i'm not sure whether this is common or not. However, for the moment it all appears to be working so thanks again for your help.