
Thread: Getting Roles from People via LDAP

  1. #1

    Getting Roles from People via LDAP

    I am trying to log in to my web application, which I have secured with Acegi.

    Here is my LDAP config entry:

    Code:
    ...
    <bean id="initialDirContextFactory"
          class="org.acegisecurity.providers.ldap.DefaultInitialDirContextFactory">
      <constructor-arg value="ldap://xxxxxxxxxxx:389/dc=x,dc=y"/>
      <property name="managerDn"><value>cn=admin,dc=cfc,dc=inhouse</value></property>
      <property name="managerPassword"><value>admin</value></property>
    </bean>

    <bean id="userSearch"
          class="org.acegisecurity.providers.ldap.search.FilterBasedLdapUserSearch">
      <constructor-arg index="0">
        <value></value>
      </constructor-arg>
      <constructor-arg index="1">
        <value>(uid={0})</value>
      </constructor-arg>
      <constructor-arg index="2">
        <ref local="initialDirContextFactory" />
      </constructor-arg>
      <property name="searchSubtree">
        <value>true</value>
      </property>
    </bean>

    <bean id="ldapAuthProvider"
          class="org.acegisecurity.providers.ldap.LdapAuthenticationProvider">
      <constructor-arg>
        <bean class="org.acegisecurity.providers.ldap.authenticator.BindAuthenticator">
          <constructor-arg><ref local="initialDirContextFactory"/></constructor-arg>
          <property name="userDnPatterns"><list><value>uid={0},ou=people</value></list></property>
        </bean>
      </constructor-arg>
      <constructor-arg>
        <bean class="org.acegisecurity.providers.ldap.populator.DefaultLdapAuthoritiesPopulator">
          <constructor-arg><ref local="initialDirContextFactory"/></constructor-arg>
          <constructor-arg><value>ou=Roles</value></constructor-arg>
          <property name="groupRoleAttribute"><value>ou</value></property>
          <!--
          <property name="groupRoleAttribute"><value>ou=Roles</value></property>
          <property name="rolePrefix"><value>ROLE_</value></property>
          <property name="convertToUpperCase"><value>true</value></property>
          -->
        </bean>
      </constructor-arg>
    </bean>
    ...

    <bean id="filterInvocationInterceptor" class="org.acegisecurity.intercept.web.FilterSecurityInterceptor">
      <property name="authenticationManager"><ref bean="authenticationManager"/></property>
      <property name="accessDecisionManager"><ref bean="accessDecisionManager"/></property>
      <property name="objectDefinitionSource">
        <value>
          CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
          PATTERN_TYPE_APACHE_ANT
          /secure/admin/*=ROLE_ADMIN
          /secure/app/*=ROLE_USER
        </value>
      </property>
    </bean>

    ...
    My LDAP server contains People and Roles, which you can see on the attached image.

    As you can see in the code above, I secured one directory with the role ROLE_ADMIN and another with ROLE_USER. My problem is that I can log in to my application, but I cannot access the resources above. In my log file I can see that the username and the password are correct; in this case username: test3, password: test3.

    Code:
    ...
    2006-02-15 18:52:27,328 [http-8180-Processor25] DEBUG org.acegisecurity.intercept.AbstractSecurityInterceptor - Previously Authenticated: org.acegisecurity.providers.UsernamePasswordAuthenticationToken@0: Username: org.acegisecurity.userdetails.User@3106c80: Username: test3; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ; Password: [PROTECTED]; Authenticated: true; Details: org.acegisecurity.ui.WebAuthenticationDetails@fffed504: RemoteIpAddress: 127.0.0.1; SessionId: 18FAD448CB589791E45C9816783D0348; Granted Authorities: 
    2006-02-15 18:52:27,328 [http-8180-Processor25] DEBUG org.springframework.web.context.support.XmlWebApplicationContext - Publishing event in context [org.springframework.web.context.support.XmlWebApplicationContext;hashCode=11150143]: org.acegisecurity.event.authorization.AuthorizationFailureEvent[source=FilterInvocation: URL: /secure/admin/initadmin.htm]
    2006-02-15 18:52:27,328 [http-8180-Processor25] DEBUG org.acegisecurity.ui.ExceptionTranslationFilter - Access is denied (user is not anonymous); sending back forbidden response
    org.acegisecurity.AccessDeniedException: Access is denied
    ...
    The user test3 has ROLE_ADMIN in my LDAP config. Under ROLE_ADMIN I have the following line:

    Code:
    uid=test3,ou=People,dc=x,dc=y
    The problem is that access is denied to this user, and I have no idea what I can change to get access. Maybe my configuration XML is wrong or an additional property is missing.

    I am using Acegi Framework 1.0 RC2. I hope somebody has an idea about my problem! Thanks in advance!

  2. #2
    Luke Taylor, Senior Member, Acegi Security System Team, Spring Team

    Your user isn't being allocated any roles - "Granted Authorities: ;"

    You don't say how the user DNs are stored under the roles. The default is to search for "member=DN", so unless you have a "member" attribute set to uid=test3,ou=People,dc=x,dc=y under your ROLE_ADMIN it probably won't work. You should also be able to perform the search yourself, using ldapsearch for example, before you try it with Acegi:

    ldapsearch -h somehost -p 389 -b ou=Roles,dc=x,dc=y -x -D<manager DN> -w password "member=uid=test3,ou=People,dc=x,dc=y"

    Check the debug output from the LDAP classes to make sure they're doing the right search for roles.
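To make the point in the reply concrete, here is an added example (not code from the thread, and not Acegi's own implementation) that models what DefaultLdapAuthoritiesPopulator does with the poster's settings: search the group base for entries whose `member` attribute holds the user's DN, read the `groupRoleAttribute` (`ou`), and build the authority name. It runs offline against a constructed LDIF-like directory and assumes the `ROLE_` prefix and upper-casing shown in the commented-out properties of the poster's config.

```python
from typing import Dict, List

# Constructed sample directory (not a dump of the poster's server).
# Keys are DNs, values map attribute -> list of values. Only the "admin"
# role entry carries a "member" attribute; the "user" role entry lists the
# user's DN in "description" instead, which the default search ignores.
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "uid=test3,ou=People,dc=x,dc=y": {"uid": ["test3"]},
    "ou=admin,ou=Roles,dc=x,dc=y": {
        "ou": ["admin"],
        "member": ["uid=test3,ou=People,dc=x,dc=y"],
    },
    "ou=user,ou=Roles,dc=x,dc=y": {
        "ou": ["user"],
        "description": ["uid=test3,ou=People,dc=x,dc=y"],
    },
}


def _norm(dn: str) -> str:
    # DNs compare case-insensitively; whitespace around RDNs is insignificant.
    return ",".join(part.strip().lower() for part in dn.split(","))


def search_groups(directory: Dict[str, Dict[str, List[str]]], group_search_base: str,
                  filter_attr: str, user_dn: str) -> List[str]:
    """Model of the group search: entries under the base whose `filter_attr`
    contains the user's DN, i.e. the filter (member={0}) with the DN as {0}."""
    base = _norm(group_search_base)
    wanted = _norm(user_dn)
    return [
        dn for dn, attrs in directory.items()
        if _norm(dn).endswith("," + base)
        and any(_norm(v) == wanted for v in attrs.get(filter_attr, []))
    ]


def granted_authorities(directory: Dict[str, Dict[str, List[str]]], user_dn: str,
                        group_search_base: str = "ou=Roles,dc=x,dc=y",
                        filter_attr: str = "member", group_role_attribute: str = "ou",
                        role_prefix: str = "ROLE_", upper_case: bool = True) -> List[str]:
    """Authorities as the populator would report them in the log line."""
    roles: List[str] = []
    for dn in search_groups(directory, group_search_base, filter_attr, user_dn):
        for value in directory[dn].get(group_role_attribute, []):
            roles.append(role_prefix + (value.upper() if upper_case else value))
    return roles
```

With the constructed data, `granted_authorities(DIRECTORY, "uid=test3,ou=People,dc=x,dc=y")` yields only `ROLE_ADMIN`; an entry that stores the DN anywhere other than the searched attribute contributes nothing, which is exactly the empty "Granted Authorities:" seen in the poster's log.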
