geronimo-user mailing list archives

From David Jencks <david_jen...@yahoo.com>
Subject Re: Geronimo > OpenLDAP not quite right......
Date Wed, 03 Apr 2013 22:10:05 GMT
My understanding of ldap is kinda limited but I think that you are asking to authenticate all
your users under ou=people but that you want to assign permissions only to the CLINICS group.

If you want to only authenticate people in the clinics group you need a query that will only
return those people.  I'm not sure how to construct such an ldap query.

hope this makes sense

david jencks


On Apr 3, 2013, at 2:10 PM, VPCL <vetpurch@hotmail.com> wrote:

> Hi:
> 
> I'm currently using Geronimo 2.2 and OpenLDAP: slapd 2.3.43.
> 
> I’m trying to create an LDAP Security Realm on the Geronimo server that will
> query my OpenLDAP server. For the most part, it works. However, the realm
> cannot seem to differentiate between the two different groups on the LDAP
> server, resulting in any member being authenticated no matter which group
> they belong to, which is not what I want. I’m only trying to authenticate
> users if they are members of the 'CLINICS' group.
> 
> Here’s how my LDAP is set up:
> 
> dc=mydomain,dc=on,dc=ca		(objectClass=dcObject, organization)
>  ou=groups			(objectClass=organizationalUnit)
>    cn=ADMIN			(objectClass=groupOfUniqueNames)
>    cn=CLINICS			(objectClass=groupOfUniqueNames)
>      uid=User1,ou=people,dc=mydomain,dc=on,dc=ca
>      uid=User2,ou=people,dc=mydomain,dc=on,dc=ca
>      uid=User3,ou=people,dc=mydomain,dc=on,dc=ca
>    cn=SUPPLIERS			(objectClass=groupOfUniqueNames)
>      uid=Supplier1,ou=people,dc=mydomain,dc=on,dc=ca
>      uid=Supplier2,ou=people,dc=mydomain,dc=on,dc=ca
>  ou=people			(objectClass=organizationalUnit)
>    uid=User1			(objectClass=inetOrgPerson)
>    uid=User2			(objectClass=inetOrgPerson)
>    uid=User3			(objectClass=inetOrgPerson)
>    uid=Supplier1			(objectClass=inetOrgPerson)
>    uid=Supplier1			(objectClass=inetOrgPerson)
> 
> On the Geronimo side, here is how I set up my realm:
> 
> Initial Context Factory: com.sun.jndi.ldap.LdapCtxFactory
> Connection URL: ldap://localhost:389
> Connect Username: cn=someuser,dc=mydomain,dc=on,dc=ca 
> Connect Password: secret
> Confirm Password: secret
> Connect Protocol:
> Authentication: simple
> User Base: ou=people,dc=mydomain,dc=on,dc=ca 
> User Search Matching: uid={0}
> User Search Subtree: false
> Role Base: cn=CLINICS,ou=groups,dc=vpcl,dc=on,dc=ca
> Role Name: cn
> Role User Search String: uid={0}
> Role Search Subtree: false
> User Role Search String: memberOf={0}
> 
> 
> I’ve tried replacing the ‘User Search Matching’ and/or the ‘Role User Search
> String’ with stuff like:
> 
> (&(uid={0})(cn=CLINICS,ou=groups,dc=mydomain,dc=on,dc=ca)(attr=uniqueMember))
> 
> But it’s just not working out. 
> 
> On a side note: I do have Apache directives using this LDAP database as well
> as some PHP Applications. I just don’t know why I can’t get Geronimo to work
> with it.
> 
> Any help would be appreciated.
> 
> Thanks...
> 
> Fred
> 
> 
> 
> 
> --
> View this message in context: http://apache-geronimo.328035.n3.nabble.com/Geronimo-OpenLDAP-not-quite-right-tp3986519.html
> Sent from the Users mailing list archive at Nabble.com.
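To make the point in the reply concrete, here is an added example (not code from this thread, and not Geronimo's or OpenLDAP's own code): a small in-memory model of the directory tree Fred posted, with an LDAP-style equality-filter search that honours one-level and subtree scope. It shows that a filter evaluated under ou=people cannot select CLINICS members, because the inetOrgPerson entries hold no membership attribute (the tree in the post shows none, and the example assumes the server maintains no memberOf), whereas a search under ou=groups for (uniqueMember=<user DN>) does identify them; a login flow then binds as the user and only succeeds if that group search yields the CLINICS role. The passwords, the function names and the mapping of the realm's "subtree: false" setting to a standard one-level search are assumptions made for the example; a single suffix (dc=mydomain,dc=on,dc=ca) is used throughout.

```python
"""Added example, not code from the thread, Geronimo or OpenLDAP: an in-memory
model of the directory described in the post, used to show how membership in a
groupOfUniqueNames is checked from the group side (uniqueMember=<user DN>) and
why a filter on the user entry such as memberOf=... finds nothing when the
server keeps no memberOf attribute. Passwords and names are constructed."""

BASE = "dc=mydomain,dc=on,dc=ca"
PEOPLE = f"ou=people,{BASE}"
GROUPS = f"ou=groups,{BASE}"


def norm_dn(dn: str) -> str:
    """Normalise a DN for comparison: lower-case, no whitespace around commas."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


# Constructed entries mirroring the tree in the post (DN -> attributes).
# The inetOrgPerson entries carry no memberOf; membership lives only in the groups.
DIRECTORY = {
    PEOPLE: {"objectClass": ["organizationalUnit"]},
    GROUPS: {"objectClass": ["organizationalUnit"]},
    f"uid=User1,{PEOPLE}": {"objectClass": ["inetOrgPerson"], "uid": ["User1"], "userPassword": ["user1-pw"]},
    f"uid=User2,{PEOPLE}": {"objectClass": ["inetOrgPerson"], "uid": ["User2"], "userPassword": ["user2-pw"]},
    f"uid=Supplier1,{PEOPLE}": {"objectClass": ["inetOrgPerson"], "uid": ["Supplier1"], "userPassword": ["supplier1-pw"]},
    f"cn=CLINICS,{GROUPS}": {"objectClass": ["groupOfUniqueNames"], "cn": ["CLINICS"],
                             "uniqueMember": [f"uid=User1,{PEOPLE}", f"uid=User2,{PEOPLE}"]},
    f"cn=SUPPLIERS,{GROUPS}": {"objectClass": ["groupOfUniqueNames"], "cn": ["SUPPLIERS"],
                               "uniqueMember": [f"uid=Supplier1,{PEOPLE}"]},
}


def in_scope(dn: str, base: str, subtree: bool) -> bool:
    """LDAP scope check: subtree = any descendant of base; otherwise one level
    (exactly one RDN below base; the base entry itself is never returned)."""
    dn, base = norm_dn(dn), norm_dn(base)
    if not dn.endswith("," + base):
        return False
    rdn = dn[: -len(base) - 1]
    return subtree or "," not in rdn


def search(base: str, attr: str, value: str, subtree: bool = False) -> list:
    """Evaluate the equality filter (attr=value) under base; returns matching DNs.
    DN-valued attributes (uniqueMember, memberOf) compare as normalised DNs."""
    hits = []
    for dn, entry in DIRECTORY.items():
        if not in_scope(dn, base, subtree):
            continue
        values = entry.get(attr, [])
        if attr.lower() in ("uniquemember", "memberof"):
            matched = norm_dn(value) in {norm_dn(v) for v in values}
        else:
            matched = value.lower() in {v.lower() for v in values}
        if matched:
            hits.append(dn)
    return hits


def bind(dn: str, password: str) -> bool:
    """Simple bind: succeeds only if the entry exists and the password matches."""
    entry = DIRECTORY.get(dn)
    return entry is not None and password in entry.get("userPassword", [])


def clinics_members_via_user_filter() -> list:
    """User-side attempt: (memberOf=cn=CLINICS,...) evaluated under ou=people.
    Empty here, because these user entries hold no memberOf attribute."""
    return search(PEOPLE, "memberOf", f"cn=CLINICS,{GROUPS}")


def roles_via_group_search(user_dn: str) -> list:
    """Group-side lookup: one-level search under ou=groups for
    (uniqueMember=<user DN>); the role name is the matching group's cn."""
    return [DIRECTORY[g]["cn"][0] for g in search(GROUPS, "uniqueMember", user_dn)]


def login(username: str, password: str, required_role: str = "CLINICS"):
    """Realm-style flow: locate the user under ou=people (uid=<name>), bind as
    that user, then authorize only if the group search yields required_role.
    Returns (authorized, roles)."""
    users = search(PEOPLE, "uid", username)
    if len(users) != 1 or not bind(users[0], password):
        return False, []  # unknown user or wrong password: no roles at all
    roles = roles_via_group_search(users[0])
    return required_role in roles, roles


if __name__ == "__main__":
    print("User1:", login("User1", "user1-pw"))            # (True, ['CLINICS'])
    print("Supplier1:", login("Supplier1", "supplier1-pw"))  # (False, ['SUPPLIERS'])
    print("user-side filter:", clinics_members_via_user_filter())  # []
```

Two details worth noticing when mapping this back to a realm configuration: the authentication step (find the user, bind) succeeds for anyone under ou=people, so the restriction to CLINICS has to come from the role step, and a one-level search whose base is the group entry itself (cn=CLINICS,ou=groups,...) returns nothing, because the members are attribute values of that entry rather than child entries; the group search needs ou=groups (or a subtree search from a higher base) as its base.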

