JSAS9 and LDAP
Hi All -
Sorry for the cross-post, I hadn't realized that there was a JSAS-specific forum.
I've been trying to get LDAP auth to work correctly under JSAS9 but am not sure what the security principal to role mappings are supposed to look like. So far, the Administrator's guide has been zero help wrt this.
I'm authenticating against a Windows 2003 server (Active Directory) that operates in Windows 2000 compatibility mode. I've included all the options for authing to AD, and I can packet sniff and see that my login to my web app is authenticating correctly (LDAP success on bind using my bind-dn and bind-password, then success again on binding using my user-supplied credentials). I get permission denied to my web app, though, meaning that my user, once authenticated, is never mapped to a security role (I think?).
My web.xml has role permissions that work for my app (when authing against file, for example), but my sun-web.xml...I'm not sure what to do with it. My user is 'Bob Smith' with userid 'bob' in the windows domain 'ad.test.com'. A query succeeds for sAMAccountName=bob,cn=Users,dc=ad,dc=test,dc=com, and returns the 'real' ID of CN=Bob Smith,cn=Users,dc=ad,dc=test,dc=com. Auth then succeeds when JSAS9 submits that real ID with the password (simple auth).
My role mapping looks thusly:
<security-role-mapping>
    <role-name>myWebAppAllowedRole</role-name>
    <principal-name>bob</principal-name>
    <principal-name>sAMAccountName=bob</principal-name>
    <principal-name>cn=Bob Smith</principal-name>
</security-role-mapping>
(It was my understanding that mapping several principals to the same role should be fine, though maybe not?) bob never gets mapped to the role for any of these choices, though. To make things more annoying, no error is reported in JSAS9's logs (if I type in the wrong password, I do get an auth failure message, but correct password and successful ldap auth gives me nothing). Is there a special way to declare principals as ldap principals in sun-web.xml? Or a way to see what's causing the auth error so that I can be sure that I'm correct in my role assumption?
Cheers, and thanks,
Reid
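A small checker, added here as an example and not taken from the post or from JSAS9's own code, that parses a sun-web.xml security-role-mapping and reports which principal-name or group-name entries would match the identity an LDAP realm reports for a user. It assumes exact string comparison of the reported principal name against each principal-name entry (the realm's actual comparison rules should be confirmed in the server documentation), and the group DN and the candidate identities below are constructed for the example; the group-name element is a real sun-web.xml element that the original mapping does not use.

```python
"""Check which sun-web.xml role-mapping entries would match an LDAP user.

Added example; not the poster's configuration beyond the three principal-name
entries copied from the post, and not JSAS9's own mapping code.
"""
import xml.etree.ElementTree as ET

# Constructed sun-web.xml fragment: the post's three principal-name entries plus
# a hypothetical group-name entry (the group DN is an assumption).
SUN_WEB_XML = """<sun-web-app>
  <security-role-mapping>
    <role-name>myWebAppAllowedRole</role-name>
    <principal-name>bob</principal-name>
    <principal-name>sAMAccountName=bob</principal-name>
    <principal-name>cn=Bob Smith</principal-name>
    <group-name>CN=WebAppUsers,CN=Users,DC=ad,DC=test,DC=com</group-name>
  </security-role-mapping>
</sun-web-app>"""


def parse_role_mappings(xml_text):
    """Return {role_name: (set_of_principal_names, set_of_group_names)}."""
    root = ET.fromstring(xml_text)
    mappings = {}
    for srm in root.iter("security-role-mapping"):
        role = srm.findtext("role-name").strip()
        principals = {p.text.strip() for p in srm.findall("principal-name")}
        groups = {g.text.strip() for g in srm.findall("group-name")}
        mappings[role] = (principals, groups)
    return mappings


def roles_for(subject, mappings):
    """Roles granted to a subject {'principal': str, 'groups': [str, ...]}.

    Assumption: a role is granted when the reported principal name equals one
    principal-name entry exactly, or any reported group equals a group-name.
    """
    granted = set()
    subject_groups = set(subject["groups"])
    for role, (principals, groups) in mappings.items():
        if subject["principal"] in principals or groups & subject_groups:
            granted.add(role)
    return granted


def diagnose(mappings, candidate_principals, candidate_groups):
    """For each role, show which candidate identities would match its entries.

    Useful when it is unclear which form of the user's name the realm reports
    (login name, sAMAccountName=..., full DN): feed every plausible form in and
    see which entries, if any, line up.
    """
    report = {}
    for role, (principals, groups) in mappings.items():
        report[role] = {
            "matched_principals": principals & set(candidate_principals),
            "unmatched_principals": principals - set(candidate_principals),
            "matched_groups": groups & set(candidate_groups),
        }
    return report


if __name__ == "__main__":
    mappings = parse_role_mappings(SUN_WEB_XML)
    # Constructed candidate identities for Bob: the login name, the search
    # filter form, and the full DN the post says the search returns.
    candidates = [
        "bob",
        "sAMAccountName=bob",
        "CN=Bob Smith,CN=Users,DC=ad,DC=test,DC=com",
    ]
    for role, result in diagnose(mappings, candidates, []).items():
        print(role, result)
    # Note that the full DN matches no entry: "cn=Bob Smith" is only the RDN,
    # and the comparison here is exact, so a DN-shaped principal name would
    # need the complete DN as the principal-name value.
```

Run it as a script to see, for each role, which of the candidate identity strings would satisfy the mapping; if the realm reports a form that appears under unmatched_principals, the sun-web.xml entry needs that exact string (or a group-name for a group the user belongs to).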