Glassfish and Windows Active Directory


jnem1281

Has anyone experience with authentication and authorization? I get the
prompt for username and password; a wrong password gets the prompt
again, a correct password goes to an error 403 page.
web.xml:
  <security-constraint>
    <display-name>uživatel</display-name>
    <web-resource-collection>
      <web-resource-name>users</web-resource-name>
      <description>For all users</description>
      <url-pattern>/domain_users/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
      <http-method>HEAD</http-method>
      <http-method>PUT</http-method>
      <http-method>OPTIONS</http-method>
      <http-method>TRACE</http-method>
      <http-method>DELETE</http-method>
    </web-resource-collection>
    <auth-constraint>
      <description>Užíváci</description>
      <role-name>DomainUsers</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>ELZEL_LDAP</realm-name>
  </login-config>
  <security-role>
    <description>uživatelé</description>
    <role-name>DomainUsers</role-name>
  </security-role>

mapping in sun-web.xml:
  <security-role-mapping>
    <role-name>DomainUsers</role-name>
    <group-name>Domain Users</group-name>
  </security-role-mapping>

and setting in domain.xml:
  <auth-realm classname="com.sun.enterprise.security.auth.realm.ldap.LDAPRealm"
              name="ELZEL_LDAP">
    <property name="directory" value="ldap://******.cz:389"/>
    <property name="base-dn" value="DC=*****,DC=cz"/>
    <property name="jaas-context" value="ldapRealm"/>
    <property name="search-bind-dn" value="******"/>
    <property name="search-bind-password" value="******"/>
    <!-- %s is replaced by the login name; the filter's '&' must be written as &amp; inside an XML attribute -->
    <property name="search-filter" value="(&amp;(objectClass=user)(sAMAccountName=%s))"/>
    <!-- %d is replaced by the DN of the user entry found by search-filter -->
    <property name="group-search-filter" value="(&amp;(objectClass=group)(member=%d))"/>
  </auth-realm>

And I am at my wits' end ... I have Admin rights in Active Directory
and of course I am in the Domain Users group (via another group). I suspect
the code (&(objectClass=group)(member=%d)) as the problem, but what is
correct???
 
jnem1281
Problem is solved - the user has to be a direct member of the group (not a
member of a group that is a member of the requested group), and moreover it
cannot be the "primary" group of the user ...

If anyone can fix the problem above, a hint is welcome.

JN
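As an added illustration (not code from the thread or from GlassFish), the script below models the two failure modes the thread ends on: a realm whose group lookup is `(&(objectClass=group)(member=%d))` only sees groups that list the user's DN directly, so membership reached through a nested group, or through the user's primary group (linked by primaryGroupID, which AD does not mirror into `member`), never reaches the role mapping. The directory contents and DNs are constructed for the example.

```python
# Constructed sample directory (not the poster's real data). The user reaches
# "Domain Users" only via the nested group "Developers", and also has it as
# primary group (primaryGroupID 513 matches the group's primaryGroupToken).
USER_DN = "CN=jnem,CN=Users,DC=example,DC=cz"
DIRECTORY = {
    USER_DN: {"objectClass": ["user"], "sAMAccountName": "jnem",
              "primaryGroupID": 513},
    "CN=Domain Users,CN=Users,DC=example,DC=cz": {
        "objectClass": ["group"], "primaryGroupToken": 513,
        "member": ["CN=Developers,OU=Groups,DC=example,DC=cz"]},
    "CN=Developers,OU=Groups,DC=example,DC=cz": {
        "objectClass": ["group"], "member": [USER_DN]},
}


def cn(dn):
    """Value of the first RDN of a DN, e.g. 'Domain Users'."""
    return dn.split(",")[0].split("=", 1)[1]


def direct_groups(user_dn, directory=DIRECTORY):
    """What (&(objectClass=group)(member=%d)) returns once %d is the user's
    DN: only groups whose 'member' attribute names the user directly."""
    return {cn(dn) for dn, e in directory.items()
            if "group" in e["objectClass"] and user_dn in e.get("member", [])}


def effective_groups(user_dn, directory=DIRECTORY):
    """Transitive membership: seed with the primary group (matched on
    primaryGroupToken), then walk 'member' links upward until no new group."""
    groups = {dn for dn, e in directory.items() if "group" in e["objectClass"]}
    pgid = directory[user_dn].get("primaryGroupID")
    found = {g for g in groups if directory[g].get("primaryGroupToken") == pgid}
    todo = [user_dn] + sorted(found)
    while todo:
        dn = todo.pop()
        for g in groups:
            if dn in directory[g].get("member", []) and g not in found:
                found.add(g)
                todo.append(g)
    return {cn(g) for g in found}


def authorized(user_dn, role_group, resolver):
    """Outcome of the <auth-constraint>: True grants access, False is the 403."""
    return role_group in resolver(user_dn)
```

Against a real AD the same transitive walk can be pushed to the server with the LDAP_MATCHING_RULE_IN_CHAIN rule (`member:1.2.840.113556.1.4.1941:=%d`), where the realm's filter allows it; the primary group still has to be handled separately.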
 
