I've written a new article describing how to integrate Seam Security with OpenLDAP, using the new features in Seam 2.1.0. You can read the article here. Comments are welcome here, enjoy.
Tags: Seam News
Created: 12. Sep 2008, 13:13 CET (Shane Bryzak)
Last Modified: 12. Sep 2008, 13:15 CET (Shane Bryzak)
The link is broken. The correct version adds an to articles: My Link
Adam
Hello Shane, I have an article on how to authenticate on Apache DS. It's written in Portuguese, but nothing that a Google translator couldn't help with. Here's the link: My Link. I'm preparing the second part that uses the Identity Management to create users, and soon one for permissions.
Regards
Thanks for the link Vinicius. I'm still hoping to get my hands on some kind of Windows server running Active Directory too, that way most of the major LDAP directories will be covered.
I set up OpenLDAP on Ubuntu and I was able to integrate Seam with OpenLDAP.
You should not hijack an existing schema to add your attributes to. Please create your own.
Thanks.
I'm trying to build an application that authenticates via LDAP, and I have used your configuration.
But I have a problem: my LDAP users are identified via cn and not uid as usual, so when I try to authenticate them with the username (uid) I get this error:
[LDAP: error code 49 - Invalid Credentials]
but if I configure user-DN-prefix="cn=" instead of "uid=" I am able to authenticate the users with their canonical name, but this is not what I want.
My Question:
How can I set the users to be searched for by uid instead of cn in my ldap-identity-store configuration?
Thanks in advance
Paulo
Hi!
I have the same problem. Have you found a solution?
Thanks ! Nicolas
Shane, I have tested it, but the role groups are not working. Do I need to set up anything additional for it?
When I create a role as a member of another role, the role is created but the member-of property in the list stays blank. When I edit a role and try to save it, it fails.
Regards
In relation to my question about groups: 1. I have reviewed the source code; the method addRoleToGroup is not implemented. 2. It was failing because there was a problem in the method roleExists; I have patched this method, implementing the same functionality that is in the userExists method.
Regards
Great article. An alternative to the process of downloading openldap: since you are already using cygwin, select the optional openldap package from the cygwin net category. Then all you have to do is update the config files. Thanks!
I did as the article says. My DIT document is like this:
dn: dc=peercoaching,dc=cn
objectClass: dcObject
objectClass: organization
o: peercoaching
dc: peercoaching
description: peercoaching dot cn

dn: cn=manager,dc=peercoaching,dc=cn
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: manager
userPassword: secret
description: ldap administrator

dn: ou=Person,dc=peercoaching,dc=cn
objectClass: organizationalUnit
objectClass: top
description: user

dn: ou=Roles,dc=peercoaching,dc=cn
objectClass: organizationalUnit
objectClass: top
description: roles

dn: cn=admin,ou=Roles,dc=peercoaching,dc=cn
objectClass: organizationalRole
objectClass: top

dn: uid=lidongxing,cn=admin,ou=Roles,dc=peercoaching,dc=cn
roles: cn=admin,ou=Roles,dc=peercoaching,dc=cn
objectClass: person
objectClass: uidObject
objectClass: top
uid: lidongxing
sn: li
cn: lidongxing
userPassword: lidongxing
enabled: TRUE
description: entity user
but I can't log in to seamspace with the username "lidongxing" and password "lidongxing".
Why?
I hope to get the answer quickly.
Thank you.
With the .ldif, the LDAP service runs successfully, but I can't log in to seamspace.
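An added illustration (not Seam's code, and not the article's) that serves both Paulo's question above about logging in by uid when the RDN is cn, and the LDIF in this comment: it parses the posted entries and contrasts a store that builds the bind DN as user-DN-prefix + username + user-DN-suffix (the behaviour the comments above describe) with a search on the uid attribute, which finds the entry regardless of which attribute forms its RDN or where in the tree it sits. The suffix ,ou=Person,dc=peercoaching,dc=cn and the plaintext userPassword comparison are assumptions made for the demo.

```python
from collections import defaultdict

# Constructed excerpt of the LDIF posted above (plaintext userPassword, as posted).
LDIF = """\
dn: ou=Person,dc=peercoaching,dc=cn
objectClass: organizationalUnit

dn: uid=lidongxing,cn=admin,ou=Roles,dc=peercoaching,dc=cn
roles: cn=admin,ou=Roles,dc=peercoaching,dc=cn
objectClass: person
objectClass: uidObject
uid: lidongxing
cn: lidongxing
userPassword: lidongxing
enabled: TRUE
"""

def parse_ldif(text):
    """Minimal LDIF parser (no line folding, no base64) -> {dn: {attr: [values]}}."""
    entries, current = {}, None
    for line in text.splitlines():
        if not line.strip():          # a blank line ends the current entry
            current = None
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            current = defaultdict(list)
            entries[value.lower()] = current   # DNs compare case-insensitively
        elif current is not None:
            current[attr].append(value)
    return entries

DIRECTORY = parse_ldif(LDIF)

def bind_by_dn(prefix, suffix, username, password, entries=DIRECTORY):
    """Store model: bind DN = prefix + username + suffix, with no search at all."""
    entry = entries.get(f"{prefix}{username}{suffix}".lower())
    return entry is not None and password in entry.get("userpassword", [])

def bind_by_search(base, attr, username, password, entries=DIRECTORY):
    """Search-then-bind: find the entry by attribute under base, then check the password."""
    for dn, entry in entries.items():
        if dn.endswith(base.lower()) and username in entry.get(attr.lower(), []):
            return password in entry.get("userpassword", [])
    return False

# Assumed suffix: the article's layout expects users under ou=Person, but the posted
# entry lives under cn=admin,ou=Roles, so DN construction misses it while a uid search
# under the base DN still authenticates it.
SUFFIX = ",ou=Person,dc=peercoaching,dc=cn"
```

bind_by_dn("uid=", SUFFIX, "lidongxing", "lidongxing") is False, while bind_by_search("dc=peercoaching,dc=cn", "uid", "lidongxing", "lidongxing") is True; the store that builds the DN can only succeed when prefix, username and suffix spell the entry's real DN.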
I saw your detailed description of how to connect to the LDAP server, given the supplied LDAP schema.
I need to create a small LDAP administration tool and would like to use LdapIdentityStore as well. As I need to connect to an existing and running LDAP server, I am not allowed to change the schema nor the hierarchy of the entries. To give you an impression of the hierarchy, please see an excerpt of the LDAP schema below. The main difference to the schema presented by you is that there is a list of organizations in the level below the base DN, and the users are again one level below, within the different organizations. Roles (captured in objectClass) and users are not separated but on the same level:
# maincompany.at
dn: dc=maincompany,dc=at
dc: maincompany
objectClass: dcObject
objectClass: organization
o: maincompany

# admin, maincompany.at
dn: cn=admin,dc=maincompany,dc=at
objectClass: organizationalRole
cn: admin

# subcompany.at, maincompany.at
dn: o=subcompany.at,dc=maincompany,dc=at
gidNumber: 501
objectClass: companyOrganization
o: subcompany.at
cn: subcompany.at

# user1, subcompany.at, maincompany.at
dn: cn=user1,o=subcompany.at,dc=maincompany,dc=at
objectClass: posixAccount
objectClass: companyPerson
cn: user1.subcompany.at
cn: user1
uidNumber: 501
gidNumber: 501
uid: user1.subcompany.at

# user2, subcompany.at, maincompany.at
dn: cn=user2,o=subcompany.at,dc=maincompany,dc=at
objectClass: posixAccount
objectClass: companyPerson
cn: user2.subcompany.at
cn: user2
uidNumber: 502
gidNumber: 501
uid: user2.subcompany.at

# subcompany2.at, maincompany.at
dn: o=subcompany2.at,dc=maincompany,dc=at
gidNumber: 502
objectClass: companyOrganization
o: subcompany2.at
cn: subcompany2.at

# user1, subcompany2.at, maincompany.at
dn: cn=user1,o=subcompany2.at,dc=maincompany,dc=at
objectClass: posixAccount
objectClass: companyPerson
cn: user1.subcompany2.at
cn: user1
uidNumber: 503
gidNumber: 502
uid: user1.subcompany2.at
My components.xml is configured as follows:
<security:identity-manager identity-store="#{ldapIdentityStore}"/>

<!-- Original value user-DN-prefix="cn=", role-DN-prefix="netproRole=" -->
<security:ldap-identity-store
    server-address="192.168.0.19"
    bind-DN="cn=admin,dc=maincompany,dc=at"
    bind-credentials="secret"
    user-DN-prefix="uid="
    user-DN-suffix=""
    role-DN-prefix=""
    role-DN-suffix=""
    user-context-DN="dc=maincompany,dc=at"
    role-context-DN="dc=maincompany,dc=at"
    user-role-attribute="companyPerson"
    role-name-attribute=""
    user-object-classes="posixAccount,companyPerson"
    enabled-attribute="enabled"
/>
The element "<security:identity/>" is left out, as I want to use the default method for authentication.
The pages used are the ones created via the Seam Integration in Eclipse (JBossTools). When I try to logon I receive the following error message:
[SeamLoginModule] Error invoking login method
As I saw you seem to be quite deep in the topic, I thought you might be able to help me with my request.
Thanks a lot in advance!
Regards, Markus
Hi Shane,
I am trying to authenticate users against Windows Active Directory. I am following the security chapter in the Seam reference manual to configure the LDAP identity store in my components.xml file. Here are my components.xml and login.xhtml files.
<?xml version="1.0" encoding="UTF-8"?>
<components xmlns="http://jboss.com/products/seam/components"
            xmlns:core="http://jboss.com/products/seam/core"
            xmlns:persistence="http://jboss.com/products/seam/persistence"
            xmlns:drools="http://jboss.com/products/seam/drools"
            xmlns:bpm="http://jboss.com/products/seam/bpm"
            xmlns:security="http://jboss.com/products/seam/security"
            xmlns:mail="http://jboss.com/products/seam/mail"
            xmlns:web="http://jboss.com/products/seam/web"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
            xsi:schemaLocation=
                "http://jboss.com/products/seam/core http://jboss.com/products/seam/core-2.2.xsd
                 http://jboss.com/products/seam/persistence http://jboss.com/products/seam/persistence-2.2.xsd
                 http://jboss.com/products/seam/drools http://jboss.com/products/seam/drools-2.2.xsd
                 http://jboss.com/products/seam/bpm http://jboss.com/products/seam/bpm-2.2.xsd
                 http://jboss.com/products/seam/security http://jboss.com/products/seam/security-2.2.xsd
                 http://jboss.com/products/seam/mail http://jboss.com/products/seam/mail-2.2.xsd
                 http://jboss.com/products/seam/web http://jboss.com/products/seam/web-2.2.xsd
                 http://jboss.com/products/seam/components http://jboss.com/products/seam/components-2.2.xsd">

    <core:init debug="true" jndi-pattern="@jndiPattern@"/>

    <core:manager concurrent-request-timeout="500"
                  conversation-timeout="120000"
                  conversation-id-parameter="cid"
                  parent-conversation-id-parameter="pid"/>

    <!-- Make sure this URL pattern is the same as that used by the Faces Servlet -->
    <web:hot-deploy-filter url-pattern="*.seam"/>

    <persistence:entity-manager-factory name="entityManagerFactory"
                                        persistence-unit-name="user"/>

    <persistence:managed-persistence-context name="entityManager" auto-create="true"
                                             entity-manager-factory="#{entityManagerFactory}"/>

    <drools:rule-base name="securityRules">
        <drools:rule-files><value>/security.drl</value></drools:rule-files>
    </drools:rule-base>

    <security:rule-based-permission-resolver security-rules="#{securityRules}"/>

    <!--<security:identity authenticate-method="#{authenticator.authenticate}" remember-me="true" />-->

    <security:identity-manager identity-store="#{ldapIdentityStore}" />

    <security:ldap-identity-store name="ldapIdentityStore"
        server-address="intra.cogitate-it.com"
        server-port="389"
        bind-DN="CN=Administrator,CN=Users,DC=intra,DC=cogitate-it,DC=com"
        bind-credentials="W3lc0m3"
        user-DN-prefix="cn="
        user-name-attribute="cn"
        user-DN-suffix=",OU=HQ, OU=DEV, dc=intra, dc=cogitate-it, dc=com"
        user-context-DN="OU=HQ, OU=DEV, dc=intra, dc=cogitate-it, dc=com"
        user-object-classes="user" />

    <!-- newly added on 09-04-10-->
    <!-- <identity-management:jpa-identity-store name="identityStore" account-class="com.user.Customer"/> -->
    <!-- add ended-->

    <event type="org.jboss.seam.security.notLoggedIn">
        <action execute="#{redirect.captureCurrentView}"/>
    </event>
    <event type="org.jboss.seam.security.loginSuccessful">
        <action execute="#{redirect.returnToCapturedView}"/>
    </event>

    <mail:mail-session host="localhost" port="25"/>

    <!-- For use with jBPM pageflow or process management -->
    <!--
    <bpm:jbpm>
        <bpm:process-definitions></bpm:process-definitions>
        <bpm:pageflow-definitions></bpm:pageflow-definitions>
    </bpm:jbpm>
    -->

</components>

Login.xhtml

<!DOCTYPE composition PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<ui:composition xmlns="http://www.w3.org/1999/xhtml"
                xmlns:s="http://jboss.com/products/seam/taglib"
                xmlns:ui="http://java.sun.com/jsf/facelets"
                xmlns:f="http://java.sun.com/jsf/core"
                xmlns:h="http://java.sun.com/jsf/html"
                xmlns:rich="http://richfaces.org/rich"
                template="layout/templateLogin.xhtml">

    <ui:define name="body">
        <h:form id="loginForm">
            <rich:panel>
                <f:facet name="header">Login</f:facet>
                <p>Please login here</p>
                <div class="dialog">
                    <h:panelGrid columns="2" rowClasses="prop" columnClasses="name,value">
                        <h:outputLabel for="username">Username</h:outputLabel>
                        <h:inputText id="username" value="#{credentials.username}"/>
                        <h:outputLabel for="password">Password</h:outputLabel>
                        <h:inputSecret id="password" value="#{credentials.password}"/>
                        <h:outputLabel for="rememberMe">Remember me</h:outputLabel>
                        <h:selectBooleanCheckbox id="rememberMe" value="#{rememberMe.enabled}"/>
                    </h:panelGrid>
                </div>
                <!-- <p> <i>Note - </i> You may login with the username 'admin' and a blank password. </p>-->
            </rich:panel>
            <div class="actionButtons">
                <h:commandButton id="submit" value="Login" action="#{identity.login}"/>
            </div>
        </h:form>
    </ui:define>

</ui:composition>

I get the following error
Do I need to write a Seam component to authenticate, just like Authenticator.java? Please help me in solving my problem.
Thanks Vasuki