I am trying to set up an LDAP LoginModule (using BrowserLdapLoginModule). The user/password is correct; it retrieves the roles for the user, but when it tries to extract the CN value it cannot find the values.
I have followed the process, and in the end the failure is that I get a javax.naming.NameNotFoundException in the following line
NamingEnumeration roleAnswer = ctx.search(searchBaseDN, roleFilter, roleconstraints);
with the following values (double quotes not included):
- searchBaseDN(String) = “OU=Roles,DC=siafake,DC=aplssib”
- roleFilter(String) = “(distinguishedName=CN=Urgencias,OU=Roles,DC=siafake,DC=aplssib)”
- derefRoleAttribute(String[]) = { “cn” }
With that data, I expect the search to return me Urgencias, yet I only get the exception. It is not a permissions issue, since with the same user/password I can browse the LDAP tree without problem.
Any idea / suggestion? Thanks in advance.

Ok, here is the answer that I found (also, some clarifications regarding Terry Gardner's comments).
My sysadmins gave me user A (a “system” user that can connect and browse the LDAP). The user that will connect to my application would be user F (final user). When asked for samples to configure my JBoss, they redirected me to the BrowserLdapLoginModule (BLML).
Turns out, BLML works by doing an initial connection with user A, for retrieving user F data (full LDAP “name”).
After that, a new connection is set up using user F's connection data to validate user/password and retrieve the groups (memberOf attribute) to which it belongs. Up to this point, all works as it should (at least with our setup).
The trouble began when I set up the option to get just the “CN” value (instead of CN=value,OU=organization....). With this option set, the module tries to log in again as user F into the roles tree to get the attribute. But it happens that F does not have permissions to do so.
As the module was provided by our IT people and I am new to LDAP, I assumed I was just setting something up wrong, and I did not want to change anything in the code. In the end, it turns out that in the system that uses it, this module was used only for authentication; the roles were extracted from another DB, and I have been forced to code around this issue.
Sorry for the annoyances…
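One way to "code around" the issue the answer ends on, as an added example that is not part of the original post or of the JBoss module: derive the role name from the memberOf DN the user can already read, instead of issuing a second search as the end user against a roles subtree it has no access to. The parser and the sample memberOf values are assumptions constructed for the example (RFC 4514 string DNs, single-character backslash escapes).

```python
# Added example (not from the original post): extract the CN from a memberOf DN
# locally, so no second LDAP search is needed with the end user's credentials.
# Assumes RFC 4514 string DNs; \XX hex escapes and multi-valued (+) RDNs are
# not handled, which is enough for typical group DNs like the post's.
from typing import List, Tuple

def split_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (attribute, value) pairs, honouring backslash escapes so
    'CN=Doe\\, John,OU=Roles' stays a single RDN rather than two."""
    rdns: List[str] = []
    buf: List[str] = []
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn) and dn[i + 1] in ',=+<>#;"\\ ':
            buf.append(dn[i + 1])   # escaped special character: literal, no split
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    rdns.append("".join(buf))
    pairs = []
    for rdn in rdns:
        attr, _, value = rdn.partition("=")
        pairs.append((attr.strip().lower(), value.strip()))
    return pairs

def role_name(member_of: str, attr: str = "cn") -> str:
    """Return the value of the leading RDN when its type is `attr`,
    e.g. 'CN=Urgencias,OU=Roles,DC=siafake,DC=aplssib' -> 'Urgencias'."""
    pairs = split_dn(member_of)
    if not pairs or pairs[0][0] != attr.lower():
        raise ValueError(f"leading RDN of {member_of!r} is not {attr}")
    return pairs[0][1]

def roles_from_member_of(values: List[str]) -> List[str]:
    """Map every memberOf value of the authenticated user to its role name."""
    return [role_name(v) for v in values]

# Constructed sample: memberOf values as user F itself can read them.
SAMPLE_MEMBER_OF = [
    "CN=Urgencias,OU=Roles,DC=siafake,DC=aplssib",
    "CN=Admision\\, Turno B,OU=Roles,DC=siafake,DC=aplssib",
]
```

This relies on the role name being the leading RDN of the group DN; a group whose cn differs from its RDN value still needs a lookup by a principal that is allowed to read the roles subtree.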