Description
Please consider my pull request: https://github.com/apache/karaf/pull/44
When trying to configure LDAPLoginModule for use with Active Directory, I could not find a way with the current configuration to have the authorization work properly due to the use of the member attribute in AD. I saw the %fqdn in the code, but unfortunately that would not work properly when search subtree is set to true. I think %fqdn should actually be removed and replaced with my code, but I didn't want to touch it just in case. I put it in the 2.3.x branch as I want to see this make it into the next Fuse6.x release.
With this modification, the following example will work properly with Active Directory as the LDAP server.
<?xml version="1.0" encoding="UTF-8"?>
<blueprint xmlns="http://www.osgi.org/xmlns/blueprint/v1.0.0"
           xmlns:jaas="http://karaf.apache.org/xmlns/jaas/v1.0.0"
           xmlns:ext="http://aries.apache.org/blueprint/xmlns/blueprint-ext/v1.0.0">
    <jaas:config name="karaf" rank="2">
        <jaas:module className="org.apache.karaf.jaas.modules.ldap.LDAPLoginModule" flags="required">
            initialContextFactory=com.sun.jndi.ldap.LdapCtxFactory
            connection.username=fuseService@mdw.local
            connection.password=xxxxxxx
            connection.protocol=
            connection.url=ldap://dc01.mdw.local:389
            user.base.dn=ou=Users,ou=mdw,DC=mdw,DC=local
            user.filter=(sAMAccountName=%u)
            user.search.subtree=true
            role.base.dn=ou=Groups,ou=mdw,DC=mdw,DC=local
            role.name.attribute=cn
            role.filter=(member=%nsdn)
            role.search.subtree=true
            authentication=simple
        </jaas:module>
    </jaas:config>
</blueprint>
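As an added example (not code from Karaf or from the pull request), the Python below simulates the two-step lookup that the configuration above relies on, against a small constructed in-memory directory: find the user entry under user.base.dn, then substitute that entry's DN into role.filter and collect role.name.attribute from the matching groups. It assumes %nsdn expands to the full DN of the entry returned by the user search and %u to the login name; DIRECTORY, CONFIG, search and roles_for are names invented here. It also escapes every substituted value per RFC 4515, which the issue does not discuss but which matters as soon as a DN contains parentheses or a backslash.

```python
import re
from typing import Any, Dict, List, Tuple

# Constructed sample directory (DN -> attributes). Alice sits in a sub-OU
# below user.base.dn, so only a subtree search finds her entry, and her
# real DN is not simply user.base.dn with an RDN prepended.
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "CN=Alice Smith,ou=Staff,ou=Users,ou=mdw,DC=mdw,DC=local": {
        "sAMAccountName": ["asmith"]},
    "CN=Bob (Admin),ou=Users,ou=mdw,DC=mdw,DC=local": {
        "sAMAccountName": ["badmin"]},
    "CN=karaf-admin,ou=Groups,ou=mdw,DC=mdw,DC=local": {
        "cn": ["karaf-admin"],
        "member": ["CN=Alice Smith,ou=Staff,ou=Users,ou=mdw,DC=mdw,DC=local",
                   "CN=Bob (Admin),ou=Users,ou=mdw,DC=mdw,DC=local"]},
    "CN=karaf-viewer,ou=Groups,ou=mdw,DC=mdw,DC=local": {
        "cn": ["karaf-viewer"],
        "member": ["CN=Alice Smith,ou=Staff,ou=Users,ou=mdw,DC=mdw,DC=local"]},
}

# Mirrors the search-related properties from the blueprint in the issue.
CONFIG: Dict[str, Any] = {
    "user.base.dn": "ou=Users,ou=mdw,DC=mdw,DC=local",
    "user.filter": "(sAMAccountName=%u)",
    "user.search.subtree": True,
    "role.base.dn": "ou=Groups,ou=mdw,DC=mdw,DC=local",
    "role.name.attribute": "cn",
    "role.filter": "(member=%nsdn)",
    "role.search.subtree": True,
}


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: a DN containing '(', ')', '*' or '\\' (AD allows
    them in a CN) must not be able to change the structure of the filter."""
    special = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
    return "".join(special.get(ch, ch) for ch in value)


PLACEHOLDER = re.compile(r"%([A-Za-z]+)")


def expand_filter(template: str, values: Dict[str, str]) -> str:
    """Substitute %placeholders in a single pass; every inserted value is
    escaped, so a value can never introduce a further placeholder or paren."""
    return PLACEHOLDER.sub(lambda m: escape_filter_value(values[m.group(1)]), template)


EQUALITY = re.compile(r"^\((\w+)=(.*)\)$")


def _unescape(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def search(base_dn: str, subtree: bool, filt: str) -> List[str]:
    """Toy evaluator for one equality filter over DIRECTORY, honouring the
    one-level/subtree scope and rejecting unescaped parentheses in the value."""
    m = EQUALITY.match(filt)
    if m is None or "(" in m.group(2) or ")" in m.group(2):
        raise ValueError(f"malformed filter: {filt}")
    attr, wanted = m.group(1), _unescape(m.group(2))
    hits = []
    for dn, attrs in DIRECTORY.items():
        if not dn.endswith("," + base_dn):
            continue
        rdns_below_base = dn[: -len(base_dn) - 1].count(",") + 1
        if not subtree and rdns_below_base != 1:
            continue  # one-level scope: only direct children of the base
        if wanted in attrs.get(attr, []):
            hits.append(dn)
    return hits


def roles_for(login: str, config: Dict[str, Any] = CONFIG) -> Tuple[str, List[str]]:
    """Step 1: locate the user entry. Step 2: expand role.filter with that
    entry's DN (%nsdn) and read role.name.attribute from each matching group."""
    users = search(config["user.base.dn"], config["user.search.subtree"],
                   expand_filter(config["user.filter"], {"u": login}))
    if len(users) != 1:
        raise LookupError(f"expected one entry for {login!r}, found {len(users)}")
    user_dn = users[0]
    groups = search(config["role.base.dn"], config["role.search.subtree"],
                    expand_filter(config["role.filter"], {"nsdn": user_dn}))
    name_attr = config["role.name.attribute"]
    return user_dn, sorted(DIRECTORY[g][name_attr][0] for g in groups)


if __name__ == "__main__":
    for login in ("asmith", "badmin"):
        print(login, "->", roles_for(login))
```

Running it shows that asmith resolves to both groups only because the user search is a subtree search that returns her actual DN; with user.search.subtree switched off she is never found, which is the situation the issue describes. The escaping step is what keeps a DN such as Bob's, with parentheses in the CN, from producing a malformed or restructured role filter.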