2.4.2.3. Defining Role Search
The AdvancedLdapLoginModule passes the properties that define the search for a particular user and its roles to the LDAP server.
Important
The following role search settings are similar to the LdapExtLoginModule settings; however, the recursion now finds the roles listed within a DN.
- rolesCtxDN: defines the fixed DN of the context to search for user roles. Note that this is not the Distinguished Name of the location where the actual roles are, but the DN of the location where the objects containing the user roles are (for Active Directory, this is the DN where the user account is).
- roleFilter: defines the search filter used to locate the roles of the authenticated user. The input username/userDN as obtained from the login module callback substitutes the {0} expression in the filter definition. The authenticated userDN substitutes the {1} expression in the filter definition. An example search filter that matches the input username is (member={0}). An alternative that matches the authenticated userDN is (member={1}).
  Note
  If you omit the roleFilter attribute, the role search uses the userDN as the DN from which to obtain the roleAttributeID value.
- roleAttributeID: defines the name of the role attribute of the context that corresponds to the name of the role. If the roleAttributeIsDN property is set to true, this property is the DN of the context to query for the roleNameAttributeID attribute. If the roleAttributeIsDN property is set to false, this property is the attribute name of the role name.
- roleAttributeIsDN: defines whether the role attribute contains the fully distinguished name of a role object or the role name. If false, the role name is taken from the value of the user's role attribute. If true, the role attribute represents the distinguished name of a role object, and the role name is taken from the value of the roleNameAttributeID attribute of the corresponding object. In certain directory schemas (for example, Microsoft Active Directory), role (group) attributes in the user object are stored as DNs of role objects and not as simple names. In such a case, set this property to true. The default value of this property is false.
- roleNameAttributeID: defines the role attribute of the context which corresponds to the name of the role. If the roleAttributeIsDN property is set to true, this property is used to find the name attribute of the role object. If the roleAttributeIsDN property is set to false, this property is ignored.
- recurseRoles: defines whether the recursive role search is enabled. The login module tracks already added roles to handle cyclic references.
- searchScope: limits the search scope to one of the following (the default value is SUBTREE_SCOPE):
  - OBJECT_SCOPE - searches the named roles context only.
  - ONELEVEL_SCOPE - searches directly in the named roles context.
  - SUBTREE_SCOPE - searches only the object if the roles context is not a DirContext. If the roles context is a DirContext, the subtree rooted at the named object and the named object itself are searched.
- searchTimeLimit: defines the timeout for the user/role searches in milliseconds (defaults to 10000, that is, 10 seconds).
Note
Both searches use the same searchTimeLimit setting.
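The following is an added worked example (not JBoss code and not from this guide) that models how the role-search options above combine. A constructed in-memory dictionary stands in for the LDAP server, every DN and attribute value in it is sample data, only a single (attr=value) filter is supported, and searchTimeLimit is not modelled. It shows the {0}/{1} substitution in roleFilter, the difference between roleAttributeIsDN=true (follow the DN, read roleNameAttributeID) and false (the attribute value is the role name), the omitted-roleFilter case, each searchScope value, and how recurseRoles terminates on a cyclic group reference.

```python
"""Model of how AdvancedLdapLoginModule role-search options combine.

Added illustration, not JBoss code: an in-memory dictionary replaces the
LDAP server, and all DNs and attribute values are constructed sample data.
Only the option names are the module's; the search logic is a small re-implementation.
"""
import re

# Constructed sample entries (Active Directory style: a user's memberOf holds
# group DNs, and groups nest through their own memberOf).
USERS = "CN=Users,DC=example,DC=com"
GROUPS = "CN=Groups,DC=example,DC=com"
ALICE = f"CN=alice,{USERS}"
DEVS = f"CN=Developers,{GROUPS}"
ENG = f"CN=Engineering,{GROUPS}"
ADMINS = "cn=admins,OU=Roles,DC=example,DC=com"

DIRECTORY: dict[str, dict[str, list[str]]] = {
    ALICE: {"sAMAccountName": ["alice"], "memberOf": [DEVS]},
    DEVS: {"cn": ["Developers"], "memberOf": [ENG]},
    ENG: {"cn": ["Engineering"], "memberOf": [DEVS]},  # cycle back to Developers
    ADMINS: {"cn": ["admins"], "member": [ALICE]},     # plain group listing its members
}

_FILTER = re.compile(r"^\(([\w.-]+)=(.+)\)$")  # single (attr=value) filters only


def parent_dn(dn: str) -> str:
    """Parent of a DN; naive split that assumes no escaped commas (sample data only)."""
    return dn.split(",", 1)[1] if "," in dn else ""


def search_context(ctx_dn: str, scope: str, attr: str, value: str) -> list[str]:
    """Return DNs within ctx_dn (per searchScope) whose attr contains value."""
    ctx = ctx_dn.lower()
    hits = []
    for dn, attrs in DIRECTORY.items():
        d = dn.lower()
        if scope == "OBJECT_SCOPE":
            in_scope = d == ctx
        elif scope == "ONELEVEL_SCOPE":
            in_scope = parent_dn(d) == ctx
        elif scope == "SUBTREE_SCOPE":
            in_scope = d == ctx or d.endswith("," + ctx)
        else:
            raise ValueError(f"unknown searchScope: {scope}")
        if in_scope and value in attrs.get(attr, []):
            hits.append(dn)
    return hits


def _collect(dn: str, opts: dict, roles: set[str], seen: set[str]) -> None:
    """Read roleAttributeID from one entry and, when it holds DNs, follow them."""
    for val in DIRECTORY.get(dn, {}).get(opts["roleAttributeID"], []):
        if not opts.get("roleAttributeIsDN", False):
            roles.add(val)       # attribute value is the role name itself
            continue
        if val in seen:          # already added: stops cyclic references
            continue
        seen.add(val)
        roles.update(DIRECTORY.get(val, {}).get(opts["roleNameAttributeID"], []))
        if opts.get("recurseRoles", False):
            _collect(val, opts, roles, seen)


def resolve_roles(opts: dict, username: str, user_dn: str) -> set[str]:
    """Role names the module would assign under the given role-search options."""
    roles: set[str] = set()
    seen: set[str] = set()
    if "roleFilter" not in opts:
        starts = [user_dn]   # no roleFilter: read roleAttributeID from the userDN entry
    else:
        filt = opts["roleFilter"].replace("{0}", username).replace("{1}", user_dn)
        m = _FILTER.match(filt)
        if not m:
            raise ValueError(f"unsupported filter in this model: {filt}")
        starts = search_context(opts["rolesCtxDN"],
                                opts.get("searchScope", "SUBTREE_SCOPE"),
                                m.group(1), m.group(2))
    for dn in starts:
        _collect(dn, opts, roles, seen)
    return roles


# Active Directory style: memberOf holds group DNs; the name is the group's cn.
AD_OPTIONS = {
    "rolesCtxDN": USERS,
    "roleFilter": "(sAMAccountName={0})",
    "roleAttributeID": "memberOf",
    "roleAttributeIsDN": True,
    "roleNameAttributeID": "cn",
    "recurseRoles": True,
}

# Plain group style: groups list the userDN in member; the name is the group's cn.
GROUP_OPTIONS = {
    "rolesCtxDN": "OU=Roles,DC=example,DC=com",
    "roleFilter": "(member={1})",
    "roleAttributeID": "cn",
    "roleAttributeIsDN": False,
}

if __name__ == "__main__":
    print(sorted(resolve_roles(AD_OPTIONS, "alice", ALICE)))    # ['Developers', 'Engineering']
    print(sorted(resolve_roles(GROUP_OPTIONS, "alice", ALICE)))  # ['admins']
```

With recurseRoles set to true the Developers/Engineering cycle in the sample data is visited once and the search stops; with it false, only the group named directly in the user's memberOf is returned. Changing searchScope to OBJECT_SCOPE with rolesCtxDN pointing at the Users container yields no roles at all, because the container itself is then the only entry examined.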