I'm using a federated repository in WAS v8.0.0.5. That federated repo contains a JDBC repo, 3 Active Directory LDAP repos, and a file-based repo. The repos are set to a realm and domain, which is used by a Java EE 6 enterprise application. I'm implementing Java EE 6 Security, specifically Servlet Spec 3.0 authentication.
Within the app, I'm able to log in and authenticate users from all of the repos, however I cannot obtain the user's role for all of the repos except the JDBC repo. Specifically, I mean using Servlet Spec 3.0's request.isUserInRole(). The correct groups and users appear within WAS's Admin Console (VMM). I'm mapping groups to application roles via the .ear project's ibm-application-bnd.xml. I've checked the spelling/spaces of the mappings. Everything is correct. I've checked the .war project's web.xml too for any typos. Everything looks fine. Since the JDBC repo works with no problems, I've compared its .ear and .war role-to-group mappings to the LDAP mappings.
I've discovered that if I map specific users to groups in ibm-application-bnd.xml for the LDAP repos, the users' roles can then be confirmed. This indicates to me that there's something wrong with my mapping configuration between Active Directory Users and Groups.
As far as config goes, I'll talk about 1 of the LDAP repos:
I have Group defined in LDAP entity types as being mapped to Object Classes group;groupOfNames;groupOfUniqueNames (I think group is just needed, but I've been trying anything to figure this out).
PersonAccount is mapped to the Object Class user.
Out of desperation, I've also created a Supported LDAP attribute named memberOf and mapped it to the PersonAccount entity type.
As far as the Group attribute definition, I've set "Name of group membership attribute" to "memberof" and specified a scope of "Direct". I also tried "memberOf", which didn't change anything.
Using Apache Directory Studio to browse Active Directory, I can confirm that user and group are the two object classes I'm seeking.
Can someone please shed some light on what I have wrong with the config?
It took me a while, but I finally figured it out!
I needed to declare an access-id attribute within the group tag in ibm-application-bnd.xml.
Within the WAS admin console, click on Security --> Security domains --> Your domain --> Expand User Realm (Customize for this domain should be selected) --> and click on Manage users. You'll see a list of all your groups, whether they're groups resulting from a JDBC Custom User Registry, LDAP repo, or flat-file repo.
You want to use the Unique Name field for your LDAP repos. Copy that name and then paste it into your ibm-application-bnd.xml like so:
<security-role name="ADMIN">
<group name="SomeArbitraryGroupName" access-id="group:yourRealm/CN=SomeArbitraryGroupName,OU=Groups,OU=SomeDivision,OU=SomeLocation,o=distinguishedNameOfABaseEntry"/>
</security-role>
If there's a better way to accomplish this task, that would be great to know. Otherwise, I hope that this post helps others out there weeding through IBM's obfuscated, missing, and/or scattered documentation on this subject.
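As an added example (not from the original post or from IBM), here is what a complete ibm-application-bnd.xml looks like when it follows the answer above: a name-only group binding as the poster had for the JDBC repo, next to LDAP-backed bindings that carry the realm-qualified Unique Name in access-id. The realm name, group names and DNs are placeholders, and the user access-id form "user:realm/uniqueName" is an assumption modelled on the group form shown in the answer.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<application-bnd xmlns="http://websphere.ibm.com/xml/ns/javaee"
                 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                 xsi:schemaLocation="http://websphere.ibm.com/xml/ns/javaee
                                     http://websphere.ibm.com/xml/ns/javaee/ibm-application-bnd_1_0.xsd"
                 version="1.0">

  <!-- Name-only binding: resolved fine for the poster's JDBC repo,
       but did NOT resolve for groups coming from the AD LDAP repos. -->
  <security-role name="USER">
    <group name="AppUsers"/>
  </security-role>

  <!-- LDAP-backed binding: access-id is "group:" + realm + "/" + the group's
       Unique Name exactly as shown under Manage users in the admin console.
       Placeholder realm and DN; substitute your own values. -->
  <security-role name="ADMIN">
    <group name="WebAdmins"
           access-id="group:yourRealm/CN=WebAdmins,OU=Groups,OU=SomeDivision,OU=SomeLocation,o=distinguishedNameOfABaseEntry"/>
  </security-role>

  <!-- Several LDAP groups from different AD repos can map to one role;
       each carries the DN from its own repository. -->
  <security-role name="AUDITOR">
    <group name="SecurityAuditors"
           access-id="group:yourRealm/CN=SecurityAuditors,OU=Groups,OU=OtherDivision,o=distinguishedNameOfABaseEntry"/>
    <!-- Assumed user form, mirroring the group form; verify the Unique Name in the console first. -->
    <user name="jdoe"
          access-id="user:yourRealm/CN=jdoe,OU=Users,OU=SomeDivision,o=distinguishedNameOfABaseEntry"/>
  </security-role>

  <!-- Special subject: no registry lookup involved, so no access-id needed. -->
  <security-role name="AUTHENTICATED">
    <special-subject type="ALL_AUTHENTICATED_USERS"/>
  </security-role>
</application-bnd>
```

Each role name here must also be declared as a <security-role><role-name>...</role-name></security-role> in the .war's web.xml before request.isUserInRole() will report it.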