LDAP Login Module Not Flexible Enough
It would be nice if the LDAPLoginModule allowed:
- Single bind (No user search)
- Authentication without authorization
I'm working with an existing LDAP server which I don't have control over. It doesn't allow anonymous binds and I don't have a special user just for making the initial bind and doing the search. Each user's account is privileged enough to bind and search LDAP. In my scenario it seems like the user search part is unnecessary. I wanted to use GlassFish container managed security with JAAS, so I've got a proof of concept working by using my personal account for the values in search-bind-dn and search-bind-password. This obviously isn't going into production like that though!
Another smaller issue is that my application only has two roles: a user and an admin. These roles are application specific, so there are no groups in LDAP that I'm going to map to these roles. I just use the assign-groups configuration setting so that all users who authenticate successfully are given the user role. I call out specifically the one guy who is the application admin in the sun-web.xml. In my scenario the group lookup in LDAP is a waste (but it appears not to break anything, hence the smaller issue).
It looks like I might have to create my own Realm and LoginModule to get around these two issues. However, my problems may just be a misunderstanding so please advise.
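For readers following this request, here is what the "single bind, no user search" flow asked for above looks like in plain JNDI. This is an added illustration, not code from the poster and not GlassFish's LDAPRealm or LDAPLoginModule; the server URL, the DN template, the role names and the admin account name are assumptions. The user's own credentials perform the one bind, and that bind is the authentication; the two application roles are then assigned statically, the way assign-groups plus a sun-web.xml principal mapping would. The two checks before the bind matter in practice: the uid is whitelisted so it cannot rewrite the DN, and an empty password is rejected because a bind with a DN and no password is an "unauthenticated" bind (RFC 4513) that some directories still report as success.

```java
import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

/**
 * Single-bind LDAP authentication: no service account, no user search.
 * Added example for this discussion; not GlassFish code.
 */
public final class SingleBindLdapAuthenticator {

    // Assumed values; substitute your directory's URL and DN layout.
    private static final String LDAP_URL = "ldaps://ldap.example.com:636";
    private static final String USER_DN_TEMPLATE = "uid=%s,ou=people,dc=example,dc=com";

    // Application-specific roles as described in the post: every
    // authenticated user gets "user"; one named account also gets "admin".
    // The account name is an assumption.
    private static final String ADMIN_UID = "appadmin";

    /**
     * Returns the roles for the user, or null if authentication failed.
     * Throws IllegalStateException if the directory cannot be reached,
     * so an outage is not mistaken for a bad password.
     */
    public static String[] authenticate(String uid, char[] password) {
        // Whitelist the uid so it cannot inject extra RDNs into the DN.
        if (uid == null || uid.isEmpty() || !uid.matches("[A-Za-z0-9._-]+")) {
            return null;
        }
        // RFC 4513: DN + empty password is an "unauthenticated" bind, which
        // some servers accept. Never let that count as a login.
        if (password == null || password.length == 0) {
            return null;
        }

        String dn = String.format(USER_DN_TEMPLATE, uid);
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, LDAP_URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, dn);
        env.put(Context.SECURITY_CREDENTIALS, new String(password));

        DirContext ctx = null;
        try {
            // Creating the context performs the bind; success means the
            // directory accepted this DN with this password.
            ctx = new InitialDirContext(env);
            return uid.equals(ADMIN_UID)
                    ? new String[] {"user", "admin"}
                    : new String[] {"user"};
        } catch (AuthenticationException e) {
            // Wrong password or unknown DN (LDAP resultCode 49 covers both).
            return null;
        } catch (NamingException e) {
            throw new IllegalStateException("LDAP unavailable: " + e.getMessage(), e);
        } finally {
            if (ctx != null) {
                try { ctx.close(); } catch (NamingException ignored) { }
            }
        }
    }
}
```

Wrapping this in a JAAS LoginModule is the remaining step for GlassFish integration; the authentication itself is the single bind shown here, with no search and no second credential to protect.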