[OTDev] AA

Andreas Maunz andreas at maunz.de
Thu Jun 17 17:01:54 CEST 2010


This

chung wrote on 06/17/2010 04:44 PM:
>          <Subjects name="mySubjects" description="">
>              <Subject name="YAQPservice" type="LDAPUsers"
> includeType="inclusive">
>                  <AttributeValuePair>
>                      <Attribute name="Values"/>
>                      <Value>uid=YAQPservice, ou=groups,
> dc=opentox,dc=org</Value>
>                  </AttributeValuePair>
>              </Subject>
>              <Subject name="Sopasakis" type="LDAPUsers"
> includeType="inclusive">
>                  <AttributeValuePair>
>                      <Attribute name="Values"/>
>                      <Value>uid=Sopasakis, ou=groups,
> dc=opentox,dc=org</Value>
>                  </AttributeValuePair>
>              </Subject>
>          </Subjects>

is wrong. For example:

>              <Subject name="YAQPservice" type="LDAPUsers"
> includeType="inclusive">
>                  <AttributeValuePair>
>                      <Attribute name="Values"/>
>                      <Value>uid=YAQPservice, ou=groups,
> dc=opentox,dc=org</Value>
>                  </AttributeValuePair>
>              </Subject>

I guess it's like that:

In your version, upon authorization, OpenSSO looks for the token user, 
identified by attribute "uid", in the LDAP branch "ou=groups, 
dc=opentox,dc=org". There are no users in that branch, so no user 
"YAQPService" also.

If you had specified "LDAPGroups", upon authorization, OpenSSO will look 
for membership of the token user in a group called "YAQPService". 
Furthermore, this group is identified by attribute "uid". This fails 
because all groups are identified by "cn", not "uid". Even if you had 
specified "cn", there is no group "YAQPService".

Regards
Andreas
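A small lint for the policy fragment discussed above, as an added example that is not part of the original thread or of OpenSSO itself. It parses the quoted `<Subjects>` XML and flags the two mismatches Andreas describes: an `LDAPUsers` subject whose `<Value>` DN sits under `ou=groups` (no users live there), and an `LDAPGroups` subject whose DN names the group by `uid=` instead of `cn=`. The sample XML is the block quoted in the thread; the "corrected" variant using `type="LDAPGroups"` with `cn=YAQPservice` is a constructed illustration of the conventions the mail states, not a group known to exist in the OpenTox directory. The branch conventions (`uid` for user RDNs, `cn` for group RDNs, `ou=groups` as the group branch) are taken from the mail; everything else is assumed.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the <Subjects> block quoted in the thread.
POLICY_XML = """
<Subjects name="mySubjects" description="">
    <Subject name="YAQPservice" type="LDAPUsers" includeType="inclusive">
        <AttributeValuePair>
            <Attribute name="Values"/>
            <Value>uid=YAQPservice, ou=groups, dc=opentox,dc=org</Value>
        </AttributeValuePair>
    </Subject>
    <Subject name="Sopasakis" type="LDAPUsers" includeType="inclusive">
        <AttributeValuePair>
            <Attribute name="Values"/>
            <Value>uid=Sopasakis, ou=groups, dc=opentox,dc=org</Value>
        </AttributeValuePair>
    </Subject>
</Subjects>
"""

# Constructed "corrected" variant: a group subject named by cn under ou=groups.
# Hypothetical: the thread states no such group exists yet.
CORRECTED_XML = """
<Subjects name="mySubjects" description="">
    <Subject name="YAQPservice" type="LDAPGroups" includeType="inclusive">
        <AttributeValuePair>
            <Attribute name="Values"/>
            <Value>cn=YAQPservice, ou=groups, dc=opentox,dc=org</Value>
        </AttributeValuePair>
    </Subject>
</Subjects>
"""

# Conventions stated in the mail; assumed to hold for the whole directory.
USER_RDN_ATTR = "uid"          # users are identified by uid=
GROUP_RDN_ATTR = "cn"          # groups are identified by cn=
GROUP_BRANCH = ("ou", "groups")  # branch that holds groups, not users


def parse_dn(dn):
    """Split a DN into (attribute, value) pairs, outermost RDN first.

    Good enough for the simple DNs in the policy; does not handle
    escaped commas in values.
    """
    rdns = []
    for part in dn.split(","):
        attr, _, value = part.strip().partition("=")
        rdns.append((attr.strip().lower(), value.strip()))
    return rdns


def check_subjects(xml_text):
    """Return a list of (subject name, problem) for subjects that can never match."""
    root = ET.fromstring(xml_text)
    findings = []
    for subject in root.iter("Subject"):
        name = subject.get("name")
        stype = subject.get("type")
        for value in subject.iter("Value"):
            rdns = parse_dn(value.text or "")
            if not rdns:
                continue
            rdn_attr, _ = rdns[0]
            parents = rdns[1:]
            if stype == "LDAPUsers":
                if rdn_attr != USER_RDN_ATTR:
                    findings.append((name, f"LDAPUsers DN names the user by {rdn_attr}=, expected {USER_RDN_ATTR}="))
                if GROUP_BRANCH in parents:
                    findings.append((name, "LDAPUsers DN is under ou=groups; no users are found in that branch"))
            elif stype == "LDAPGroups":
                if rdn_attr != GROUP_RDN_ATTR:
                    findings.append((name, f"LDAPGroups DN names the group by {rdn_attr}=, expected {GROUP_RDN_ATTR}="))
    return findings


if __name__ == "__main__":
    for subject_name, problem in check_subjects(POLICY_XML):
        print(f"{subject_name}: {problem}")
    print("corrected variant findings:", check_subjects(CORRECTED_XML))
```

Run against the quoted policy it reports both subjects; run against the corrected variant it reports nothing. The useful property for a policy author is that a subject which can never match is detected before the policy is deployed, rather than showing up as a silent "deny" at authorization time.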
