Version 5

    login-config.xml for OSX OpenDirectory

    If you're looking to deploy a JBoss server on OS X and wish to use the OpenDirectory user accounts for authentication, here is an example application-policy to add to your login-config.xml.

    NOTE: you will need to change the following:

    java.naming.provider.url - the LDAP URL of your OS X server (the example below uses ldap://ldap.domain.org:389/)

    baseCtxDN - your LDAP search base (you'll find this in Server Admin / OpenDirectory)

    rolesCtxDN - your LDAP search base prefixed with cn=groups

    The rest should just work. You'll be able to connect to this via JAAS.

    If you're using Seam then you need to add the following to your components.xml (the authenticate-method value is a Seam EL expression, so it needs the leading #):

    <security:identity authenticate-method="#{authenticator.authenticate}" jaas-config-name="osx" />

       <application-policy name="osx">
          <authentication>
             <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
                <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
                <module-option name="java.naming.provider.url">ldap://ldap.domain.org:389/</module-option>
                <module-option name="java.naming.security.authentication">simple</module-option>
                <module-option name="baseCtxDN">dc=domain,dc=org</module-option>
                <module-option name="baseFilter">(Uid={0})</module-option>
                <module-option name="rolesCtxDN">cn=groups,dc=domain,dc=org</module-option>
                <module-option name="roleFilter">(memberUid={0})</module-option>
                <module-option name="roleAttributeIsDN">false</module-option>
                <module-option name="roleAttributeID">cn</module-option>
                <module-option name="roleRecursion">1</module-option>
                <module-option name="searchTimeLimit">5000</module-option>
                <module-option name="searchScope">SUBTREE_SCOPE</module-option>
             </login-module>
          </authentication>
       </application-policy>
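    As an added illustration (not part of this page or of the JBoss code), the following Python simulates the lookup sequence LdapExtLoginModule performs with the options above against a constructed in-memory directory; the DIRECTORY entries, usernames and passwords are made up, and roleRecursion is not modelled.

```python
import re

# Constructed sample entries, shaped like OpenDirectory's posixAccount/posixGroup records.
DIRECTORY = [
    {"dn": "uid=alice,cn=users,dc=domain,dc=org", "uid": ["alice"], "userPassword": ["s3cret"]},
    {"dn": "uid=bob,cn=users,dc=domain,dc=org", "uid": ["bob"], "userPassword": ["hunter2"]},
    {"dn": "cn=admin,cn=groups,dc=domain,dc=org", "cn": ["admin"], "memberUid": ["alice"]},
    {"dn": "cn=staff,cn=groups,dc=domain,dc=org", "cn": ["staff"], "memberUid": ["alice", "bob"]},
]

# The module-options from the application-policy above. baseFilter is written as (uid={0})
# because LDAP attribute names are case-insensitive on a real server but this mock is not.
OPTIONS = {
    "baseCtxDN": "dc=domain,dc=org",
    "baseFilter": "(uid={0})",
    "rolesCtxDN": "cn=groups,dc=domain,dc=org",
    "roleFilter": "(memberUid={0})",
    "roleAttributeID": "cn",
}


def escape_filter_value(value):
    """RFC 4515 escaping of a filter assertion value, so a username like 'a*' stays a literal."""
    return "".join(c if c not in "\\*()\0" else "\\%02x" % ord(c) for c in value)


def subtree_search(base_dn, filter_str):
    """Minimal SUBTREE_SCOPE search supporting a single (attr=value) equality filter."""
    attr, _, raw = filter_str.strip("()").partition("=")
    value = re.sub(r"\\([0-9a-f]{2})", lambda m: chr(int(m.group(1), 16)), raw)
    return [e for e in DIRECTORY
            if e["dn"].lower().endswith(base_dn.lower()) and value in e.get(attr, [])]


def authenticate(username, password):
    """Return (user DN, sorted role names) on success, None on failure."""
    # Step 1: locate the user entry under baseCtxDN using baseFilter ({0} = username).
    users = subtree_search(OPTIONS["baseCtxDN"],
                           OPTIONS["baseFilter"].replace("{0}", escape_filter_value(username)))
    if len(users) != 1:
        return None
    user_dn = users[0]["dn"]
    # Step 2: the real module binds as user_dn with the supplied password; simulated here.
    if password not in users[0].get("userPassword", []):
        return None
    # Step 3: collect roleAttributeID values from groups under rolesCtxDN matching roleFilter.
    groups = subtree_search(OPTIONS["rolesCtxDN"],
                            OPTIONS["roleFilter"].replace("{0}", escape_filter_value(username)))
    roles = sorted(v for g in groups for v in g.get(OPTIONS["roleAttributeID"], []))
    return user_dn, roles
```

    Note that the policy above uses simple authentication over ldap:// on port 389, so the user's password crosses the network in clear text unless the connection is protected with ldaps:// or TLS.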