
    Hello, dears.


    Thank you for reading my question.

    In my JBoss EAP 6.4.0 I have successfully set up an LDAP connection to MS Active Directory (port 636, ldaps) for http-management.

    LDAP authentication works fine; RBAC was also set up successfully. So the appropriate domain users can log in to the JBoss Administration Console with their domain accounts. It seems all is ok.

    Diving deeper into the LDAP connection configuration, I can say that there is a special account in MS Active Directory which was created for JBoss to connect to LDAP, named "jaas-jboss-user". This account is used by JBoss EAP to connect to LDAP for authentication and authorization (LDAP group loading). So in spite of the fact that any user enters his domain login/password (to log in to the JBoss console), JBoss EAP uses the special account "jaas-jboss-user" for authentication and LDAP group loading. So the LDAP outbound connection looks like below:


    <outbound-connections>
      <ldap name="ldapS_connection" url="ldaps://xxx.xxx.xxx:636 ldaps://xxx.xxx.xxx:636" search-dn="CN=jaas-jboss-user,CN=xxx,DC=xxx,DC=xxx,DC=xxx" search-credential="${VAULT::VAULT_BLOCK::LDAP_account_pwd::1}"/>
    </outbound-connections>


    You see that "jaas-jboss-user" is in use by JBoss EAP to connect to LDAP. At the same time people use their domain logins/passwords to connect to the JBoss Administration Console. I need to remove "jaas-jboss-user" from the configuration completely and use the domain users' logins/passwords (which are entered by the users at login time to the console) for authentication / authorization purposes. So I changed the configuration:

    <authentication>
        <truststore path="/......jks" keystore-password="${VAULT::VAULT_BLOCK_TRUSTSTORE::Truststore_pwd::1}"/>
        <ldap connection="ldapS_connection" base-dn="DC=core,DC=bta,DC=kz" recursive="true">
            <!-- username-filter attribute="saMAccountName"/-->
            <advanced-filter filter="(&amp;(sAMAccountName={0}))"/>
        </ldap>
    </authentication>

    So with this config JBoss must send the entered user login to LDAP.

    The main question is: how can I send the user password to LDAP? I tried like below but failed:

    <outbound-connections>
        <ldap name="ldapS_connection" url="ldaps://xxx.xxx.xxx:636 ldaps://xxx.xxx.xxx:636" search-dn="CN='sAMAccountName={0}',DC=xxx,DC=xxx,DC=xx" search-credential="(&amp;(password={1}))"/>
    </outbound-connections>

    I have tried many expressions for search-credential but with no result.

    Could you please advise me how to send the entered user password to AD?

    Thank you,

    T.K.
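Added example, not code from the original post or from JBoss EAP, showing the search-then-bind pattern that LDAP login against Active Directory uses: the service account (the post's "jaas-jboss-user") binds over LDAPS and searches for the entry whose sAMAccountName matches the login, and the password the user typed is then checked by a second bind as the DN that was found. The password is never spliced into a search filter or a search-credential string, and the login is passed as a filter argument so it is escaped. The host name, the DNs, the environment variable standing in for the vault expression, and the CN=Users container are assumptions; the post masks the real values as xxx.

```java
import java.io.Console;
import java.util.Arrays;
import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

/** Search-then-bind against Active Directory over LDAPS (illustrative, not JBoss EAP code). */
public class LdapSearchThenBind {

    // Assumed values: the post masks the real host and DNs as xxx.
    private static final String LDAP_URL   = "ldaps://ad.example.internal:636";
    private static final String SERVICE_DN = "CN=jaas-jboss-user,CN=Users,DC=example,DC=internal";
    private static final String BASE_DN    = "DC=example,DC=internal";
    // Assumed stand-in for the vault expression ${VAULT::VAULT_BLOCK::LDAP_account_pwd::1}.
    private static final String SERVICE_PWD_ENV = "JAAS_JBOSS_USER_PWD";

    /** Simple bind as the given DN; the directory, not this code, checks the password. */
    static DirContext bind(String principalDn, char[] password) throws NamingException {
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, LDAP_URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, principalDn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        // The JVM truststore (-Djavax.net.ssl.trustStore) plays the role of the realm's <truststore>.
        return new InitialDirContext(env);
    }

    /** Step 1: with the service account's context, resolve the login to exactly one DN. */
    static String findUserDn(DirContext serviceCtx, String login) throws NamingException {
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.SUBTREE_SCOPE);   // same effect as recursive="true"
        sc.setReturningAttributes(new String[0]);          // only the entry's DN is needed
        // {0} is substituted with filter escaping, so the login cannot change the filter's shape.
        NamingEnumeration<SearchResult> hits =
                serviceCtx.search(BASE_DN, "(&(sAMAccountName={0}))", new Object[] { login }, sc);
        try {
            if (!hits.hasMore()) {
                return null;
            }
            String dn = hits.next().getNameInNamespace();
            if (hits.hasMore()) {
                throw new NamingException("sAMAccountName is not unique under " + BASE_DN);
            }
            return dn;
        } finally {
            hits.close();
        }
    }

    /** Step 2: bind as the user's own DN with the entered password. True only if AD accepts it. */
    public static boolean authenticate(String login, char[] enteredPassword) throws NamingException {
        if (login == null || login.isEmpty() || enteredPassword == null || enteredPassword.length == 0) {
            return false;   // an empty password is an anonymous bind to AD, which proves nothing
        }
        String servicePwd = System.getenv(SERVICE_PWD_ENV);
        if (servicePwd == null) {
            throw new IllegalStateException(SERVICE_PWD_ENV + " is not set");
        }
        DirContext serviceCtx = bind(SERVICE_DN, servicePwd.toCharArray());
        String userDn;
        try {
            userDn = findUserDn(serviceCtx, login);
        } finally {
            serviceCtx.close();
        }
        if (userDn == null) {
            return false;   // unknown login gets the same answer as a wrong password
        }
        try {
            bind(userDn, enteredPassword).close();
            return true;
        } catch (AuthenticationException e) {   // LDAP result 49: wrong password, locked, expired...
            return false;
        }
    }

    public static void main(String[] args) throws NamingException {
        Console console = System.console();
        if (console == null || args.length != 1) {
            System.err.println("usage: java LdapSearchThenBind <sAMAccountName>   (run from a terminal)");
            System.exit(2);
        }
        char[] pwd = console.readPassword("Password for %s: ", args[0]);
        System.out.println(authenticate(args[0], pwd) ? "authenticated" : "rejected");
        Arrays.fill(pwd, '\0');   // do not keep the entered password in memory longer than needed
    }
}
```

Run it with the service account's password in the assumed JAAS_JBOSS_USER_PWD variable and the AD certificate chain in the JVM truststore. The service account only needs read access to find the user entry; the user's password leaves the JVM only inside the second bind, which is why a search-dn or search-credential attribute is not where the entered password goes.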