Hello, dears.
Thank you for reading my question.
In my JBoss EAP 6.4.0 I have successfully set up an LDAP connection to MS Active Directory (port 636, ldaps) for http-management.
LDAP authentication works fine; RBAC was also set up successfully. So the appropriate domain users can log in to the JBoss Administration Console with their domain accounts. It seems all is OK.
Diving deeper into the LDAP connection configuration, I can say that there is a special account in MS Active Directory which was created for JBoss to connect to LDAP, named "jaas-jboss-user". This account is used by JBoss EAP to connect to LDAP for authentication and authorization (LDAP group loading). So, despite the fact that any user enters his domain login/password (to log in to the JBoss console), JBoss EAP uses the special account "jaas-jboss-user" for authentication and LDAP group loading. The LDAP outbound connection looks like below:
<outbound-connections>
    <ldap name="ldapS_connection" url="ldaps://xxx.xxx.xxx:636 ldaps://xxx.xxx.xxx:636" search-dn="CN=jaas-jboss-user,CN=xxx,DC=xxx,DC=xxx,DC=xxx" search-credential="${VAULT::VAULT_BLOCK::LDAP_account_pwd::1}"/>
</outbound-connections>
You can see that "jaas-jboss-user" is used by JBoss EAP to connect to LDAP. At the same time, people use their domain logins/passwords to connect to the JBoss Administration Console. I need to remove "jaas-jboss-user" from the configuration completely and use the domain users' logins/passwords (which are entered by the users at login time to the console) for authentication / authorization purposes. So I changed the configuration:
<authentication>
    <truststore path="/......jks" keystore-password="${VAULT::VAULT_BLOCK_TRUSTSTORE::Truststore_pwd::1}"/>
    <ldap connection="ldapS_connection" base-dn="DC=core,DC=bta,DC=kz" recursive="true">
        <!-- username-filter attribute="saMAccountName"/-->
        <advanced-filter filter="(&(sAMAccountName={0}))"/>
    </ldap>
</authentication>
So with this config JBoss must send the entered user login to LDAP.
The main question is: how can I send the user's password to LDAP? I tried like below but failed:
<outbound-connections>
    <ldap name="ldapS_connection" url="ldaps://xxx.xxx.xxx:636 ldaps://xxx.xxx.xxx:636" search-dn="CN='sAMAccountName={0}',DC=xxx,DC=xxx,DC=xx" search-credential="(&(password={1}))"/>
</outbound-connections>
I have tried many expressions for search-credential but with no result.
Could you please advise me how to send the entered user password to AD?
Thank you,
T.K.
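As an added illustration (not part of T.K.'s post and not JBoss code), the Python model below shows the search-then-bind sequence a security realm performs against the directory: a fixed service credential (search-dn / search-credential) is used only to locate the user's DN, the username is escaped per RFC 4515 before it replaces the `{0}` placeholder in the filter, and the password typed at login is then checked by binding as the found DN. The directory, DNs and passwords are constructed sample data.

```python
# Added illustration (not JBoss code): model of the search-then-bind flow
# a JBoss EAP security realm performs against LDAP. The service credential
# only locates the user's DN; the typed password is verified by a second
# bind as that DN. DIRECTORY is a constructed in-memory stand-in for AD.
SVC_DN = "CN=jaas-jboss-user,CN=Users,DC=example,DC=test"
DIRECTORY = {  # constructed sample entries: DN -> attributes (fake passwords)
    SVC_DN: {"sAMAccountName": "jaas-jboss-user", "password": "svc-secret"},
    "CN=Alice,CN=Users,DC=example,DC=test": {
        "sAMAccountName": "alice", "password": "alice-pw"},
}

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value substituted into an LDAP filter."""
    out = []
    for ch in value:
        if ch in "*()\\\x00":
            out.append("\\%02x" % ord(ch))  # e.g. '*' -> '\2a'
        else:
            out.append(ch)
    return "".join(out)

def bind(dn: str, password: str) -> bool:
    """Simple bind: succeeds only if the DN exists and the password matches."""
    entry = DIRECTORY.get(dn)
    return entry is not None and entry["password"] == password

def search(filter_expr: str):
    """Equality search on sAMAccountName; returns the matching DN or None."""
    # Only the "(&(sAMAccountName=<value>))" shape from the realm config is modelled.
    prefix, suffix = "(&(sAMAccountName=", "))"
    if not (filter_expr.startswith(prefix) and filter_expr.endswith(suffix)):
        return None
    wanted = filter_expr[len(prefix):-len(suffix)]
    for dn, attrs in DIRECTORY.items():
        # Compare against the escaped stored value so a '*' or ')' smuggled
        # into the username can never widen the match.
        if escape_filter_value(attrs["sAMAccountName"]) == wanted:
            return dn
    return None

def authenticate(search_dn: str, search_credential: str,
                 username: str, password: str) -> bool:
    # Step 1: bind with the fixed service credential and locate the user.
    if not bind(search_dn, search_credential):
        return False
    user_dn = search("(&(sAMAccountName=%s))" % escape_filter_value(username))
    if user_dn is None:
        return False
    # Step 2: verify the typed password by binding as the user's own DN.
    return bind(user_dn, password)
```

Passing placeholder text such as `{0}`/`{1}` as search-dn / search-credential fails at step 1 in this model, because those values are a literal service identity, not a template filled from the login form.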