12 Replies Latest reply on Oct 16, 2003 9:52 AM by gosh

    Authenticating with Active Directory

    klewis

      Hi, folks.

      I am trying to authenticate users against our Active Directory server using the LdapLoginModule. I have security working with UsersRolesLoginModule, but am having trouble starting with LDAP/AD, and some references I've seen suggest it may not even work.

      Anyone have this setup and willing to share their auth.conf?

      Otherwise, any pointers? Searching this site, Microsoft.com and the whole 'net has turned up very little, though I'm trying to put together pieces.

      Thanks much for any help.

      --Kevin

        • 1. Re: Authenticating with Active Directory
          klewis

          Okay, I've had some success with this. I can authenticate a user, but I'm having trouble doing roles. I've worked around it (to a very limited extent), by making my required role equal to my cn (obviously not a workable solution). Here's my auth.conf:

          ad {
          org.jboss.security.plugins.samples.LdapLoginModule required
          java.naming.factory.initial="com.sun.jndi.ldap.LdapCtxFactory"
          java.naming.provider.url="ldap://xxxxx/"
          java.naming.security.authentication="simple"
          java.naming.security.principal="xxxxx"
          java.naming.security.credentials="xxxxx"
          principalDNPrefix="cn="
          principalDNSuffix=",ou=My Unit,dc=mydomain,dc=com"
          rolesCtxDN="ou=My Unit,dc=mydomain,dc=com"
          roleAttributeID="cn"
          uidAttributeID="cn"
          ;
          };

          I've tried changing roleAttributeID to something reasonable (with an analogous change to rolesCtxDN), but no dice.

          So, any help at this point would be appreciated.

          --Kevin

          • 2. This Works
            klewis

            Okay, I got it pretty much to work (if anyone is interested ... it sure doesn't seem like it ;-)

            ad {
            org.jboss.security.plugins.samples.LdapLoginModule required
            java.naming.factory.initial="com.sun.jndi.ldap.LdapCtxFactory"
            java.naming.provider.url="ldap://xxxx/"
            java.naming.security.authentication="simple"
            java.naming.security.principal="xxxx"
            java.naming.security.credentials="xxxx"
            principalDNPrefix="cn="
            principalDNSuffix=",ou=My Unit,dc=mydomain,dc=com"
            uidAttributeID="cn"
            rolesCtxDN="ou=My Unit,dc=mydomain,dc=com"
            roleAttributeID="objectClass"
            ;
            };

            One of the values of objectClass for us is "user", which is enough for now. I'll use other roles as necessary.

            The only problem now is that users must log in with full names, instead of login names, which I would like to fix.

            Anyway, hope this helps someone.

            --Kevin

            • 3. Re: This Works
              gosh

              I too had searched for a way to authenticate using LDAP to Active Directory. In JBoss 3, there's the LdapLoginModule, which might work, except most users don't know their distinguished name and in my case, the unserviceable sometimes had nothing to do with their account name.

              So I've produced a modified LDAP login module, tailored for AD. It uses a 'browse user' to find the account name given and then verifies the password. Roles are a property of the user object. I use NT groups for roles, since I couldn't change the schema.

              You can find the code here:
              http://www.boxerboxes.ca/JBoss_Ldap.html

              Works for me.

              All the best,
              Paul

              • 4. Re: Authenticating with Active Directory
                sartman

                I am also using Active Directory to authenticate and authorize users in JBoss 3.2.1. I have successfully used a slightly modified version of the org.jboss.security.auth.spi.LdapLoginModule class to authenticate a user with their userid and password. However, I would like to authenticate with a credential object instead of the user's password. Has anyone tried this?

                According to the javadoc for the LdapLoginModule class, the useObjectCredential property should be set to true and "the credential should be obtained as an opaque Object using the org.jboss.security.plugins.ObjectCallback type of Callback." I have two questions: where can I find documentation on the callback class (couldn't find it in the JBoss javadocs), and what type of object should I pass from my client program?

                Thanks for any help,
                Scott

                • 5. Re: Authenticating with Active Directory
                  azhang0801

                  Has anyone succeeded in configuring Active Directory v3 with JBoss 3.2.1? If yes, could you be kind enough to provide the details? Thanks a lot.

                  • 6. Re: Authenticating with Active Directory

                    > Callback." I have two questions, where can I find
                    > documentation on the callback class (couldn't find it
                    > in the JBoss javadocs)

                    /*
                     * JBoss, the OpenSource WebOS
                     *
                     * Distributable under LGPL license.
                     * See terms of license at gnu.org.
                     */
                    package org.jboss.security.auth.callback;
                    
                    import javax.security.auth.callback.Callback;
                    
                    /** An implementation of Callback that simply obtains an Object to be used
                    as the authentication credential. Interpretation of the Object is up to
                    the LoginModules that validate the credential.
                    
                    @author Scott.Stark@jboss.org
                    @version $Revision: 1.2.4.1 $
                    */
                    public class ObjectCallback implements Callback
                    {
                     private transient String prompt;
                     private transient Object credential;
                    
                     /** Initialize the SecurityAssociationCallback
                     */
                     public ObjectCallback(String prompt)
                     {
                     this.prompt = prompt;
                     }
                    
                     public String getPrompt()
                     {
                     return prompt;
                     }
                     public Object getCredential()
                     {
                     return credential;
                     }
                     public void setCredential(Object credential)
                     {
                     this.credential = credential;
                     }
                     public void clearCredential()
                     {
                     this.credential = null;
                     }
                    }
                    
                    


                    > and what type of object should
                    > I pass from my client program?

                    Depends on what your login module is expecting to find, I guess. X.509 maybe? Something else?

                    However I'm looking at the LDAPLoginModule code in 3.2.2 and the

                    private static final String USE_OBJECT_CREDENTIAL_OPT = "useObjectCredential";

                    seems to be never used... ?

                    -- Juha


                    • 7. Re: This Works
                      azhang0801

                      Hi, Juha,
                      Could you provide a sample configuration in login-config.xml in order to use Active Directory to do login authentication? I have tried for two days and had no luck getting it to work. Thanks.

                      Yee

                      • 8. Re: This Works
                        radl01

                        Hi all,

                        here is a small example of LDAP config for AD:

                        <application-policy name = "AD-ldap">

                        <login-module code="org.jboss.security.auth.spi.LdapLoginModule"
                        flag = "required">
                        <module-option name = "java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
                        <module-option name = "java.naming.provider.url">ldap://ip:389</module-option>
                        <module-option name = "java.naming.security.authentication">simple</module-option>
                        <module-option name = "principalDNPrefix">cn=</module-option>
                        <module-option name = "principalDNSuffix">,cn=Users, dc=company, dc=cz</module-option>
                        <module-option name = "uidAttributeID">cn</module-option>
                        <module-option name = "roleAttributeID">memberOf</module-option>
                        <module-option name = "roleNameAttributeID">cn</module-option>
                        <module-option name = "roleAttributeIsDN">true</module-option>
                        <module-option name = "matchOnUserDN">false</module-option>
                        <module-option name = "rolesCtxDN">cn=Users, dc=company, dc=cz</module-option>
                        <module-option name = "unauthenticatedIdentity">nobody</module-option>
                        </login-module>

                        </application-policy>

                        Regards
                        Jan

                        • 9. Re: This Works
                          azhang0801

                          Thanks a lot.
                          But where should the connectionName and connectionPassword go? Our ADS needs this to create a connection before performing any authentication.

                          • 10. Re: This Works

                            java.naming.security.principal and java.naming.security.credentials ?

                            -- Juha

                            • 11. Re: This Works
                              azhang0801

                              I did add those two parameters but they seem to never work.
                              <module-option name="java.naming.security.principal">CN=ADMIN,OU=Service,OU=MyCity,dc=myCompany,dc=com</module-option>
                              <module-option name="java.naming.security.credintails">myPassword</module-option>

                              In the sample in the previous posts, there was no such module-option listed. I am wondering how it was able to connect to ADS, because ADS disables anonymous login by default.

                              Thanks.

                              • 12. Re: This Works
                                gosh

                                What you need is my version of the Ldap login module. This allows you to set up a Browse user and get around the problem of AD not letting you browse anonymously.

                                It's mentioned above, but you can get it at http://boxerboxes.ca.

                                I have a new version I'll be putting up in the next few days with the ability to use the 'cn' of the role instead of the distinguished name. I will also be posting a compiled jar file, as people have requested that.

                                Hope that helps
                                Paul
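The search-then-bind flow Paul describes in replies 3 and 12 (bind as a service "browse" account, find the user by login name, then bind with the user's own DN and password, taking roles from memberOf), as an added JNDI example written for this thread; it is not code from his module or from JBoss, and the server URL, DNs and attribute names it uses are assumptions. It also refuses an empty password, which AD accepts as an unauthenticated bind, and escapes the login name before it goes into the search filter.

```java
import java.util.*;
import javax.naming.*;
import javax.naming.directory.*;
import javax.naming.ldap.LdapName;

public final class AdSearchThenBind {
    // RFC 4515 escaping so a login name such as "*)(cn=*" cannot widen the search filter.
    static String escapeFilter(String v) {
        return v.replace("\\", "\\5c").replace("*", "\\2a").replace("(", "\\28")
                .replace(")", "\\29").replace("\0", "\\00");
    }
    // JNDI environment for a simple bind as the given DN (simple auth is the default once a principal is set).
    static Hashtable<String, String> env(String url, String dn, String pw) {
        Hashtable<String, String> e = new Hashtable<>();
        e.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        e.put(Context.PROVIDER_URL, url);
        e.put(Context.SECURITY_PRINCIPAL, dn);
        e.put(Context.SECURITY_CREDENTIALS, pw);
        return e;
    }
    // Returns the user's group CNs as roles, or null when the account or password is rejected.
    static List<String> login(String url, String browseDn, String browsePw, String baseDn,
                              String user, String password) throws NamingException {
        // AD answers an empty password with a successful *unauthenticated* bind: refuse it up front.
        if (password == null || password.isEmpty()) return null;
        String userDn; List<String> roles = new ArrayList<>();
        DirContext browse = new InitialDirContext(env(url, browseDn, browsePw)); // 1: browse-user bind
        try {
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
            sc.setReturningAttributes(new String[] {"memberOf"});
            String filter = "(&(objectClass=user)(sAMAccountName=" + escapeFilter(user) + "))";
            NamingEnumeration<SearchResult> hits = browse.search(baseDn, filter, sc);
            if (!hits.hasMore()) return null;                          // unknown login name
            SearchResult hit = hits.next();
            userDn = hit.getNameInNamespace();                         // 2: DN the user never had to know
            Attribute groups = hit.getAttributes().get("memberOf");    // group DNs, e.g. CN=Staff,OU=...
            for (int i = 0; groups != null && i < groups.size(); i++) {
                LdapName gdn = new LdapName(groups.get(i).toString());
                roles.add(gdn.getRdn(gdn.size() - 1).getValue().toString()); // leading cn= is the role
            }
        } finally {
            browse.close();
        }
        try {
            new InitialDirContext(env(url, userDn, password)).close();  // 3: bind as the user
        } catch (AuthenticationException bad) {
            return null;                                               // wrong password
        }
        return roles;
    }
}
```

A call such as `login("ldap://dc.mydomain.com:389", "cn=browse,cn=Users,dc=mydomain,dc=com", browsePassword, "dc=mydomain,dc=com", "klewis", userPassword)` (all values assumed) yields the group names to map onto JBoss roles, or null when authentication should fail.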