4 Replies Latest reply on Sep 1, 2003 10:31 PM by micho2001

    LDAP and Windows NT Active Directory How To

    jlsantiago

I ran into a lot of problems making security work with Windows 2000 Active Directory. As I see a lot of questions about this subject, I post what I did.

      To include security in the jmx-console:

      File: jboss-web.xml in the jmx-console.war => Uncomment to include the security domain.

File: web.xml in the jmx-console.war => Uncomment to include the security constraints. The predefined role in these constraints is JBossAdmin; I kept this role.

      Create a new Windows 2000 Group with the name JBossAdmin

Add the users that you want to have access to this servlet to the JBossAdmin group with the Windows 2000 User Manager.

Edit the file login-config.xml in the conf directory of your configuration and include this application policy:


<application-policy name="jmx-console">
  <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">
    <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
    <module-option name="java.naming.provider.url">ldap://MyMachine.MyDomain.com/</module-option>
    <module-option name="java.naming.security.authentication">simple</module-option>
    <module-option name="principalDNPrefix">cn=</module-option>
    <module-option name="principalDNSuffix">,cn=Users,dc=MyDomain,dc=COM</module-option>
    <module-option name="rolesCtxDN">cn=Users,dc=MyDomain,dc=COM</module-option>
    <module-option name="matchOnUserDN">false</module-option>
    <module-option name="roleAttributeIsDN">true</module-option>
    <module-option name="uidAttributeID">sAMAccountName</module-option>
    <module-option name="roleAttributeID">memberOf</module-option>
    <module-option name="roleNameAttributeID">name</module-option>
  </login-module>
</application-policy>


      Change the strings MyMachine, MyDomain, and COM to your needs.


I must say that it works for me with JBoss 3.2.1; I tried with version 3.2.0 for several days without success.



        • 1. Re: LDAP and Windows NT Active Directory How To

          I am running into the same problems. I would really appreciate if you could share your experience on interrogating Active Directory to authenticate users on an Intranet. I must admit I have no experience at all on the subject, so if you can write an explanation for the dummies, that would be so great!

          Thanks for your reply.

          • 2. Re: LDAP and Windows NT Active Directory How To
            micho2001

Hi!!! Nice of you to post your login-config.xml, but I haven't been able to get it to work...

I added a parameter to the login-config.xml saying debug=true. When I try to authenticate I keep getting LDAP error 49, which I looked up and means invalid credentials.... (So I guess it found the server and all.)

            Did you get any of this? Any ideas?

P.S.: web.xml imposes a restriction to certain groups, which the user I try to authenticate belongs to.

            Thanks anyways!!

            • 3. Re: LDAP and Windows NT Active Directory How To
              gosh

              A large part of the success or failure of using LDAP and AD
              with the standard JBoss LDAP module depends on your
              users being able to specify a username that allows you to
              construct a principal name by doing
              supplied_name.

For example, if your sAMAccountNames and userprincipal names
are related always by @kerberos.realm, then you can set
=null
=@kerberos.realm. Giving the userprincipal name
supplied_name@kerberos.realm. Unfortunately, sometimes this
relation does not hold and hence will not work. In my case I
have users whose saMAccountName is bobr and their
userprincipal name is Rubble\,Bobby@kerberos.realm.

              You can also try to construct the distinguished name using
              the same procedure, which jlsantiago explains above. This
              only works if all your users will be at the same level in the
              AD tree. i.e. All your users are found at:
              cn=UserName,cn=dept,dc=MyDomain,dc=COM
              In large installations this is almost never true, users are more
              likely to be at various levels:
              cn=bobr,cn=section1,cn=dept1,dc=MyDomain,dc=COM
              cn=jillb,cn=section3,cn=dept2,dc=MyDomain,dc=COM

This scheme can't be accommodated with prefixes and postfixes.

I have a modified version of the LDAP module that looks up
              saMAccountNames and finds the distinguished name of the user
              and then authenticates and authorizes the user.

              The source can be found at boxerboxes.ca.


              All the best,
              Paul
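The following is an added example, not code from JBoss or from anyone in this thread. It models, against a small constructed in-memory directory, what the login-config.xml options in the original post do (principalDNPrefix/principalDNSuffix build the bind DN, a simple bind checks the password, and roleAttributeID=memberOf with roleAttributeIsDN=true resolves each group DN to its roleNameAttributeID=name value), and it puts that prefix/suffix scheme next to the search-by-sAMAccountName approach Paul describes above. The DIRECTORY contents, the passwords and the helper names (build_user_dn, search_user_dn, simple_bind, resolve_roles, authenticate) are all constructed for this example.

```python
"""Toy model of how the LdapLoginModule options map onto LDAP operations.

Constructed example: an in-memory dict stands in for Active Directory so the
logic runs offline. Real AD verifies the bind itself; no passwords live here
except as toy data.
"""

LDAP_SUCCESS = 0
LDAP_INVALID_CREDENTIALS = 49  # resultCode 49 = invalidCredentials (the error micho2001 saw)

# Constructed directory: DN -> attributes (DNs and names follow the thread's examples).
DIRECTORY = {
    "cn=JBossAdmin,cn=Users,dc=MyDomain,dc=COM": {"objectClass": "group", "name": "JBossAdmin"},
    "cn=Operators,cn=Users,dc=MyDomain,dc=COM": {"objectClass": "group", "name": "Operators"},
    # a user directly under cn=Users, the only layout the prefix/suffix scheme supports
    "cn=jlsantiago,cn=Users,dc=MyDomain,dc=COM": {
        "sAMAccountName": "jlsantiago", "userPassword": "s3cret",
        "memberOf": ["cn=JBossAdmin,cn=Users,dc=MyDomain,dc=COM"]},
    # users nested at different depths, as in Paul's reply
    "cn=bobr,cn=section1,cn=dept1,dc=MyDomain,dc=COM": {
        "sAMAccountName": "bobr", "userPassword": "rubble",
        "memberOf": ["cn=JBossAdmin,cn=Users,dc=MyDomain,dc=COM",
                     "cn=Operators,cn=Users,dc=MyDomain,dc=COM"]},
    "cn=jillb,cn=section3,cn=dept2,dc=MyDomain,dc=COM": {
        "sAMAccountName": "jillb", "userPassword": "pebbles",
        "memberOf": ["cn=Operators,cn=Users,dc=MyDomain,dc=COM"]},
}


def _lookup(dn):
    """DN comparison is case-insensitive in LDAP, so normalise before matching."""
    wanted = dn.lower()
    for entry_dn, attrs in DIRECTORY.items():
        if entry_dn.lower() == wanted:
            return attrs
    return None


def build_user_dn(username, prefix="cn=", suffix=",cn=Users,dc=MyDomain,dc=COM"):
    """principalDNPrefix + supplied name + principalDNSuffix: the original post's scheme."""
    return prefix + username + suffix


def search_user_dn(sam_account_name):
    """Paul's alternative: search the tree for the sAMAccountName and use the
    DN of the entry found, whatever its depth."""
    for entry_dn, attrs in DIRECTORY.items():
        if attrs.get("sAMAccountName", "").lower() == sam_account_name.lower():
            return entry_dn
    return None


def simple_bind(dn, password):
    """java.naming.security.authentication=simple: bind as the DN with the password.
    An unknown DN and a wrong password are indistinguishable: both give error 49."""
    attrs = _lookup(dn)
    if attrs is None or attrs.get("userPassword") != password:
        return LDAP_INVALID_CREDENTIALS
    return LDAP_SUCCESS


def resolve_roles(user_dn):
    """roleAttributeID=memberOf, roleAttributeIsDN=true: each memberOf value is a
    group DN; read that group's roleNameAttributeID (name) to get the role name."""
    attrs = _lookup(user_dn) or {}
    roles = []
    for group_dn in attrs.get("memberOf", []):
        group = _lookup(group_dn)
        if group and "name" in group:
            roles.append(group["name"])
    return roles


def authenticate(username, password, use_search=False):
    """Return (ldap_result_code, roles). use_search=False is the prefix/suffix scheme."""
    dn = search_user_dn(username) if use_search else build_user_dn(username)
    if dn is None:
        return LDAP_INVALID_CREDENTIALS, []
    rc = simple_bind(dn, password)
    if rc != LDAP_SUCCESS:
        return rc, []
    return rc, resolve_roles(dn)


if __name__ == "__main__":
    print(authenticate("jlsantiago", "s3cret"))             # (0, ['JBossAdmin'])
    print(authenticate("bobr", "rubble"))                   # (49, []): DN built at the wrong level
    print(authenticate("bobr", "rubble", use_search=True))  # (0, ['JBossAdmin', 'Operators'])
```

The second call shows why a nested user gets error 49 even with the right password: the prefix/suffix scheme produces cn=bobr,cn=Users,dc=MyDomain,dc=COM, which does not exist, and the server reports a failed bind the same way it reports a bad password. A search-based lookup finds the real DN first. Note also that with `simple` authentication the password travels in clear over a plain ldap:// connection, so in practice the provider URL should use ldaps:// or the connection should negotiate StartTLS.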

              • 4. Re: LDAP and Windows NT Active Directory How To
                micho2001

Agh.. I tried the module found at boxerboxes.ca and although I'm nearly there I still can't get it to work...

The thing is: apparently it can't find the user I'm looking for!!! Anyone got an example login-config.xml for this module? Or another way to get JBoss and ADS to work altogether?