1. Re: LDAP and Windows NT Active Directory How To
richaud May 16, 2003 3:36 AM (in response to jlsantiago)
I am running into the same problems. I would really appreciate it if you could share your experience with interrogating Active Directory to authenticate users on an intranet. I must admit I have no experience at all on the subject, so if you could write an explanation for dummies, that would be so great!
Thanks for your reply.
2. Re: LDAP and Windows NT Active Directory How To
micho2001 May 17, 2003 8:06 PM (in response to jlsantiago)
Hi!!! Nice of you to post your login-config.xml, but I haven't been able to get it to work...
I added a parameter to login-config.xml saying debug=true. When I try to authenticate I keep getting LDAP error 49, which I looked up and which means invalid credentials.... (So I guess it found the server and all.)
Did you get any of this? Any ideas?
P.S.: web.xml imposes a restriction to certain groups, which the user I try to authenticate belongs to.
Thanks anyway!!
3. Re: LDAP and Windows NT Active Directory How To
gosh May 19, 2003 1:48 PM (in response to jlsantiago)
A large part of the success or failure of using LDAP and AD with the standard JBoss LDAP module depends on your users being able to specify a username that allows you to construct a principal name by doing supplied_name.
For example, if your sAMAccountNames and userPrincipalNames are always related by @kerberos.realm, then you can set
=null
=@kerberos.realm
giving the userPrincipalName supplied_name@kerberos.realm. Unfortunately, sometimes this relation does not hold and hence will not work. In my case I have users whose sAMAccountName is bobr and their userPrincipalName is Rubble\,Bobby@kerberos.realm.
You can also try to construct the distinguished name using the same procedure, which jlsantiago explains above. This only works if all your users are at the same level in the AD tree, i.e. all your users are found at:
cn=UserName,cn=dept,dc=MyDomain,dc=COM
In large installations this is almost never true; users are more likely to be at various levels:
cn=bobr,cn=section1,cn=dept1,dc=MyDomain,dc=COM
cn=jillb,cn=section3,cn=dept2,dc=MyDomain,dc=COM
This scheme can't be accommodated with prefixes and postfixes.
I have a modified version of the LDAP module that looks up sAMAccountNames, finds the distinguished name of the user, and then authenticates and authorizes the user. The source can be found at boxerboxes.ca.
All the best,
Paul
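The two schemes Paul's post contrasts, as an added example that is not part of the original thread and not the code of the boxerboxes.ca module: binding directly as prefix + supplied_name + suffix, and the search-then-bind approach that first resolves a sAMAccountName to a distinguished name. The directory entries, passwords and the toy LDAP server below are constructed for this example; the server evaluates only a single equality/substring filter on one attribute, which is enough to show why the supplied username must be RFC 4515-escaped before it goes into a search filter. The JBoss module's own property names are not reproduced; the functions take plain prefix and suffix arguments.

```python
import re

# Constructed sample entries (made up for this example) mirroring the post:
# accounts sit at different depths of the tree, and one userPrincipalName is
# not sAMAccountName@realm.
ENTRIES = [
    {"dn": "cn=bobr,cn=section1,cn=dept1,dc=MyDomain,dc=COM",
     "sAMAccountName": "bobr",
     "userPrincipalName": "Rubble\\,Bobby@kerberos.realm",
     "password": "bob-pass"},
    {"dn": "cn=jillb,cn=section3,cn=dept2,dc=MyDomain,dc=COM",
     "sAMAccountName": "jillb",
     "userPrincipalName": "jillb@kerberos.realm",
     "password": "jill-pass"},
]

LDAP_SUCCESS = 0
LDAP_INVALID_CREDENTIALS = 49  # the resultCode a failed simple bind returns


def simple_bind(principal, password):
    """Toy stand-in for an LDAP simple bind. AD accepts either the entry's DN
    or its userPrincipalName as the bind name."""
    for entry in ENTRIES:
        if principal in (entry["dn"], entry["userPrincipalName"]) \
                and password == entry["password"]:
            return LDAP_SUCCESS
    return LDAP_INVALID_CREDENTIALS


def build_principal(supplied_name, prefix, suffix):
    """The standard module's scheme: prefix + supplied_name + suffix."""
    return f"{prefix}{supplied_name}{suffix}"


def escape_filter_value(value):
    """RFC 4515 escaping for a value placed inside a search filter."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch
                   for ch in value)


def _filter_value_to_regex(raw):
    """Server side: '*' is a substring wildcard, backslash-hex is a literal."""
    pattern = ""
    i = 0
    while i < len(raw):
        ch = raw[i]
        if ch == "\\" and i + 2 < len(raw):
            pattern += re.escape(chr(int(raw[i + 1:i + 3], 16)))
            i += 3
        elif ch == "*":
            pattern += ".*"
            i += 1
        else:
            pattern += re.escape(ch)
            i += 1
    return re.compile("^" + pattern + "$")


def search(attribute, raw_value):
    """Toy server evaluating the single filter (attribute=raw_value)."""
    rx = _filter_value_to_regex(raw_value)
    return [e["dn"] for e in ENTRIES if rx.match(e.get(attribute, ""))]


def authenticate_prefix_suffix(supplied_name, password, prefix, suffix):
    """Bind directly as prefix + name + suffix; True on success."""
    principal = build_principal(supplied_name, prefix, suffix)
    return simple_bind(principal, password) == LDAP_SUCCESS


def authenticate_search_then_bind(supplied_name, password, escape=True):
    """Resolve sAMAccountName to a DN, then bind as that DN. Returns the DN
    on success (handy for the authorization step) or None. Refuses when the
    search matches nothing or more than one entry."""
    value = escape_filter_value(supplied_name) if escape else supplied_name
    dns = search("sAMAccountName", value)
    if len(dns) != 1:
        return None
    return dns[0] if simple_bind(dns[0], password) == LDAP_SUCCESS else None


if __name__ == "__main__":
    realm = "@kerberos.realm"
    # UPN suffix works for jillb, fails for bobr whose UPN is Rubble\,Bobby@...
    print(authenticate_prefix_suffix("jillb", "jill-pass", "", realm))
    print(authenticate_prefix_suffix("bobr", "bob-pass", "", realm))
    # A fixed DN template fails when users live at different depths
    print(authenticate_prefix_suffix("bobr", "bob-pass", "cn=",
                                     ",cn=dept,dc=MyDomain,dc=COM"))
    # Search-then-bind finds bobr wherever he is in the tree
    print(authenticate_search_then_bind("bobr", "bob-pass"))
    # Escaping matters: an unescaped '*' matches every account
    print(search("sAMAccountName", "*"))
    print(search("sAMAccountName", escape_filter_value("*")))
```

Run it directly to see each case. The wildcard case is the one to keep in mind when writing a module like the one Paul describes: the username the user typed ends up inside a search filter, so it has to be escaped, otherwise a name such as `*` matches every account, and on a real server unescaped parentheses let the caller rewrite the filter itself. Refusing an ambiguous match, as the function above does, is the second half of that defence.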
4. Re: LDAP and Windows NT Active Directory How To
micho2001 Sep 1, 2003 10:31 PM (in response to jlsantiago)
Agh.. I tried the module found at boxerboxes.ca and although I'm nearly there I still can't get it to work...
The thing is: apparently it can't find the user I'm looking for!!! Anyone got an example login-config.xml for this module? Or another way to get JBoss and ADS to work together?