-
1. Re: LdapLoginModule & search scope
lords_diakonos Mar 12, 2004 5:51 AM (in response to mozheyko_d)
I am no expert, in fact I am a newbie :-), but I have been able to authenticate against Active Directory with the browseldapmodule. If you search the forums you can find info on it. You will have to download it and deploy it.
-
2. Re: LdapLoginModule & search scope
starksm64 Mar 14, 2004 10:17 AM (in response to mozheyko_d)
To authenticate with a login username of user1, a principalDNPrefix='uid=' and a principalDNSuffix='ou=Group1,ou=People,dc=mycompany,dc=com' are required. Configurations based on users are not supported by the LdapLoginModule, so your schema is not supported since users are not under a single context.
-
3. Re: LdapLoginModule & search scope
mozheyko_d Mar 15, 2004 1:40 AM (in response to mozheyko_d)
Thanks for the reply.
I did not think that the JBoss code was so inflexible.
-
4. Re: LdapLoginModule & search scope
jsb Sep 19, 2005 6:44 PM (in response to mozheyko_d)
This seems to come up fairly frequently when using Active Directory. Not sure why, maybe because admins are encouraged to sub-container users for group policy assignment?
I believe most people solve this by writing their own login module, which JBoss makes very easy. But considering that JBoss already provides an LDAP login module that does almost everything needed, it seems like it might be a good idea to make a small change to this provided module to support a search scope extending below the starting container.
For example, replace line 312 of the org.jboss.security.auth.spi.LdapLoginModule in JBoss AS 4.0.2 with:

    SearchControls ctls = new SearchControls();
    ctls.setReturningAttributes(roleAttr);
    // Search the whole subtree below rolesCtxDN.
    ctls.setSearchScope(SearchControls.SUBTREE_SCOPE);
    // {0} is substituted by JNDI, which escapes filter metacharacters in username.
    String filter = "(" + uidAttrName + "={0})";
    NamingEnumeration answer = ctx.search(rolesCtxDN, filter, new Object[] { username }, ctls);

Then, the LdapLoginModule could be used out-of-box with Active Directory even when users are placed in containers under the Users (or People, etc.) container.
-
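The subtree search from the post above, carried through to a complete search-then-bind check, as an added example that is not part of the thread and not JBoss code. The class and method names are hypothetical, and it assumes an already-connected DirContext for the search and a reachable LDAP URL for the bind; it goes beyond the posted snippet by rejecting duplicate matches and empty passwords, both of which matter once the search is no longer confined to one container.

```java
import java.util.Hashtable;
import javax.naming.*;
import javax.naming.directory.*;

/** Added example (hypothetical class, not JBoss code): subtree lookup, then bind. */
public class SubtreeBindExample {
    /** Returns the DN of the single entry matching username under baseDN, or null. */
    static String findUserDN(DirContext ctx, String baseDN, String uidAttrName,
                             String username) throws NamingException {
        SearchControls ctls = new SearchControls();
        ctls.setSearchScope(SearchControls.SUBTREE_SCOPE); // descend into sub-containers
        ctls.setReturningAttributes(new String[0]);        // only the DN is needed
        // JNDI substitutes {0} and escapes filter metacharacters (* ( ) \) in it.
        NamingEnumeration<SearchResult> answer = ctx.search(
            baseDN, "(" + uidAttrName + "={0})", new Object[] { username }, ctls);
        try {
            if (!answer.hasMore()) return null;            // unknown user
            String dn = answer.next().getNameInNamespace();
            // Same uid in two containers: refuse rather than pick one.
            return answer.hasMore() ? null : dn;
        } finally {
            answer.close();
        }
    }
    /** Verifies the password by binding as the DN found by findUserDN. */
    static boolean authenticate(DirContext searchCtx, String ldapUrl, String baseDN,
                                String uidAttrName, String username, String password) {
        // A simple bind with an empty password is unauthenticated; some servers accept it.
        if (username == null || password == null || password.isEmpty()) return false;
        try {
            String dn = findUserDN(searchCtx, baseDN, uidAttrName, username);
            if (dn == null) return false;
            Hashtable<String, String> env = new Hashtable<>();
            env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
            env.put(Context.PROVIDER_URL, ldapUrl);
            env.put(Context.SECURITY_AUTHENTICATION, "simple");
            env.put(Context.SECURITY_PRINCIPAL, dn);
            env.put(Context.SECURITY_CREDENTIALS, password);
            new InitialDirContext(env).close();            // bind succeeds or throws
            return true;
        } catch (NamingException e) {
            return false;                                  // bad credentials or lookup error
        }
    }
    public static void main(String[] args) {
        // Constructed input: the empty password is rejected before any directory call.
        System.out.println(authenticate(null, null, "ou=People,dc=mycompany,dc=com", "uid", "user1", ""));
    }
}
```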
5. Re: LdapLoginModule & search scope
starksm64 Sep 21, 2005 11:32 AM (in response to mozheyko_d)
There already is another login module with more flexibility for binding. See:
http://wiki.jboss.org/wiki/Wiki.jsp?page=LdapExtLoginModule