11 Replies Latest reply on Feb 2, 2005 9:11 AM by gmeroz

    problem connecting to active directory

      Hi,
      I'm trying to use LDAP on Active Directory from JBoss 3.2.6.

      Can anyone send me a working login-config.xml entry?

      I'm using Active Directory on Win 2000 with the following schema:

      myDomain (domain)
      |
      |-People (organization unit)
      |........|
      |........|-user1 (User)
      |
      |-Roles
      |.......|
      |.......|-RegularUsers (Group)
      |.................|-user1 (member)
      |.................|-tester (member)
      |
      |-Users
      |........|
      |........|-tester (User)

      I could not succeed in connecting with or without roles....

      Please help
      Gil

        • 1. Re: problem connecting to active directory
          tom-the-bomb

          That one should work:

          <policy>
            <application-policy name="myapp">
              <authentication>
                <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">
                  <module-option name="debug">true</module-option>
                  <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
                  <module-option name="java.naming.provider.url">ldap://dc.mydomain.com:389/</module-option>
                  <module-option name="java.naming.security.authentication">simple</module-option>
                  <module-option name="matchOnUserDN">false</module-option>
                  <module-option name="principalDNSuffix">@mydomain.com</module-option>
                  <module-option name="uidAttributeID">sAMAccountName</module-option>
                  <module-option name="roleAttributeID">memberOf</module-option>
                  <module-option name="roleAttributeIsDN">true</module-option>
                  <module-option name="roleNameAttributeID">name</module-option>
                  <module-option name="rolesCtxDN">ou=Roles,dc=mydomain,dc=com</module-option>
                </login-module>
              </authentication>
            </application-policy>
          </policy>

          - "myapp" should be your application's security domain
          - dc.mydomain.com is the name or IP address of your domain controller
          - ou=Roles,dc=mydomain,dc=com is the OU of your Roles


          • 2. Re: problem connecting to active directory

            Thanks,
            I tried this configuration and I get error 403 when I try to log in.

            • 3. Re: problem connecting to active directory
              tom-the-bomb

              What did you put in jboss-web.xml and web.xml?

              • 4. Re: problem connecting to active directory

                I didn't define any security roles in web.xml & jboss.xml...

                My login-config entry is:
                <module-option name="java.naming.provider.url">ldap://pdcsrv01.bevents.local:389/</module-option>
                <module-option name="java.naming.security.authentication">simple</module-option>
                <module-option name="matchOnUserDN">false</module-option>
                <module-option name="principalDNSuffix">@bevents.local</module-option>
                <module-option name="uidAttributeID">sAMAccountName</module-option>
                <module-option name="roleAttributeID">memberOf</module-option>
                <module-option name="roleAttributeIsDN">true</module-option>
                <module-option name="roleNameAttributeID">name</module-option>
                <module-option name="rolesCtxDN">ou=Users,dc=bevents,dc=local</module-option>


                I also tried to log in with administrator and failed.

                • 5. Re: problem connecting to active directory
                  tom-the-bomb


                  "gmeroz" wrote:
                  I didn't define any security roles in web.xml & jboss.xml...


                  That's your problem. You need definitions in jboss-web.xml and web.xml.
                  Without them authentication cannot succeed.

                  • 6. Re: problem connecting to active directory

                    Thank you, this was the problem.

                    I defined roles and I managed to connect to the LDAP, but only as long as the users and the roles (groups) are in the same OU (with the same login-config above).

                    If I change it to
                    <module-option name="rolesCtxDN">ou=Roles,dc=bevents,dc=local</module-option>

                    it's not working. I didn't find any documentation on how to define it to use roles.

                    I want to have 2 organization units: Users & Roles.



                    • 7. Re: problem connecting to active directory
                      tom-the-bomb

                      Then try this:

                      <module-option name="rolesCtxDN">ou=Users,dc=bevents,dc=local</module-option>


                      As you can read here: http://docs.jboss.org/jbossas/admindevel326/html/ch8.chapter.html#d0e16742 the rolesCtxDN needs to be the OU in which to find the users. At the moment there is no way to use more than one OU for users (in your case Users and People). So if you need to look users up in both OUs you have to modify the LdapLoginModule.java.

                      • 8. Re: problem connecting to active directory

                        If I have users defined only in the People OU (I'm ignoring the Users OU for now) and roles are defined in the Roles OU:

                        I'll define the "rolesCtxDN" as the OU for users ('People'). But how do I define that the OU for the roles is 'Roles'?

                        • 9. Re: problem connecting to active directory
                          tom-the-bomb

                          You don't.
                          The login module tries to find the user object within the OU specified by rolesCtxDN. If it finds one it will enumerate all user properties with the name of "memberOf". So there is no need to specify the roles-OU.

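                          Editor's note: the following Python script is an added illustration of the lookup sequence described in reply 1 (the module options) and reply 9 (user found under rolesCtxDN, roles read from memberOf). It is not JBoss code and does not talk to a directory: the entries, passwords and the ldap_login() function are all constructed here to mirror the tree in the original post, and search scope and error handling are simplified. It shows why rolesCtxDN must point at the users' OU (roles are then resolved through the memberOf DNs, wherever the groups live) and why a user in a second OU gets no roles.

```python
"""Constructed model of how the LdapLoginModule options in this thread resolve
roles. Not JBoss source: DIRECTORY and PASSWORDS stand in for Active Directory,
and ldap_login() reimplements the steps described in the thread in Python."""

# Constructed stand-in for the AD tree in the original post (DN -> attributes).
DIRECTORY = {
    "cn=user1,ou=People,dc=bevents,dc=local": {
        "objectClass": ["user"],
        "sAMAccountName": ["user1"],
        "memberOf": ["cn=RegularUsers,ou=Roles,dc=bevents,dc=local"],
    },
    "cn=tester,ou=Users,dc=bevents,dc=local": {
        "objectClass": ["user"],
        "sAMAccountName": ["tester"],
        "memberOf": ["cn=RegularUsers,ou=Roles,dc=bevents,dc=local"],
    },
    "cn=RegularUsers,ou=Roles,dc=bevents,dc=local": {
        "objectClass": ["group"],
        "name": ["RegularUsers"],
        "member": [
            "cn=user1,ou=People,dc=bevents,dc=local",
            "cn=tester,ou=Users,dc=bevents,dc=local",
        ],
    },
}

# Constructed credentials; a real domain controller checks the simple bind.
PASSWORDS = {"user1@bevents.local": "user1-pw", "tester@bevents.local": "tester-pw"}

# The module options from reply 1, filled in with the poster's domain and the
# rolesCtxDN that reply 7 recommends (the OU holding the users).
OPTIONS = {
    "principalDNSuffix": "@bevents.local",
    "uidAttributeID": "sAMAccountName",
    "roleAttributeID": "memberOf",
    "roleAttributeIsDN": True,
    "roleNameAttributeID": "name",
    "rolesCtxDN": "ou=People,dc=bevents,dc=local",
}


def simple_bind(principal, password):
    """Stand-in for the LDAP simple bind with uid + principalDNSuffix."""
    return PASSWORDS.get(principal) == password


def search(base_dn, attr, value):
    """Subtree search under base_dn for entries whose attr contains value.
    Scope is a simplification; the point is that only entries below base_dn
    are candidates."""
    suffix = "," + base_dn.lower()
    return [dn for dn, attrs in DIRECTORY.items()
            if dn.lower().endswith(suffix) and value in attrs.get(attr, [])]


def ldap_login(username, password, opts):
    """Return (authenticated, roles) following the thread's description:
    1. bind as username + principalDNSuffix (matchOnUserDN=false),
    2. find the user object under rolesCtxDN by uidAttributeID,
    3. read roleAttributeID from it; with roleAttributeIsDN=true each value is
       a group DN whose roleNameAttributeID attribute supplies the role name."""
    if not simple_bind(username + opts["principalDNSuffix"], password):
        return False, []
    users = search(opts["rolesCtxDN"], opts["uidAttributeID"], username)
    if not users:
        # Bind succeeded but no user object lives under rolesCtxDN, so no roles
        # are assigned: the web container then rejects role-protected URLs.
        return True, []
    roles = set()
    for dn in users:
        for value in DIRECTORY[dn].get(opts["roleAttributeID"], []):
            if opts["roleAttributeIsDN"]:
                group = DIRECTORY.get(value, {})
                roles.update(group.get(opts["roleNameAttributeID"], []))
            else:
                roles.add(value)
    return True, sorted(roles)


if __name__ == "__main__":
    print(ldap_login("user1", "user1-pw", OPTIONS))
    # rolesCtxDN pointing at the groups' OU: the user is never found there.
    wrong = dict(OPTIONS, rolesCtxDN="ou=Roles,dc=bevents,dc=local")
    print(ldap_login("user1", "user1-pw", wrong))
    # A user in a second OU (ou=Users) is outside rolesCtxDN and gets no roles.
    print(ldap_login("tester", "tester-pw", OPTIONS))
```

                          Running the script shows user1 authenticating with the RegularUsers role when rolesCtxDN is ou=People, no roles at all when rolesCtxDN is ou=Roles, and no roles for tester because that account sits in ou=Users, which matches reply 7's remark that a single rolesCtxDN cannot cover two user OUs.
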
                          • 10. Re: problem connecting to active directory

                            Great! It worked.
                            Thanks for the help.

                            • 11. Re: problem connecting to active directory

                              Great! It worked.
                              Thanks a lot.