1. Re: problem connecting to active directory
tom-the-bomb Feb 1, 2005 3:08 AM (in response to gmeroz)
That one should work:
<policy>
  <application-policy name="myapp">
    <authentication>
      <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">
        <module-option name="debug">true</module-option>
        <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
        <module-option name="java.naming.provider.url">ldap://dc.mydomain.com:389/</module-option>
        <module-option name="java.naming.security.authentication">simple</module-option>
        <module-option name="matchOnUserDN">false</module-option>
        <module-option name="principalDNSuffix">@mydomain.com</module-option>
        <module-option name="uidAttributeID">sAMAccountName</module-option>
        <module-option name="roleAttributeID">memberOf</module-option>
        <module-option name="roleAttributeIsDN">true</module-option>
        <module-option name="roleNameAttributeID">name</module-option>
        <module-option name="rolesCtxDN">ou=Roles,dc=mydomain,dc=com</module-option>
      </login-module>
    </authentication>
  </application-policy>
</policy>
- "myapp" should be your applications security domain
- dc.mydomain.com is the name or ip address of your domain controller
- ou=Roles,dc=mydomain,dc=com is the OU of your Roles
2. Re: problem connecting to active directory
gmeroz Feb 1, 2005 4:23 AM (in response to gmeroz)
Thanks,
I tried this configuration and I get error 403 when I try to login.
3. Re: problem connecting to active directory
tom-the-bomb Feb 1, 2005 4:43 AM (in response to gmeroz)
What did you put in jboss-web.xml and web.xml?
4. Re: problem connecting to active directory
gmeroz Feb 1, 2005 4:58 AM (in response to gmeroz)
I didn't define any security roles in web.xml & jboss.xml...
My login-config entry is:
<module-option name="java.naming.provider.url">ldap://pdcsrv01.bevents.local:389/</module-option>
<module-option name="java.naming.security.authentication">simple</module-option>
<module-option name="matchOnUserDN">false</module-option>
<module-option name="principalDNSuffix">@bevents.local</module-option>
<module-option name="uidAttributeID">sAMAccountName</module-option>
<module-option name="roleAttributeID">memberOf</module-option>
<module-option name="roleAttributeIsDN">true</module-option>
<module-option name="roleNameAttributeID">name</module-option>
<module-option name="rolesCtxDN">ou=Users,dc=bevents,dc=local</module-option>
I also tried to login with administrator and failed.
5. Re: problem connecting to active directory
tom-the-bomb Feb 1, 2005 8:44 AM (in response to gmeroz)
"gmeroz" wrote:
> I didn't define any security roles in web.xml & jboss.xml...
That's your problem. You need definitions in jboss-web.xml and web.xml.
Without them authentication cannot succeed.
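An added example (not from this thread or from the JBoss documentation) of the two descriptor fragments tom-the-bomb refers to, written for the "myapp" security domain from reply 1. The role name "AppUsers" is an assumed Active Directory group name; with the login-config above it must equal the value of the group's "name" attribute, because roleNameAttributeID=name is what the module uses to turn each memberOf DN into a role name.

```xml
<!-- WEB-INF/web.xml (fragment): declare what is protected, how the user
     authenticates, and which role names the application knows about. -->
<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected pages</web-resource-name>
      <url-pattern>/secure/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <!-- Assumed AD group name; must match the group's "name" attribute,
           since the policy maps roles through roleNameAttributeID=name. -->
      <role-name>AppUsers</role-name>
    </auth-constraint>
  </security-constraint>

  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>myapp</realm-name>
  </login-config>

  <security-role>
    <role-name>AppUsers</role-name>
  </security-role>
</web-app>

<!-- WEB-INF/jboss-web.xml: bind the web application to the JAAS
     application-policy named "myapp" from login-config.xml. -->
<jboss-web>
  <security-domain>java:/jaas/myapp</security-domain>
</jboss-web>
```

The security-constraint is what makes the container demand a login at all, and the security-domain is what routes that login to the LdapLoginModule instead of the default policy; if either is missing, the LDAP configuration is never exercised. Note that "simple" authentication against ldap://...:389 sends the user's password in clear text on the wire, so in production the provider URL should point at an LDAPS (636) listener on the domain controller.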
6. Re: problem connecting to active directory
gmeroz Feb 1, 2005 11:59 AM (in response to gmeroz)
Thank you, this was the problem.
I defined roles and I manage to connect to the LDAP, but only as long as the users and the roles (groups) are in the same OU (with the same login-config above).
If I change it to
<module-option name="rolesCtxDN">ou=Roles,dc=bevents,dc=local</module-option>
it's not working. I didn't find any documentation on how to define it to use roles.
I want to have 2 organization units: Users & Roles.
7. Re: problem connecting to active directory
tom-the-bomb Feb 2, 2005 3:00 AM (in response to gmeroz)
Then try this:
<module-option name="rolesCtxDN">ou=Users,dc=bevents,dc=local</module-option>
As you can read here: http://docs.jboss.org/jbossas/admindevel326/html/ch8.chapter.html#d0e16742 the rolesCtxDN needs to be the OU where to find the users. At the moment there is no way to use more than one OU for users (in your case Users and People). So if you need to look users up in both OUs you have to modify the LdapLoginModule.java.
8. Re: problem connecting to active directory
gmeroz Feb 2, 2005 4:41 AM (in response to gmeroz)
If I have users only defined in the People OU (I'm ignoring the Users OU for now) and roles are defined in the Roles OU:
I'll define the "rolesCtxDN" as the OU for users ('People'). But how do I define that the OU for the roles is 'Roles'?
9. Re: problem connecting to active directory
tom-the-bomb Feb 2, 2005 9:02 AM (in response to gmeroz)
You don't.
The login module tries to find the user object within the OU specified by rolesCtxDN. If it finds one it will enumerate all user properties with the name of "memberOf". So there is no need to specify the roles OU.
10. Re: problem connecting to active directory
gmeroz Feb 2, 2005 9:09 AM (in response to gmeroz)
Great! It worked.
Thanks for the help.
11. Re: problem connecting to active directory
gmeroz Feb 2, 2005 9:11 AM (in response to gmeroz)
Great! It worked.
Thanks a lot.