6 Replies Latest reply on Apr 12, 2005 6:46 PM by saifi27

    Pairing ldaploginmodule and databaseserverloginmodule

    saifi27

      How can I pair the ldaploginmodule and databaseserverloginmodule so that authentication is provided through Active Directory and authorization through the roles stored in the database?

      Please help!

        • 1. Re: Pairing ldaploginmodule and databaseserverloginmodule
          tcherel


          I do not think you can really pair the two modules together although I am not certain (but possible only if they have been designed to do that).

          One option is to use the ldaploginmodule "as is" and write your own databaseserverloginmodule (you can restart from the JBoss one) to skip the authentication part and just populate the roles of the authenticated user.

          Then, by chaining these two modules in the auth.conf (ldap first to authenticate, then new database module second to populate the roles) you should get what you want.

          Check the sticky "README FIRST" of this forum to get a URL to the JBoss JAAS HowTo. It provides everything you need to write your custom database module.

          Thomas

          • 2. Re: Pairing ldaploginmodule and databaseserverloginmodule
            saifi27

            Can the password-stack option be used to achieve something similar to this?

            • 3. Re: Pairing ldaploginmodule and databaseserverloginmodule
              tcherel

              It might, but I am not familiar enough with the password-stack mechanism to be 100% sure.

              Thomas

              • 4. Re: Pairing ldaploginmodule and databaseserverloginmodule
                darranl

                Yes you can achieve this by using the 'password-stacking' option.

                This is the configuration I have used to use the LDAP security module for user authentication and the UserRolesLoginModule for role identification.

                The UserRolesLoginModule should be replaced with the database login module.

                Ignore the class name of the LDAP login module; I have been looking at an enhancement, so I have a clone of it in my own package for the moment.

                <application-policy name="DarranLSecurity">
                  <authentication>
                    <login-module code="com.darranl.security.spi.LdapLoginModule"
                                  flag="required">
                      <module-option name="password-stacking">useFirstPass</module-option>
                      <module-option name="java.naming.provider.url">ldap://localhost:58488</module-option>
                      <module-option name="principalDNPrefix">uid=</module-option>
                      <module-option name="principalDNSuffix">,ou=People</module-option>
                    </login-module>

                    <login-module code="com.darranl.security.spi.UsersRolesLoginModule"
                                  flag="required">
                      <module-option name="password-stacking">useFirstPass</module-option>
                    </login-module>
                  </authentication>
                </application-policy>


                • 5. Re: Pairing ldaploginmodule and databaseserverloginmodule
                  saifi27

                  Thanks for that.

                  So we can use databaseserverloginmodule in place of UsersRolesLoginModule ... how would we define the principal query and roles query in that scenario?
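Reply 5 asks how principalsQuery and rolesQuery fit once DatabaseServerLoginModule is only there to supply roles. The login-config.xml policy below is an added example, not the configuration darranl posted above and not taken from the JBoss documentation; it uses the stock org.jboss.security.auth.spi module classes, and the LDAP URL, the UPN suffix "@example.local", the datasource "java:/RolesDS" and the user_roles table and its columns are all assumed values.

```xml
<!-- Added example: LDAP (Active Directory) for authentication, database for
     roles, chained with password-stacking=useFirstPass. Host names, the
     UPN suffix, the datasource JNDI name and the table/column names are
     assumptions for illustration. -->
<application-policy name="LdapAuthDbRoles">
  <authentication>

    <!-- Step 1: authenticate. LdapLoginModule binds to the directory as
         principalDNPrefix + username + principalDNSuffix. principalDNPrefix
         is omitted, so it defaults to "", and the bind name becomes the
         Active Directory userPrincipalName "jdoe@example.local" (assumed
         domain), which AD accepts for a simple bind. A failed bind fails
         the login. No rolesCtxDN is set, so no roles are read from LDAP.
         On success, useFirstPass makes the module store the username and
         password in the shared state for the next module. -->
    <login-module code="org.jboss.security.auth.spi.LdapLoginModule"
                  flag="required">
      <module-option name="password-stacking">useFirstPass</module-option>
      <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
      <module-option name="java.naming.provider.url">ldap://ad.example.local:389</module-option>
      <module-option name="java.naming.security.authentication">simple</module-option>
      <module-option name="principalDNSuffix">@example.local</module-option>
    </login-module>

    <!-- Step 2: authorize. With password-stacking=useFirstPass and the
         credentials already in the shared state, this module skips its own
         password check, so principalsQuery is never executed and can be
         left out. Only rolesQuery runs, during commit(). It must return
         (role name, role group) rows; rows whose group is "Roles" become
         the user's authorization roles. The single bind parameter is the
         username exactly as typed at login (not the DN or UPN), so the
         username column must hold the bare logon name. -->
    <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule"
                  flag="required">
      <module-option name="password-stacking">useFirstPass</module-option>
      <module-option name="dsJndiName">java:/RolesDS</module-option>
      <module-option name="rolesQuery">SELECT role_name, 'Roles' FROM user_roles WHERE username = ?</module-option>
    </login-module>

  </authentication>
</application-policy>
```

Two things worth checking when deploying a policy like this. First, because the directory module stores the raw login name in the shared state, the table keyed by that name must use the same form (sAMAccountName without the domain suffix) or rolesQuery returns nothing. Second, in the JBoss 3.2/4.0 DatabaseServerLoginModule, a rolesQuery that returns no rows makes the module throw FailedLoginException ("No matching username found in Roles") unless an unauthenticatedIdentity is configured, so an account that exists in Active Directory but has no role rows is rejected rather than let in with no roles; that fail-closed default is usually what you want, and it shows up in the server log when a new user is missing from the roles table.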


                  • 6. Re: Pairing ldaploginmodule and databaseserverloginmodule
                    saifi27

                    Thanks guys ... it worked for me !