-
1. Re: ldap for authentication database for roles
Yes the two login modules can be chained together so that the LDAP login module is used to authenticate the user then the database login module is used to identify the roles.
http://www.jboss.com/index.html?module=bb&op=viewtopic&t=62597 -
2. Re: ldap for authentication database for roles
Thanks for the tip, I got it to work!
For the benefit of others this is what my login-config.xml looks like:<application-policy name="ldap_security"> <authentication> <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required"> <module-option name="password-stacking">useFirstPass</module-option> <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option> <module-option name="java.naming.provider.url">ldap://yourdomain.com:389/</module-option> <module-option name="java.naming.security.authentication">simple</module-option> <module-option name="allowEmptyPasswords">false</module-option> <module-option name="principalDNPrefix">cn=</module-option> <module-option name="principalDNSuffix">,ou=it,ou=administration,o=suu</module-option> <module-option name="matchOnUserDN">true</module-option> </login-module> <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required"> <module-option name="dsJndiName">java:/DefaultDS</module-option> <module-option name="password-stacking">useFirstPass</module-option> <module-option name="rolesQuery"> select r.role,'Roles' from login_role r join person p on p.fk_login_role=r.id where p.username=? </module-option> </login-module> </authentication> </application-policy>