3 Replies Latest reply on Jun 13, 2005 11:32 PM by jed204

    LDapLoginModule and Active Directory

    dtauber

      I have an application that uses LdapLoginModule to authenticate against a LDAP server. I've successfully set it up to authenticate against openLDAP and Domino, but am having no luck configuring it to work with Active Directory.

      I can bind to the Active Directory using an ldapsearch command like:

      ldapsearch -H ldap://10.0.1.4:389 -W -x -D "dtauber@VASoftware.local" -b cn=Users,dc=VASoftware,dc=local


      My login-config.xml file includes the following:


      <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required" >
      <module-option name="java.naming.provider.url">ldap://10.0.1.4:389</module-option>
      <module-option name="rolesCtxDN">CN=Users,DC=VASoftware,DC=local</module-option>
      <module-option name="principalDNSuffix">@VASoftware.local</module-option>
      <module-option name="matchOnUserDN">false</module-option>
      <module-option name="uidAttributeID">sAMAccountName</module-option>
      <module-option name="roleAttributeID">memberOf</module-option>
      <module-option name="roleAttributeIsDN">false</module-option>
      <module-option name="roleNameAttributeID">name</module-option>
      <module-option name="java.naming.security.authentication">simple</module-option>
      <module-option name="allowEmptyPasswords">false</module-option>
      <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
      <module-option name="java.naming.security.authentication">simple</module-option>
      </login-module>


      I've also tried variations on the above, including with and without the @VASoftware.local suffix on the DN and both sAMAccountName and userPrincipalName for the uidAttributeID.

      The Active Directory in my test environment is pretty straightforward -- basically it is the way it was originally created, with a few users added.

      Thanks,

      Dan

        • 1. Re: LDapLoginModule and Active Directory
          sandipan_s

          Hi,

          I am facing a similar problem. Have you had any luck?

          Thanks

          • 2. Re: LDapLoginModule and Active Directory
            jed204

            I couldn't get this to work on JBoss 3.x.

            I recently upgraded to 4.0.2 and changed the line above from:

            <module-option name="roleAttributeIsDN">false</module-option>

            To 'true' instead of false. This is because the 'memberOf' is a DN under the user DN.

            Things are working for me. Hope this helps!

            -Jed

            • 3. Re: LDapLoginModule and Active Directory
              jed204

              I just tried this in JBoss 3.2.6; it works there as well as in 4.0.2:

              <application-policy name="ApplicationModuleName">

              <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required" >
              <module-option name="java.naming.provider.url">ldap://192.168.1.1:389</module-option>
              <module-option name="rolesCtxDN">CN=Users,DC=MyCompany,DC=com</module-option>
              <module-option name="principalDNSuffix">@MyCompany.com</module-option>
              <module-option name="matchOnUserDN">false</module-option>
              <module-option name="uidAttributeID">sAMAccountName</module-option>
              <module-option name="roleAttributeID">memberOf</module-option>
              <module-option name="roleAttributeIsDN">true</module-option>
              <module-option name="roleNameAttributeID">name</module-option>
              <module-option name="java.naming.security.authentication">simple</module-option>
              <module-option name="allowEmptyPasswords">false</module-option>
              <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
              <module-option name="java.naming.security.authentication">simple</module-option>
              </login-module>

              </application-policy>


              For this I just login with my username (no domain name).

              Good Luck!

              -Jed
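The difference between roleAttributeIsDN=false and roleAttributeIsDN=true that jed204 describes in replies 2 and 3 is easier to see with a small model of the role lookup. The script below is an added example written for this thread, not JBoss code: it builds a constructed in-memory directory (the example.local domain, the user and the group names are assumptions, not values from the posts), searches rolesCtxDN for the uidAttributeID just as the module does with matchOnUserDN=false, and then shows what roleAttributeID=memberOf yields with each setting. It also handles a memberOf value whose group entry no longer exists, which a real directory can contain.

```python
"""Added example (not JBoss code): a model of how LdapLoginModule turns the
memberOf attribute of an Active Directory user into role names.

The in-memory DIRECTORY below is constructed for this example; the DNs,
group names and the example.local domain are assumptions, not from the thread.
"""
from typing import Dict, List, Optional

Entry = Dict[str, List[str]]

# Constructed directory: DN -> attributes. Every value is a list, as in LDAP.
DIRECTORY: Dict[str, Entry] = {
    "CN=Dan Example,CN=Users,DC=example,DC=local": {
        "sAMAccountName": ["dexample"],
        "userPrincipalName": ["dexample@example.local"],
        "memberOf": [
            "CN=AppAdmins,CN=Users,DC=example,DC=local",
            "CN=Domain Users,CN=Users,DC=example,DC=local",
            "CN=Deleted Group,CN=Users,DC=example,DC=local",  # dangling reference
        ],
    },
    "CN=AppAdmins,CN=Users,DC=example,DC=local": {
        "objectClass": ["top", "group"],
        "name": ["AppAdmins"],
    },
    "CN=Domain Users,CN=Users,DC=example,DC=local": {
        "objectClass": ["top", "group"],
        "name": ["Domain Users"],
    },
}


def normalize_dn(dn: str) -> str:
    """DNs are case-insensitive and tolerate spaces after commas."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def lookup(dn: str) -> Optional[Entry]:
    """Base-object read of one entry, or None if it does not exist."""
    wanted = normalize_dn(dn)
    for entry_dn, attrs in DIRECTORY.items():
        if normalize_dn(entry_dn) == wanted:
            return attrs
    return None


def find_user_entry(roles_ctx_dn: str, uid_attribute_id: str, username: str) -> Optional[str]:
    """One-level search under rolesCtxDN for uidAttributeID=username,
    which is what the module does with matchOnUserDN=false."""
    base = normalize_dn(roles_ctx_dn)
    for entry_dn, attrs in DIRECTORY.items():
        parts = normalize_dn(entry_dn).split(",", 1)
        if len(parts) < 2 or parts[1] != base:
            continue
        if username.lower() in (v.lower() for v in attrs.get(uid_attribute_id, [])):
            return entry_dn
    return None


def resolve_roles(user_entry_dn: str, role_attribute_id: str,
                  role_attribute_is_dn: bool, role_name_attribute_id: str) -> List[str]:
    """Read roleAttributeID from the user entry. With roleAttributeIsDN=true each
    value is treated as a group DN and that group's roleNameAttributeID supplies
    the role name; with false the raw attribute value itself is the role name."""
    entry = lookup(user_entry_dn)
    if entry is None:
        return []
    roles: List[str] = []
    for value in entry.get(role_attribute_id, []):
        if not role_attribute_is_dn:
            roles.append(value)
            continue
        group = lookup(value)
        if group is None:
            # memberOf may still carry the DN of a group that was deleted;
            # never grant a role for a group entry that cannot be read.
            continue
        roles.extend(group.get(role_name_attribute_id, []))
    return roles


def roles_for(username: str, role_attribute_is_dn: bool) -> List[str]:
    """Role lookup with the module options used in the thread (sAMAccountName,
    memberOf, name) against the constructed directory."""
    user_dn = find_user_entry("CN=Users,DC=example,DC=local", "sAMAccountName", username)
    if user_dn is None:
        return []
    return resolve_roles(user_dn, "memberOf", role_attribute_is_dn, "name")


if __name__ == "__main__":
    print("roleAttributeIsDN=false:", roles_for("dexample", False))
    print("roleAttributeIsDN=true: ", roles_for("dexample", True))
```

With roleAttributeIsDN=false the roles handed to the application are the full group DNs, so a role check such as "AppAdmins" never matches; with true they are the groups' name values, which is why flipping that one option made the configuration work in the thread.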