4 Replies Latest reply on Dec 11, 2006 5:17 AM by zwitsch

    HowTo Link LDAP-Group with Roles?

    zwitsch

      Hi,

      I spent nearly the whole day reading tutorials, forums and books... I finally got my authentication working but am stuck with the authorization.

      I can log in, but am getting - reasonably - a 403 error.

      I'm originally coming from WebSphere, where the EAR links the LDAP groups with the JAAS roles via an ibm-application-bnd.xmi.
      But how can I do it on JBoss???

      I set up login-config.xml, application.xml (EAR), jboss-web.xml and web.xml to make the authentication happen. Any other file to edit/add?

      Thanks in advance for your help!
      Zwitsch

      application.xml

       <application>
        <display-name>KaskoEAR</display-name>
        <module>
         <web>
          <web-uri>Kasko.war</web-uri>
          <context-root>kasko</context-root>
         </web>
        </module>
        <security-role id="user">
         <description>User</description>
         <role-name>user</role-name>
        </security-role>
        <security-role id="poweruser">
         <description>Poweruser</description>
         <role-name>poweruser</role-name>
        </security-role>
        <security-role id="admin">
         <description>Admin User</description>
         <role-name>admin</role-name>
        </security-role>
       </application>


      web.xml (extract)

       <!-- Security Config -->

       <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>Kasko Login</realm-name>
       </login-config>

       <!-- Security Constraints -->

       <security-constraint>
        <web-resource-collection>
         <web-resource-name>Admin</web-resource-name>
         <url-pattern>/Start</url-pattern>
         <http-method>GET</http-method>
         <http-method>POST</http-method>
        </web-resource-collection>
        <auth-constraint>
         <role-name>admin</role-name>
        </auth-constraint>
       </security-constraint>

       <!-- Security Roles -->

       <security-role>
        <description>Administrator</description>
        <role-name>admin</role-name>
       </security-role>


      jboss-web.xml

       <jboss-web>
        <context-root>/kasko</context-root>
        <security-domain>java:/jaas/testdomain</security-domain>
       </jboss-web>


        • 1. Re: HowTo Link LDAP-Group with Roles?
          jaikiran

           

          <security-domain>java:/jaas/testdomain</security-domain>


          Did you make entries in the login-config.xml for configuring your 'testdomain'? Also see if this wiki page helps:

          http://wiki.jboss.org/wiki/Wiki.jsp?page=LdapLoginModule

          • 2. Re: HowTo Link LDAP-Group with Roles?
            zwitsch

            Thanks for your reply! Now I got the authorization working by modifying the login-config.xml domain params.

            But I am only getting the role names and not the DNs. That's essential, because the LDAP directory is quite huge and most of the groups contain user, poweruser and admin by default.
            But if it only resolves the role names, it means that a user just has to be in any group called user - no matter whether it is cn=user,ou=app1 or cn=user,ou=app2.

            Any chance to make this work?

            Thanks
            Zwitsch

            • 3. Re: HowTo Link LDAP-Group with Roles?
              jaikiran

              I am not good at this, but the link that I mentioned in my earlier post says that you can specify additional module properties, which include rolesCtxDN (I guess that's what you are looking for). Here's an extract from the same:


              rolesCtxDN : The fixed distinguished name to the context to search for user roles. Consider that this is not the Distinguished Name of where the actual roles are; rather, this is the DN of where the objects containing the user roles are (e.g. for active directory, this is the DN where the user account is)


              • 4. Re: HowTo Link LDAP-Group with Roles?
                zwitsch

                Hi,
                Thanks for your help. I wrote my own LoginModule, which extends the LdapExtLoginModule of JBoss, to correctly get the full DN of the group.

                Thanks
                Zwitsch