Authentication against Active Directory using LdapExtLoginMo
paoloyx Oct 20, 2008 6:02 AM
Hello to everybody,
it's my first post in this forum, I hope you can help me... By the way, guys, you are doing great work, thank you. :)
Here's my problem: I'm trying to authenticate against an Active Directory using the LdapExtLoginModule.
For example, suppose I have the following situation:
cn=MyUser,cn=Users,dc=MyDomain,dc=it
    memberOf: CN=FirstGroup,CN=Users,dc=MyDomain,dc=it
    ...

CN=FirstGroup,CN=Users,dc=MyDomain,dc=it
    member: cn=MyUser,cn=Users,dc=MyDomain,dc=it
    memberOf: CN=SecondGroup,CN=Users,dc=MyDomain,dc=it
    ...

CN=SecondGroup,CN=Users,dc=MyDomain,dc=it
    member: CN=FirstGroup,CN=Users,dc=MyDomain,dc=it
Here's my jboss login-xml configuration (pasted with the appropriate modifications directly from the web page http://www.jboss.org/community/docs/DOC-11251)...
<application-policy name="ActiveDirectory">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
      <module-option name="java.naming.provider.url">ldap://MyHost:389/</module-option>
      <module-option name="bindDN">cn=AnAuthUser,cn=Users,dc=MyDomain,dc=it</module-option>
      <module-option name="bindCredential">ThePassword</module-option>
      <module-option name="baseCtxDN">cn=MyDomain,dc=MyDomain,dc=it</module-option>
      <module-option name="baseFilter">(sAMAccountName={0})</module-option>
      <module-option name="rolesCtxDN">cn=MyDomain,dc=MyDomain,dc=it</module-option>
      <module-option name="roleFilter">(sAMAccountName={0})</module-option>
      <module-option name="roleAttributeID">memberOf</module-option>
      <module-option name="roleAttributeIsDN">true</module-option>
      <module-option name="roleNameAttributeID">cn</module-option>
      <module-option name="roleRecursion">1</module-option>
      <module-option name="searchScope">ONELEVEL_SCOPE</module-option>
    </login-module>
  </authentication>
</application-policy>
Here's the question... For example, I configured the jmx console to be accessed only by users belonging to the group "SecondGroup", as seen before.
The jboss-web.xml file in the jmx-console.war/WEB-INF directory is:
<jboss-web>
  <!-- Uncomment the security-domain to enable security. You will
       need to edit the htmladaptor login configuration to setup the
       login modules used to authentication users.
  <security-domain>java:/jaas/jmx-console</security-domain>
  -->
  <security-domain>java:/jaas/ActiveDirectory</security-domain>
</jboss-web>
and here is the web.xml file, in the same directory:
<?xml version="1.0"?>
<!DOCTYPE web-app PUBLIC
   "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
   "http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app>
  ...
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HtmlAdaptor</web-resource-name>
      <description>An example security config that only allows users with the
        role JBossAdmin to access the HTML JMX console web application
      </description>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>SecondGroup</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>JBoss JMX Console</realm-name>
  </login-config>
  <security-role>
    <role-name>SecondGroup</role-name>
  </security-role>
</web-app>
The user "MyUser" belongs to the group "FirstGroup", which in turn belongs to the group "SecondGroup"... so I expected it to be possible to authenticate with that user, following the "memberOf chain":
MyUser ---(memberOf)---> FirstGroup ---(memberOf)---> SecondGroup
I was not able, however, to write a configuration that could accomplish this task... my question is whether it is possible to do this; I'd be very glad if you could help me.
Best Regards,
Paolo
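Added illustration (not from the post, and not JBoss code): a small Python model of the "memberOf chain" described above, walking nested groups with a depth limit that stands in for a roleRecursion-style setting. The directory entries are constructed to mirror the listing in the post; the depth semantics (1 = direct groups only) are an assumption of this model, not a statement about LdapExtLoginModule.

```python
# Constructed sample directory mirroring the post: entry DN -> values of its memberOf attribute.
DIRECTORY = {
    "cn=MyUser,cn=Users,dc=MyDomain,dc=it": ["CN=FirstGroup,CN=Users,dc=MyDomain,dc=it"],
    "CN=FirstGroup,CN=Users,dc=MyDomain,dc=it": ["CN=SecondGroup,CN=Users,dc=MyDomain,dc=it"],
    "CN=SecondGroup,CN=Users,dc=MyDomain,dc=it": [],
}


def rdn_value(dn):
    """Value of the first RDN, i.e. what a roleNameAttributeID of 'cn' yields ('FirstGroup')."""
    return dn.split(",", 1)[0].split("=", 1)[1]


def lookup(directory, dn):
    """Return the memberOf values of an entry; DN matching is case-insensitive, as in AD."""
    for entry_dn, groups in directory.items():
        if entry_dn.lower() == dn.lower():
            return groups
    return []


def resolve_roles(directory, user_dn, max_depth):
    """Collect role names reachable from user_dn by following memberOf.

    max_depth=1 follows only the user's direct memberOf; each extra level
    follows the groups' own memberOf (FirstGroup -> SecondGroup needs 2).
    A visited set guards against circular nesting, which AD permits.
    """
    roles = []
    visited = set()

    def walk(dn, depth):
        if depth > max_depth:
            return
        for group_dn in lookup(directory, dn):
            key = group_dn.lower()
            if key in visited:
                continue
            visited.add(key)
            roles.append(rdn_value(group_dn))
            walk(group_dn, depth + 1)

    walk(user_dn, 1)
    return roles


def is_authorized(directory, user_dn, required_role, max_depth):
    """Mimic the auth-constraint check: is the required role among the resolved roles?"""
    return required_role in resolve_roles(directory, user_dn, max_depth)


if __name__ == "__main__":
    user = "cn=MyUser,cn=Users,dc=MyDomain,dc=it"
    for depth in (1, 2):
        print(depth, resolve_roles(DIRECTORY, user, depth), is_authorized(DIRECTORY, user, "SecondGroup", depth))
```

With depth 1 only FirstGroup is resolved and the SecondGroup constraint fails; with depth 2 the chain reaches SecondGroup and the check passes.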