Problem combining two loginmodules for SSO with Active Direc
johan2001 Dec 1, 2009 6:49 AM

For SSO in Windows Server 2008 we would like to use Kerberos so the user does not have to type in his/her username/password again for our application. Further, we need the users' roles/groups from Active Directory to restrict access to our application.
The solution I tried was to combine Krb5LoginModule with LdapExtLoginModule, but they do not work together in my case. If I use the Krb5LoginModule I can use SSO, if I use the LdapExtLoginModule I can retrieve the roles after entering my username/password again. But combining them for SSO and roles does not work.
If my research is correct, then the problem is that the Krb5LoginModule returns a user of the form "username@domain" while the LdapExtLoginModule expects just "username". But I could not find a solution for that. Is there a solution for this problem, or is there perhaps another LoginModule that could be used?
The code we are using is the following:
<application-policy name="kerberos">
  <authentication>
    <login-module code="com.sun.security.auth.module.Krb5LoginModule" flag="required">
      <module-option name="debug">true</module-option>
      <module-option name="storeKey">true</module-option>
      <module-option name="storePass">true</module-option>
    </login-module>
    <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
      <module-option name="debug">true</module-option>
      <module-option name="java.naming.provider.url">ldap://$ip$:389</module-option>
      <module-option name="bindDN">cn=$Username$, cn=Users, dc=$domain$, dc=$domainextension$</module-option>
      <module-option name="bindCredential">$password$</module-option>
      <module-option name="baseCtxDN">cn=Users,dc=$domain$,dc=$domainextension$</module-option>
      <module-option name="baseFilter">(sAMAccountName={0})</module-option>
      <module-option name="rolesCtxDN">cn=Users,dc=$domain$,dc=$domainextension$</module-option>
      <module-option name="roleFilter">(sAMAccountName={0})</module-option>
      <module-option name="roleAttributeID">memberOf</module-option>
      <module-option name="roleAttributeIsDN">true</module-option>
      <module-option name="roleNameAttributeID">cn</module-option>
      <module-option name="searchScope">ONELEVEL_SCOPE</module-option>
      <module-option name="allowEmptyPasswords">false</module-option>
    </login-module>
  </authentication>
</application-policy>
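The following is an added, self-contained Java example and is not code from the poster or from JBoss. It illustrates the name mismatch the post describes: the Kerberos principal the Krb5LoginModule produces ("username@REALM") is reduced to the bare account name that the `(sAMAccountName={0})` filter above expects, and the value is escaped per RFC 4515 before it is substituted into the filter, so that a name containing filter metacharacters cannot change the meaning of the search. Class and method names, and the realm and account values, are constructed for the illustration.

```java
/**
 * Added example (not from the original post or from JBoss). Reduces a Kerberos
 * principal to the bare account name an sAMAccountName lookup expects and builds
 * the LDAP filter with the value escaped (RFC 4515, section 3).
 */
public final class KerberosPrincipalToLdapFilter {

    /** Strip the Kerberos realm ("@REALM"); reject service principals ("svc/host@REALM"). */
    public static String toAccountName(String kerberosPrincipal) {
        if (kerberosPrincipal == null || kerberosPrincipal.isEmpty()) {
            throw new IllegalArgumentException("empty principal");
        }
        String name = kerberosPrincipal;
        int at = name.lastIndexOf('@');
        if (at >= 0) {
            name = name.substring(0, at);
        }
        // Service principals carry a "service/host" form; AD user accounts do not contain '/'.
        if (name.isEmpty() || name.indexOf('/') >= 0) {
            throw new IllegalArgumentException("not a user principal: " + kerberosPrincipal);
        }
        return name;
    }

    /** Escape a value for use inside an LDAP search filter (RFC 4515, section 3). */
    public static String escapeFilterValue(String value) {
        StringBuilder sb = new StringBuilder(value.length());
        for (char c : value.toCharArray()) {
            switch (c) {
                case '\\': sb.append("\\5c"); break;
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Produce the filter the post's baseFilter yields once {0} is replaced safely. */
    public static String buildFilter(String kerberosPrincipal) {
        String account = toAccountName(kerberosPrincipal);
        return "(sAMAccountName=" + escapeFilterValue(account) + ")";
    }

    public static void main(String[] args) {
        // Constructed sample values; EXAMPLE.COM is a placeholder realm.
        System.out.println(buildFilter("jdoe@EXAMPLE.COM"));
        System.out.println(buildFilter("jdoe"));
        // A name containing filter metacharacters is escaped rather than altering the search.
        System.out.println(buildFilter("j*oe(x)@EXAMPLE.COM"));
    }
}
```

The point of the example is the two separate steps: strip the realm so the account name matches the directory attribute, and escape the result so the name is always treated as a literal value inside the filter. In a stacked JAAS configuration the first step is what the LdapExtLoginModule would need to receive instead of the raw Kerberos principal.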