1 Reply Latest reply on Dec 4, 2009 5:17 AM by johan2001

Problem combining two loginmodules for SSO with Active Direc

johan2001 Dec 1, 2009 6:49 AM

For SSO in Windows Server 2008 we would like to use Kerberos so the user does not have to type in his/her username/password again for our application. Further we need the users roles/groups from Active Directory to restrict access to our application.

The solution I tried was to combine Krb5LoginModule with LdapExtLoginModule, but they do not work together in my case. If I use the Krb5LoginModule I can use SSO, if I use the LdapExtLoginModule I can retrieve the roles after entering my username/password again. But combining them for SSO and roles does not work.

If my research is correct than the problem is that the Krb5LoginModule returns a user of the form "username@domain" while the LdapExtLoginModule expects just "username". But I could not find a solution for that. Is there a solution for this problem, or is there perhaps another LoginModule that could be used?

The code we are using is the following:

<application-policy name="kerberos">
 <authentication>

 <login-module code="com.sun.security.auth.module.Krb5LoginModule" flag="required" >
 <module-option name="debug">true</module-option>
 <module-option name="storeKey">true</module-option>
 <module-option name="storePass">true</module-option>
 </login-module>


 <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required" >
 <module-option name="debug">true</module-option>
 <module-option name="java.naming.provider.url">ldap://$ip$:389</module-option>
 <module-option name="bindDN">cn=$Username$, cn=Users, dc=$domain$, dc=$domainextension$</module-option>
 <module-option name="bindCredential">$password$</module-option>
 <module-option name="baseCtxDN">cn=Users,dc=$domain$,dc=$domainextension$</module-option>
 <module-option name="baseFilter">(sAMAccountName={0})</module-option>
 <module-option name="rolesCtxDN">cn=Users,dc=$domain$,dc=$domainextension$</module-option>
 <module-option name="roleFilter">(sAMAccountName={0})</module-option>
 <module-option name="roleAttributeID">memberOf</module-option>
 <module-option name="roleAttributeIsDN">true</module-option>
 <module-option name="roleNameAttributeID">cn</module-option>
 <module-option name="searchScope">ONELEVEL_SCOPE</module-option>
 <module-option name="allowEmptyPasswords">false</module-option>
 </login-module>

 </authentication>
 </application-policy>

1. Re: Problem combining two loginmodules for SSO with Active D

johan2001 Dec 4, 2009 5:17 AM (in response to johan2001)

Anyone who has an idea how I can login with Kerberos and retrieve the roles from Active Directory? I did some more research but could not find a solution for my problem.
Actions