1. Re: LDAP LoginModule & eDirectory
scottdawson Jan 30, 2006 9:28 AM (in response to eron123)
You may have a problem with roles rather than authentication. We are doing something similar against OpenLDAP. In jboss-portal.sar/conf/login-config.xml, we have this:
<application-policy name="portal">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">
      <module-option name="password-stacking">useFirstPass</module-option>
      <module-option name="java.naming.provider.url">ldap://yourhost:389/</module-option>
      <module-option name="java.naming.security.authentication">simple</module-option>
      <module-option name="principalDNPrefix">uid=</module-option>
      <module-option name="principalDNSuffix">,ou=people,dc=company</module-option>
    </login-module>
    <login-module code="org.jboss.portal.core.security.jaas.ModelLoginModule" flag="required">
      <module-option name="unauthenticatedIdentity">guest</module-option>
      <module-option name="hashAlgorithm">MD5</module-option>
      <module-option name="hashEncoding">HEX</module-option>
      <module-option name="userModuleJNDIName">java:/portal/UserModule</module-option>
      <module-option name="additionalRole">Authenticated</module-option>
      <module-option name="password-stacking">useFirstPass</module-option>
    </login-module>
  </authentication>
</application-policy>
So, the authentication is via LDAP and the roles come from the Portal database, meaning that you have to define your users in both places. This may not be exactly what you want, but it may be worth trying just so you can verify that the LDAP authentication is working.
Regards,
Scott Dawson
Unisys
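Added example, not part of the original post and not JBoss code: a Python check that reads the policy quoted above, shows the DN the LDAP module will bind as, and flags the transport and hash settings worth reviewing. The user name `jdoe` and the function names are this example's own assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the policy from the post, trimmed to the options read below.
POLICY = """\
<application-policy name="portal"><authentication>
 <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">
  <module-option name="password-stacking">useFirstPass</module-option>
  <module-option name="java.naming.provider.url">ldap://yourhost:389/</module-option>
  <module-option name="java.naming.security.authentication">simple</module-option>
  <module-option name="principalDNPrefix">uid=</module-option>
  <module-option name="principalDNSuffix">,ou=people,dc=company</module-option>
 </login-module>
 <login-module code="org.jboss.portal.core.security.jaas.ModelLoginModule" flag="required">
  <module-option name="hashAlgorithm">MD5</module-option>
  <module-option name="password-stacking">useFirstPass</module-option>
 </login-module>
</authentication></application-policy>"""

def load_modules(xml_text):
    """Return [(simple class name, flag, {option: value})] in stack order."""
    mods = []
    for m in ET.fromstring(xml_text).iter("login-module"):
        opts = {o.get("name"): (o.text or "").strip() for o in m.findall("module-option")}
        mods.append((m.get("code").rsplit(".", 1)[-1], m.get("flag"), opts))
    return mods

def bind_dn(opts, username):
    """DN the LDAP module binds as: principalDNPrefix + username + principalDNSuffix."""
    return opts.get("principalDNPrefix", "") + username + opts.get("principalDNSuffix", "")

def review(xml_text):
    """Flag settings a defender would want changed before relying on this policy."""
    findings = []
    for name, _flag, opts in load_modules(xml_text):
        url = opts.get("java.naming.provider.url", "")
        auth = opts.get("java.naming.security.authentication", "")
        if url.lower().startswith("ldap://") and auth == "simple":
            findings.append((name, "simple bind over ldap:// exposes the password on the wire"))
        if opts.get("hashAlgorithm", "").upper() == "MD5":
            findings.append((name, "MD5 is a weak choice for hashing passwords"))
    return findings

if __name__ == "__main__":
    ldap_opts = load_modules(POLICY)[0][2]
    print("bind DN for constructed user 'jdoe':", bind_dn(ldap_opts, "jdoe"))
    for name, msg in review(POLICY):
        print(f"[{name}] {msg}")
```

Pointing the provider URL at an `ldaps://` listener clears the first finding; the second concerns how the portal database stores passwords, not the LDAP bind.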
2. Re: LDAP LoginModule & eDirectory
rincewind23 Jan 31, 2006 5:22 PM (in response to eron123)
Is it possible to get the roles from an external source (in these cases, an LDAP directory) too, using jaas? Or are the roles intrinsic to the portal engine? I don't mind looking through the code / jaas docs to find out how to do it, but if someone can say flat-out "no" it would save me a lot of fruitless investigation. I'd like to have both the authentication and the authorisation coming from LDAP.
Cheers,
KEv.
3. Re: LDAP LoginModule & eDirectory
knovoselov Jan 31, 2006 7:06 PM (in response to eron123)
It is possible. I wrote custom implementations for org.jboss.portal.core.modules.UserModule and org.jboss.portal.core.modules.RoleModule to make it get the info from LDAP.
-- kn
4. Re: LDAP LoginModule & eDirectory
rincewind23 Feb 1, 2006 7:04 PM (in response to eron123)
Cool. Any chance of sharing?
Cheers,
KEv.
5. Re: LDAP LoginModule & eDirectory
knovoselov Feb 1, 2006 7:41 PM (in response to eron123)
Don't think it would help anybody. Implementation is highly specific to our environment. But you may check http://jira.jboss.com/jira/browse/JBPORTAL-464, which has something similar.
--kn
6. Re: LDAP LoginModule & eDirectory
eron123 Feb 2, 2006 12:19 AM (in response to eron123)
It seems that the JBoss Portal LDAP authentication and authorization is not quite dialed in yet. Is better out-of-the-box LDAP support on the road map? Any idea how long from now?
Thanks.