0 Replies Latest reply on Oct 14, 2011 3:26 PM by jadedpuppy

    LdapExtLoginModule question

    jadedpuppy

      Hello. I am completely new to JBoss, so please forgive what is likely a very simple question.


      We have an application that is using the LdapExtLoginModule to access our Active Directory environment. The application uses an LDAP proxy account to log into the AD environment and then searches the AD for a certain user. The AD role membership of this user is stored in an array, and one of these roles must match a defined role within the application. If it matches one of the defined roles, the user is given access to that application.


      Our AD schema is not the standard AD schema. I will give a quick example of our situation here. User1 is a member of a group called App-Users, and this App-Users group is a member of another group called AppAdmins. The DN of User1 is CN=User1,OU=Consultants,OU=Externals,OU=People,DC=<our domain>,DC=com. The DN of the AppAdmins group is CN=AppAdmins,OU=Application Access Groups,OU=Appl Mgmt,OU=Administration,DC=<our domain>,DC=com.


      I have looked at the provided AD example code for LdapExtLoginModule and modified it to work in our environment. I was hoping somebody could let me know if it looks OK. Here is the code:


      <application-policy name="raider">
        <authentication>
          <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
            <!-- a simple bind over plain ldap:// sends the proxy account password in clear text;
                 use ldaps:// (or StartTLS) if the domain controllers offer it -->
            <module-option name="java.naming.provider.url">ldap://<our LDAP server>:389</module-option>
            <module-option name="java.naming.security.authentication">simple</module-option>
            <module-option name="bindDN">cn=<LDAP User>,ou=LDAP Proxy Accounts,ou=AD Mgmt,ou=Administration,dc=<our domain>,dc=com</module-option>
            <module-option name="bindCredential"><password></module-option>
            <!-- {0} in baseFilter is the login name typed by the user -->
            <module-option name="baseCtxDN">ou=People,DC=<our domain>,DC=com</module-option>
            <module-option name="baseFilter">(sAMAccountName={0})</module-option>

            <!-- the groups live under OU=Administration, not OU=People, so the role search
                 has to start from a context that contains them; same dc=com domain as above.
                 {1} in roleFilter is the DN found by the user search -->
            <module-option name="rolesCtxDN">DC=<our domain>,DC=com</module-option>
            <module-option name="roleFilter">(member={1})</module-option>
            <module-option name="roleAttributeID">cn</module-option>
            <module-option name="roleAttributeIsDN">false</module-option>

            <!-- roleRecursion=2 re-runs roleFilter with each matched group's DN, so
                 User1 -> App-Users -> AppAdmins yields both role names.
                 User1 sits several OUs below ou=People, so ONELEVEL_SCOPE would find
                 neither the user nor the groups; SUBTREE_SCOPE is needed -->
            <module-option name="roleRecursion">2</module-option>
            <module-option name="searchScope">SUBTREE_SCOPE</module-option>

            <module-option name="allowEmptyPasswords">false</module-option>
          </login-module>
        </authentication>
      </application-policy>


      Thank you very much for any help, it would be greatly appreciated.
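The two-phase lookup the post describes (bind as the proxy account, resolve the login name to a DN with baseFilter, then apply roleFilter with that DN and recurse through nested groups for roleRecursion levels), modelled as an added example over a constructed in-memory directory. This is not JBoss code; the entries, the stand-in domain DC=example,DC=com, and the placement of App-Users next to AppAdmins are assumptions made to mirror the DNs given in the post. It also shows why the search scope matters: a ONELEVEL search from ou=People cannot find a user two OUs further down, so authentication fails before roles are ever checked.

```python
"""In-memory model of LdapExtLoginModule's user search and recursive role
search.  Added example, not JBoss code.  DIRECTORY is constructed data; the
domain and the location of App-Users are assumptions (the post gives only
the DNs of User1 and AppAdmins)."""
import re

DOMAIN = "DC=example,DC=com"  # stand-in for DC=<our domain>,DC=com
USER1 = f"CN=User1,OU=Consultants,OU=Externals,OU=People,{DOMAIN}"
GROUPS_OU = f"OU=Application Access Groups,OU=Appl Mgmt,OU=Administration,{DOMAIN}"
APP_USERS = f"CN=App-Users,{GROUPS_OU}"   # location assumed, not stated in the post
APP_ADMINS = f"CN=AppAdmins,{GROUPS_OU}"

# Constructed directory: DN -> attributes (names lower-cased, values as lists).
DIRECTORY = {
    USER1: {"objectclass": ["user"], "samaccountname": ["User1"]},
    APP_USERS: {"objectclass": ["group"], "cn": ["App-Users"], "member": [USER1]},
    APP_ADMINS: {"objectclass": ["group"], "cn": ["AppAdmins"], "member": [APP_USERS]},
}

# Module options in the post's own names.  NARROW searches one level under
# ou=People; WIDE searches the subtree, with the role search rooted at the domain.
NARROW = {
    "baseCtxDN": f"OU=People,{DOMAIN}",
    "baseFilter": "(sAMAccountName={0})",
    "rolesCtxDN": f"OU=People,{DOMAIN}",
    "roleFilter": "(member={1})",
    "roleAttributeID": "cn",
    "roleRecursion": "2",
    "searchScope": "ONELEVEL_SCOPE",
}
WIDE = dict(NARROW, rolesCtxDN=DOMAIN, searchScope="SUBTREE_SCOPE")

_FILTER = re.compile(r"^\((\w+)=(.+)\)$")  # equality filters only, as in the post


def _in_scope(dn, base, scope):
    """ONELEVEL_SCOPE: direct children of base only.  SUBTREE_SCOPE: base and
    everything below it.  RDNs with escaped commas are not handled here."""
    dn, base = dn.lower(), base.lower()
    if scope == "SUBTREE_SCOPE":
        return dn == base or dn.endswith("," + base)
    if scope == "ONELEVEL_SCOPE":
        return dn.endswith("," + base) and "," not in dn[: -len(base) - 1]
    raise ValueError(f"unknown scope {scope}")


def search(base, scope, ldap_filter):
    """Return DNs under base (within scope) whose attribute equals the filter value."""
    m = _FILTER.match(ldap_filter)
    if not m:
        raise ValueError(f"unsupported filter {ldap_filter}")
    attr, value = m.group(1).lower(), m.group(2).lower()
    return [dn for dn, attrs in DIRECTORY.items()
            if _in_scope(dn, base, scope)
            and any(v.lower() == value for v in attrs.get(attr, []))]


def find_user_dn(username, cfg):
    """Phase 1: {0} in baseFilter is the login name; exactly one hit is required."""
    hits = search(cfg["baseCtxDN"], cfg["searchScope"],
                  cfg["baseFilter"].replace("{0}", username))
    return hits[0] if len(hits) == 1 else None


def collect_roles(user_dn, cfg):
    """Phase 2: apply roleFilter with {1} = user DN, then re-apply it with each
    matched group's DN for roleRecursion further levels.  The role name is the
    roleAttributeID value of the matched entry (roleAttributeIsDN=false)."""
    roles, seen, frontier = set(), set(), [user_dn]
    for _level in range(int(cfg["roleRecursion"]) + 1):
        nxt = []
        for dn in frontier:
            for grp in search(cfg["rolesCtxDN"], cfg["searchScope"],
                              cfg["roleFilter"].replace("{1}", dn)):
                if grp.lower() in seen:      # guard against group cycles
                    continue
                seen.add(grp.lower())
                roles.update(DIRECTORY[grp].get(cfg["roleAttributeID"].lower(), []))
                nxt.append(grp)
        frontier = nxt
    return roles


def login_roles(username, cfg):
    """None when the user search fails; otherwise the set of role names."""
    user_dn = find_user_dn(username, cfg)
    return None if user_dn is None else collect_roles(user_dn, cfg)


def has_app_access(username, cfg, app_roles):
    """The application's check: any collected role must match a defined app role."""
    roles = login_roles(username, cfg)
    return roles is not None and bool(roles & set(app_roles))
```

With NARROW, `login_roles("User1", NARROW)` is None because User1 is not a direct child of ou=People; with WIDE it yields both App-Users and AppAdmins, and setting roleRecursion to "0" drops the nested AppAdmins role, which is the behaviour to keep in mind when deciding how deep the recursion should go.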