5 Replies Latest reply: Nov 9, 2012 10:04 AM by Farid Adhami RSS

    Can LdapExtLoginModule be used just for authentication and not authorization?

    Farid Adhami Newbie

      Hi,

       

      I am not sure this forum is the best place to ask JAAS related questions. I am trying to use LdapExtLoginModule for authentication and another login module for authorization. I was able to configure LdapExtLoginModule in JBoss, but it tries to use LDAP LM for authorization, too and it fails because I don't have the requested roles in my ldap account.

       

      The following is my login module configuration

       

                      <security-domain name="domain-name">

                          <authentication>

                              <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="requisite">

                                  <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>

                                  <module-option name="java.naming.provider.url" value="ldap://LDAP Server URL"/>

                                  <module-option name="bindDN" value="admin user dn"/>

                                  <module-option name="bindCredential" value="admin user password"/>

                                  <module-option name="baseCtxDN" value="..."/>

                                  <module-option name="baseFilter" value="(sAMAccountName={0})"/>

                                  <module-option name="rolesCtxDN" value="..."/>

                                  <module-option name="roleFilter" value="(sAMAccountName={0})"/>

                                  <module-option name="roleAttributeID" value="memberOf"/>

                                  <module-option name="roleAttributeIsDN" value="true"/>

                                  <module-option name="roleNameAttributeID" value="CN"/>

                                  <module-option name="searchScope" value="ONELEVEL_SCOPE"/>

                                  <module-option name="allowEmptyPasswords" value="false"/>

                              </login-module>

                              <login-module code="the authorization login module" flag="required" >

                                              ...

                              </login-module>

                          </authentication>

                      </security-domain>

       

       

       

      So, is there a way to configure or customize LdapExtLoginModule to just do the authentication?

       

      Thanks

       

      Farid

        • 1. Re: Can LdapExtLoginModule be used just for authentication and not authorization?
          Travis De Silva Newbie

          Hi Farid,

           

          Were you able to solve this issue? I have the exact same requirement.

           

          I tried adding two login moduules. the LdapLoginModule and the DatabaseServerLoginModule which has a query on the rolesQuery module-option to get the roles assigned to the user.

           

          The LdapLoginModule works fine but the DatabaseServerLoginModule does not seem to be getting the roles. In fact when I do the trace and look at the logs, I notice it is by default activating the principalsQuery as well which I did not set. So maybe it is failing at this point.

           

          Any ideas how we can do this? Will I need to write my own custom login module?

           

          Cheers

          Travis

          • 2. Re: Can LdapExtLoginModule be used just for authentication and not authorization?
            Farid Adhami Newbie

            I had to add the password stacking option like below to make it working.

             

                                    <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="requisite">

                                       <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>

                                        <module-option name="java.naming.provider.url" value="ldap://LDAP Server URL"/>

                                        <module-option name="bindDN" value="admin user dn"/>

                                        <module-option name="bindCredential" value="admin user password"/>

                                        <module-option name="baseCtxDN" value="..."/>

                                        <module-option name="baseFilter" value="(sAMAccountName={0})"/>

                                        <module-option name="rolesCtxDN" value="..."/>

                                        <module-option name="roleFilter" value="(sAMAccountName={0})"/>

                                        <module-option name="roleAttributeID" value="memberOf"/>

                                        <module-option name="roleAttributeIsDN" value="true"/>

                                        <module-option name="roleNameAttributeID" value="CN"/>

                                        <module-option name="searchScope" value="ONELEVEL_SCOPE"/>

                                        <module-option name="allowEmptyPasswords" value="false"/>

                                        <module-option name="roleRecursion" value="0"/>

                                        <module-option name="password-stacking" value="useFirstPass"/>

                                    </login-module>

                                    <login-module code="the authorization login module" flag="required" >

                                                    ...

                                        <module-option name="password-stacking" value="useFirstPass"/>

                                    </login-module>

             

            With that LdapExtLoginModule will add the username and password to the shared state that will be used by the other login module to extract the related roles.

            • 5. Re: Can LdapExtLoginModule be used just for authentication and not authorization?
              Farid Adhami Newbie

              You should be able to do the authentication using LdapExtLoginModule. the issue I faced was I could not use the other login module to extract the roles provided by LDapExtLoginModule. Could you provide more detail on the issue you are facing?