8 Replies Latest reply on Sep 11, 2012 10:25 AM by robbatt

    Mapping ldap groups to jboss roles? where?

    cwad0000

      Hi, I am trying to use Active Directory together with JBoss.

      I am getting authenticated via LDAP fine, but it gives me a 403 since it says I do not have the correct role.

      I cannot figure out where the mapping from the LDAP groups to the JBoss roles should take place.

      In my web.xml I have got:

      <security-constraint>
        <web-resource-collection>
          <web-resource-name>Protected Area</web-resource-name>
          <!-- Define the context-relative URL(s) to be protected -->
          <url-pattern>/myprotectedarea/*</url-pattern>
          <!-- If you list http methods, only those methods are protected -->
        </web-resource-collection>
        <auth-constraint>
          <!-- Anyone with one of the listed roles may access this area -->
          <role-name>MyRole</role-name>
        </auth-constraint>
      </security-constraint>

      <security-role>
        <description>The Only Secure Role</description>
        <role-name>MyRole</role-name>
      </security-role>


      How do I map that role-name to the group in LDAP?
      I have the same name for the role as the group, but I assume I need to do a mapping somewhere for it. Where and how should I do that?

        • 1. Re: Mapping ldap groups to jboss roles? where?
          schuller007

          How did you define your Active Directory connection?

          • 3. Re: Mapping ldap groups to jboss roles? where?
            cwad0000

            Thanks for the replies.

            I have read those pages (and all other information I could find)...
            Am I wrong in assuming that I need to do a mapping of my group names in Active Directory to the role names defined in web.xml?

            This is my login-config.xml:

            <application-policy name="ldap">

              <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
                <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
                <module-option name="java.naming.provider.url">ldap://somedomain.com:389/</module-option>
                <!-- the JNDI property for the bind mechanism is java.naming.security.authentication -->
                <module-option name="java.naming.security.authentication">simple</module-option>
                <module-option name="bindDN">username@domain.com</module-option>
                <module-option name="bindCredential">PASSWORD</module-option>
                <module-option name="baseCtxDN">OU=All Users,DC=DOMAIN,DC=COM</module-option>
                <module-option name="baseFilter">(sAMAccountName={0})</module-option>
                <module-option name="rolesCtxDN">OU=AllCorporateGroups,DC=DOMAIN,DC=COM</module-option>
                <module-option name="roleFilter">(member={0})</module-option>
                <module-option name="roleAttributeIsDN">cn</module-option>
                <module-option name="roleAttributeID">memberOf</module-option>
                <module-option name="roleNameAttributeID">cn</module-option>
                <module-option name="roleRecursion">-1</module-option>
              </login-module>

            </application-policy>

            • 4. Re: Mapping ldap groups to jboss roles? where?
              cwad0000

              Hm, had some errors in the above config, please ignore it. As far as I can see the code below should be correct.
              It still does not work though, same problem: I get authenticated but it says that I do not have the specified role.

              <application-policy name="ldap">
                <authentication>
                  <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
                    <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
                    <module-option name="java.naming.provider.url">ldap://somedomain.com:389/</module-option>
                    <!-- the JNDI property for the bind mechanism is java.naming.security.authentication -->
                    <module-option name="java.naming.security.authentication">simple</module-option>
                    <module-option name="bindDN">username@domain.com</module-option>
                    <module-option name="bindCredential">password</module-option>
                    <module-option name="baseCtxDN">OU=All Users,DC=DOMAIN,DC=COM</module-option>
                    <module-option name="baseFilter">(sAMAccountName={0})</module-option>
                    <module-option name="rolesCtxDN">OU=AllCorporateGroups,DC=DOMAIN,DC=COM</module-option>
                    <module-option name="roleFilter">(member={1})</module-option>
                    <module-option name="roleAttributeIsDN">true</module-option>
                    <module-option name="roleAttributeID">memberOf</module-option>
                    <module-option name="roleNameAttributeID">cn</module-option>
                    <module-option name="roleRecursion">-1</module-option>
                  </login-module>
                </authentication>
              </application-policy>
              


              • 5. Re: Mapping ldap groups to jboss roles? where?
                cwad0000

                Works now, had to change the above config to:

                ...
                <module-option name="rolesCtxDN">OU=All Users,DC=DOMAIN,DC=COM</module-option>
                <module-option name="roleFilter">(sAMAccountName={0})</module-option>
                ...
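As an added illustration (not code from the thread or from JBoss), the following Python model replays the role-search options from replies 4 and 5 against a constructed three-entry directory, following the documented meaning of roleFilter ({0} = username, {1} = the DN being expanded), roleAttributeID, roleAttributeIsDN, roleNameAttributeID and roleRecursion, and deliberately leaving out the module's other behaviours. The user, group and attribute values are assumptions made up for the example.

```python
import re

# Constructed sample directory (DN -> attributes); not a real AD export.
USER_DN = "CN=cwad,OU=All Users,DC=DOMAIN,DC=COM"
MYROLE_DN = "CN=MyRole,OU=AllCorporateGroups,DC=DOMAIN,DC=COM"
PARENT_DN = "CN=Staff,OU=AllCorporateGroups,DC=DOMAIN,DC=COM"
DIRECTORY = {
    USER_DN: {"sAMAccountName": ["cwad"], "cn": ["cwad"], "memberOf": [MYROLE_DN]},
    MYROLE_DN: {"cn": ["MyRole"], "member": [USER_DN], "memberOf": [PARENT_DN]},
    PARENT_DN: {"cn": ["Staff"], "member": [MYROLE_DN]},
}

def search(base_dn, ldap_filter):
    """Subtree search supporting only the simple (attr=value) filters used in the thread."""
    attr, value = re.fullmatch(r"\((\w+)=(.+)\)", ldap_filter).groups()
    return [dn for dn, attrs in DIRECTORY.items()
            if dn.lower().endswith(base_dn.lower()) and value in attrs.get(attr, [])]

def role_search(opts, username, subject_dn, depth, roles):
    """One level of the role search: {0} is the username, {1} the DN being expanded."""
    flt = opts["roleFilter"].replace("{0}", username).replace("{1}", subject_dn)
    for matched_dn in search(opts["rolesCtxDN"], flt):
        for value in DIRECTORY[matched_dn].get(opts["roleAttributeID"], []):
            if opts["roleAttributeIsDN"] != "true":
                roles.add(value)          # the attribute already holds the role name
                continue
            # value is a group DN: the role name is that entry's roleNameAttributeID
            roles.update(DIRECTORY.get(value, {}).get(opts["roleNameAttributeID"], []))
            if depth < int(opts["roleRecursion"]):   # -1 or 0 means no nesting
                role_search(opts, username, value, depth + 1, roles)

def ldap_ext_roles(opts, username):
    """Resolve the user's DN with baseCtxDN/baseFilter, then run the role search."""
    user_dn = search(opts["baseCtxDN"], opts["baseFilter"].replace("{0}", username))[0]
    roles = set()
    role_search(opts, username, user_dn, 0, roles)
    return roles

COMMON = {"baseCtxDN": "OU=All Users,DC=DOMAIN,DC=COM", "baseFilter": "(sAMAccountName={0})",
          "roleAttributeID": "memberOf", "roleAttributeIsDN": "true",
          "roleNameAttributeID": "cn", "roleRecursion": "-1"}
# Reply 4: the filter matches the *group* object, then memberOf is read from the group.
BROKEN = dict(COMMON, rolesCtxDN="OU=AllCorporateGroups,DC=DOMAIN,DC=COM", roleFilter="(member={1})")
# Reply 5: the filter matches the *user* object, whose memberOf lists the groups.
FIXED = dict(COMMON, rolesCtxDN="OU=All Users,DC=DOMAIN,DC=COM", roleFilter="(sAMAccountName={0})")

if __name__ == "__main__":
    print("broken:", ldap_ext_roles(BROKEN, "cwad"))  # {'Staff'}: MyRole never appears -> 403
    print("fixed: ", ldap_ext_roles(FIXED, "cwad"))   # {'MyRole'}
```

With reply 4's settings the memberOf read lands on the group entry, so the group's own cn never becomes a role; with reply 5's settings the read lands on the user entry, whose memberOf is exactly the group list.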
                


                • 6. Re: Mapping ldap groups to jboss roles? where?
                  jaco.joubert

                  I'm glad you solved the roles problem in your configuration.

                  With this configuration, you are mapping your groups in LDAP directly to the security roles configured in your JBoss deployments. This means that you are effectively using the same group / role names.

                  Does anyone know if it's possible to map your LDAP (or whichever auth store you use) groups to different role names in JBoss?

                  Let's say I have a group called "Administrators" in my LDAP store, but I want to use a role named "app-admin" in my deployed applications. All users in the "Administrators" group should be mapped to "app-admin" for J2EE security purposes.

                  Is there a standard way of doing this mapping, or should I do it in a custom way with my own LoginModule?

                  • 7. Re: Mapping ldap groups to jboss roles? where?
                    jaco.joubert

                    I think my role mapping question is basically answered by this thread: http://www.jboss.com/index.html?module=bb&op=viewtopic&t=77709

                    Seems like I'll have to do this mapping myself, as the spec is not clear on this.

                    • 8. Re: Mapping ldap groups to jboss roles? where?
                      robbatt

                      d b's config works for me, thank you!