-
1. Re: Can LdapExtLoginModule be used just for authentication and not authorization?
traviskds Sep 24, 2012 3:19 AM (in response to faridadhami)
Hi Farid,
Were you able to solve this issue? I have the exact same requirement.
I tried adding two login modules: the LdapLoginModule and the DatabaseServerLoginModule, which has a query in the rolesQuery module-option to get the roles assigned to the user.
The LdapLoginModule works fine, but the DatabaseServerLoginModule does not seem to be getting the roles. In fact, when I do the trace and look at the logs, I notice it is by default activating the principalsQuery as well, which I did not set. So maybe it is failing at this point.
Any ideas how we can do this? Will I need to write my own custom login module?
Cheers
Travis
-
2. Re: Can LdapExtLoginModule be used just for authentication and not authorization?
faridadhami Sep 24, 2012 1:47 PM (in response to traviskds)
I had to add the password-stacking option like below to make it work.
<login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="requisite">
    <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
    <module-option name="java.naming.provider.url" value="ldap://LDAP Server URL"/>
    <module-option name="bindDN" value="admin user dn"/>
    <module-option name="bindCredential" value="admin user password"/>
    <module-option name="baseCtxDN" value="..."/>
    <module-option name="baseFilter" value="(sAMAccountName={0})"/>
    <module-option name="rolesCtxDN" value="..."/>
    <module-option name="roleFilter" value="(sAMAccountName={0})"/>
    <module-option name="roleAttributeID" value="memberOf"/>
    <module-option name="roleAttributeIsDN" value="true"/>
    <module-option name="roleNameAttributeID" value="CN"/>
    <module-option name="searchScope" value="ONELEVEL_SCOPE"/>
    <module-option name="allowEmptyPasswords" value="false"/>
    <module-option name="roleRecursion" value="0"/>
    <!-- publishes the authenticated username and password to the JAAS shared state -->
    <module-option name="password-stacking" value="useFirstPass"/>
</login-module>
<login-module code="the authorization login module" flag="required">
    ...
    <!-- reads the identity from the shared state instead of prompting for it again -->
    <module-option name="password-stacking" value="useFirstPass"/>
</login-module>
With that, LdapExtLoginModule will add the username and password to the shared state, which the other login module then uses to extract the related roles.
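The mechanism faridadhami describes is plain JAAS password stacking, and it can be demonstrated without a JBoss server. The following is an added example, not code from this thread or from PicketBox: a stand-in for LdapExtLoginModule authenticates against a constructed in-memory credential store and, because `password-stacking=useFirstPass` is set, writes the identity into the shared state under the keys `javax.security.auth.login.name` and `javax.security.auth.login.password` (the keys defined by JAAS and used by JBoss's modules); a second, roles-only module never prompts and instead reads the stacked identity. The class names, the `alice`/`s3cret` credentials and the role table are all assumptions for the demo. The roles module also shows the failure mode from the first post: if the first module did not stack, the second finds no identity and fails with an explicit message.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.Arrays;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.spi.LoginModule;

/** Demo of JAAS password stacking; assumed names, not PicketBox code. */
public class PasswordStackingDemo {
    // Shared-state keys from the JAAS spec; JBoss/PicketBox login modules use the same keys.
    static final String NAME_KEY = "javax.security.auth.login.name";
    static final String PASS_KEY = "javax.security.auth.login.password";

    /** Minimal principal (JBoss would use SimplePrincipal / SimpleGroup "Roles"). */
    static final class NamedPrincipal implements Principal {
        private final String name;
        NamedPrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
        @Override public String toString() { return name; }
    }

    /** Stand-in for LdapExtLoginModule: authenticates, then publishes the identity. */
    public static class AuthOnlyModule implements LoginModule {
        private Subject subject;
        private CallbackHandler handler;
        private Map<String, Object> sharedState;
        private boolean useFirstPass;
        private String user;

        @Override @SuppressWarnings("unchecked")
        public void initialize(Subject subject, CallbackHandler handler,
                               Map<String, ?> sharedState, Map<String, ?> options) {
            this.subject = subject;
            this.handler = handler;
            this.sharedState = (Map<String, Object>) sharedState;
            this.useFirstPass = "useFirstPass".equals(options.get("password-stacking"));
        }
        @Override public boolean login() throws LoginException {
            NameCallback nc = new NameCallback("user: ");
            PasswordCallback pc = new PasswordCallback("password: ", false);
            try {
                handler.handle(new Callback[] { nc, pc });
            } catch (IOException | UnsupportedCallbackException e) {
                throw new LoginException(e.toString());
            }
            // Constructed credential check standing in for the LDAP bind and search.
            if (!"alice".equals(nc.getName()) || !Arrays.equals("s3cret".toCharArray(), pc.getPassword())) {
                throw new FailedLoginException("bad credentials");
            }
            user = nc.getName();
            if (useFirstPass) { // what password-stacking=useFirstPass turns on
                sharedState.put(NAME_KEY, user);
                sharedState.put(PASS_KEY, pc.getPassword());
            }
            return true;
        }
        @Override public boolean commit() { subject.getPrincipals().add(new NamedPrincipal(user)); return true; }
        @Override public boolean abort() { return true; }
        @Override public boolean logout() { subject.getPrincipals().clear(); return true; }
    }

    /** Stand-in for the roles module: never prompts, only consumes the stacked identity. */
    public static class RolesFromSharedStateModule implements LoginModule {
        // Constructed role table standing in for DatabaseServerLoginModule's rolesQuery.
        private static final Map<String, String[]> ROLES = Map.of("alice", new String[] { "admin", "user" });
        private Subject subject;
        private Map<String, ?> sharedState;
        private String user;

        @Override public void initialize(Subject subject, CallbackHandler handler,
                                         Map<String, ?> sharedState, Map<String, ?> options) {
            this.subject = subject;
            this.sharedState = sharedState;
        }
        @Override public boolean login() throws LoginException {
            Object name = sharedState.get(NAME_KEY);
            if (name == null) {
                throw new LoginException("no stacked identity: set password-stacking=useFirstPass on the first module");
            }
            // PicketBox may store either a String or a Principal under this key; accept both.
            user = name instanceof Principal ? ((Principal) name).getName() : name.toString();
            return true;
        }
        @Override public boolean commit() {
            for (String r : ROLES.getOrDefault(user, new String[0])) subject.getPrincipals().add(new NamedPrincipal("role:" + r));
            return true;
        }
        @Override public boolean abort() { return true; }
        @Override public boolean logout() { return true; }
    }

    public static void main(String[] args) throws LoginException {
        Map<String, String> stack = Map.of("password-stacking", "useFirstPass");
        Configuration cfg = new Configuration() { // programmatic equivalent of the <login-module> stack above
            @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] {
                    new AppConfigurationEntry(AuthOnlyModule.class.getName(), LoginModuleControlFlag.REQUISITE, stack),
                    new AppConfigurationEntry(RolesFromSharedStateModule.class.getName(), LoginModuleControlFlag.REQUIRED, stack)
                };
            }
        };
        CallbackHandler supplied = callbacks -> {
            for (Callback c : callbacks) {
                if (c instanceof NameCallback) ((NameCallback) c).setName("alice");
                else if (c instanceof PasswordCallback) ((PasswordCallback) c).setPassword("s3cret".toCharArray());
            }
        };
        LoginContext lc = new LoginContext("demo", new Subject(), supplied, cfg);
        lc.login();
        System.out.println("principals: " + lc.getSubject().getPrincipals());
    }
}
```

Run with `java PasswordStackingDemo.java` (Java 11 or later) and the subject ends up with `alice` plus the two role principals. Remove the `password-stacking` option from the first entry and the second module fails with the "no stacked identity" message, which is the shape of the problem reported in the first post: the roles module has nothing to look up because the identity was never shared with it.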
-
3. Re: Can LdapExtLoginModule be used just for authentication and not authorization?
traviskds Sep 25, 2012 6:31 AM (in response to faridadhami)
Thanks Farid. Will give this a go.
-
4. Re: Can LdapExtLoginModule be used just for authentication and not authorization?
traviskds Sep 25, 2012 8:56 PM (in response to traviskds)
This did not seem to work. Anyway, following this post I was able to do only authentication.
http://stackoverflow.com/questions/8519057/authentication-without-role-in-web-xml-in-jboss-as-7
-
5. Re: Can LdapExtLoginModule be used just for authentication and not authorization?
faridadhami Nov 9, 2012 10:04 AM (in response to traviskds)
You should be able to do the authentication using LdapExtLoginModule. The issue I faced was that I could not use the other login module to extract the roles provided by LdapExtLoginModule. Could you provide more detail on the issue you are facing?