2 Replies Latest reply on Jul 30, 2013 7:40 PM by traviskoch

    How to encrypt LdapExtLoginModule bindCredential

    vinger

      Hi!

       

      Could you please anyone to help me?

       

      I'm using JBoss AS 7.1.1.Final and i have to encrypt the bindCredential in the LDAP configuration.

      Basically i would like to use somehow the VAULT.

       

      I've already defined the vault section in the standalon-full.xml, as follows:

       

      <vault>

          <vault-option name="KEYSTORE_URL" value="c:\java\jboss-as-7.1.1.Final\vault\my.keystore"/>

          <vault-option name="KEYSTORE_PASSWORD" value="MASK-11LxPCyHeyOLOGfHDzEr8D"/>

          <vault-option name="KEYSTORE_ALIAS" value="test"/>

          <vault-option name="SALT" value="testtest"/>

          <vault-option name="ITERATION_COUNT" value="51"/>

          <vault-option name="ENC_FILE_DIR" value="c:\java\jboss-as-7.1.1.Final\vault\"/>

      </vault>

       

      I could apply successfully the vault config for the datasources:

       

      <security>

             <user-name>db_user</user-name>

             <password>${VAULT::Basel2DS::password::ZTUxNjU3NjctM2NkZi00MGU5LWJlN2YtY2VjNDg3ZTZhYjVhTElORV9CUkVBS2Jhc2Vs}</password>

      </security>

       

      but in the LDAP config section the vault expression doesn't work:

       

                     <security-domain name="Basel" cache-type="default">

                          <authentication>

                              <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">

                                  <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>

                                  <module-option name="java.naming.provider.url" value="ldap://myserver:389"/>

                                  <module-option name="bindDN" value="ldap_user"/>

                                  <module-option name="bindCredential" value="${VAULT::LDAP::password::ZjFiMDcxNDctN2RiYi00YzdjLWIwNDItYTcxYzJjMDIyMjE5TElORV9CUkVBS2Jhc2Vs}"/>

                                  <module-option name="baseCtxDN" value="dc=mycompany,dc=local"/>

                                  <module-option name="baseFilter" value="(sAMAccountName={0})"/>

                                  <module-option name="rolesCtxDN" value="ou=mycompany,dc=local"/>

                                  <module-option name="roleFilter" value="(sAMAccountName={0})"/>

                                  <module-option name="roleAttributeID" value="memberOf"/>

                                  <module-option name="roleAttributeIsDN" value="true"/>

                                  <module-option name="roleRecursion" value="-1"/>

                                  <module-option name="searchScope" value="SUBTREE_SCOPE"/>

                                  <module-option name="additionalRole" value="authenticated"/>

                                  <module-option name="defaultRole" value="authenticated"/>

                                  <module-option name="allowEmptyPasswords" value="false"/>

                              </login-module>

                          </authentication>

                      </security-domain>

       

      What would be the proper configuration to encrypt the bindCredential?

       

      Thanks!

       

      Geri