1 Reply Latest reply on Sep 22, 2014 6:00 AM by dmouch

    Picketlink IDP with LDAP Authentication

    dmouch

      Hi all,

I'm new to picketlink and I'm trying to get accustomed to it. I installed the idp-basic and sp-basic quickstarts on wildfly and managed to log in successfully to sales-post from the idp.

      However now I'm trying to connect the idp to an LDAP (Microsoft AD) server. What I think I should do is change the standalone.xml configuration like this:

      <security-domain name="idp" cache-type="default">
          <authentication>
              <!--<login-module code="UsersRoles" flag="required">-->
              <!--<module-option name="usersProperties" value="users.properties"/>-->
              <!--<module-option name="rolesProperties" value="roles.properties"/>-->
              <!--</login-module>-->
              <login-module code="AdvancedADLdap" flag="required">
                  <module-option name="java.naming.provider.url" value="ldap://111.111.111.111:389/"/>
                  <module-option name="bindDN" value="cn=administrator,cn=users,dc=example,dc=com"/>
                  <module-option name="bindCredential" value="123456"/>
                  <module-option name="baseCtxDN" value="CN=Users,DC=EXAMPLE,DC=COM"/>
                  <module-option name="baseFilter" value="(uid={0})"/>
                  <module-option name="rolesCtxDN" value="CN=Group,CN=Schema,CN=Configuration,DC=EXAMPLE,DC=COM"/>
                  <module-option name="roleFilter" value="(uniqueMember={1})"/>
                  <module-option name="roleAttributeID" value="cn"/>
              </login-module>
          </authentication>
      </security-domain>


      Is the above configuration correct? Or should I use the idm-ldap quickstart? Also, how do I enable logging to check what is going on underneath?

      Essentially what I'd like to do is connect idp with MS AD for authentication and provide SSO to sales-post quickstart.


      Thank you.

        • 1. Re: Picketlink IDP with LDAP Authentication
          dmouch

          I have finally managed to make this work, with the following configuration:

          <security-domain name="idp" cache-type="default">
              <authentication>
                  <login-module code="org.jboss.security.negotiation.AdvancedADLoginModule" flag="required">
                      <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
                      <module-option name="java.naming.provider.url" value="ldap://111.111.111.111:389"/>
                      <module-option name="java.naming.security.authentication" value="simple"/>
                      <module-option name="bindDN" value="cn=administrator,cn=users,dc=example,dc=com"/>
                      <module-option name="bindCredential" value="somepass"/>
                      <module-option name="baseCtxDN" value="CN=Users,DC=example,DC=com"/>
                      <module-option name="baseFilter" value="(sAMAccountName={0})"/>
                      <module-option name="searchScope" value="SUBTREE_SCOPE"/>
                      <module-option name="allowEmptyPasswords" value="false"/>
                      <module-option name="throwValidateError" value="true"/>
                      <module-option name="rolesCtxDN" value="CN=Users,DC=example,DC=com"/>
                      <module-option name="roleFilter" value="(sAMAccountName={0})"/>
                      <module-option name="roleAttributeID" value="memberOf"/>
                      <module-option name="roleAttributeIsDN" value="true"/>
                      <module-option name="roleNameAttributeID" value="cn"/>
                      <module-option name="roleRecursion" value="1"/>
                  </login-module>
              </authentication>
          </security-domain>


          I also managed to see logs by adding:

                  <logger category="org.jboss.security">
                      <level name="TRACE"/>
                  </logger>

          in the appropriate section of standalone.xml which was very helpful.
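The following Python model, added here as an illustration and not part of the thread or of the PicketLink/JBoss code base, walks through what the option names in the working reply above ask the login module to do: bind as the service account, find the user under baseCtxDN with baseFilter, verify the user's password with a second bind, then read roles from memberOf (roleAttributeIsDN, roleNameAttributeID, roleRecursion). It runs against a constructed in-memory directory rather than a real AD server, and the interpretation of each option is an assumption made for the example. It also shows why the question's `(uid={0})` filter finds nothing on a typical AD account, and why `allowEmptyPasswords` must stay `false`: an LDAP simple bind with a DN and an empty password is an unauthenticated bind (RFC 4513 §5.1.2) that many servers accept without checking anything.

```python
import re

# Constructed in-memory directory standing in for the AD server.  DNs, accounts
# and passwords are invented for this example.
DIRECTORY = {
    "CN=svc-bind,CN=Users,DC=example,DC=com": {
        "sAMAccountName": ["svc-bind"], "userPassword": ["somepass"], "memberOf": []},
    "CN=alice,CN=Users,DC=example,DC=com": {
        "sAMAccountName": ["alice"], "userPassword": ["alice-pw"],
        "memberOf": ["CN=sales,CN=Users,DC=example,DC=com"]},
    "CN=sales,CN=Users,DC=example,DC=com": {
        "cn": ["sales"], "memberOf": ["CN=staff,CN=Users,DC=example,DC=com"]},
    "CN=staff,CN=Users,DC=example,DC=com": {"cn": ["staff"], "memberOf": []},
}

# Option values mirror the working configuration from the reply; how each option
# is interpreted below is this example's assumption, not a statement about JBoss.
CONFIG = {
    "bindDN": "CN=svc-bind,CN=Users,DC=example,DC=com",
    "bindCredential": "somepass",
    "baseCtxDN": "CN=Users,DC=example,DC=com",
    "baseFilter": "(sAMAccountName={0})",
    "searchScope": "SUBTREE_SCOPE",
    "allowEmptyPasswords": False,
    "rolesCtxDN": "CN=Users,DC=example,DC=com",
    "roleFilter": "(sAMAccountName={0})",
    "roleAttributeID": "memberOf",
    "roleAttributeIsDN": True,
    "roleNameAttributeID": "cn",
    "roleRecursion": 1,
}


def escape_filter_value(value):
    """RFC 4515 escaping, so a submitted username cannot alter the filter's structure."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)


def _filter_regex(pattern):
    """Translate an assertion value (raw '*' = wildcard, '\\xx' = literal byte) to a regex."""
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 2 < len(pattern):
            out.append(re.escape(chr(int(pattern[i + 1:i + 3], 16))))
            i += 3
        elif c == "*":
            out.append(".*")
            i += 1
        else:
            out.append(re.escape(c))
            i += 1
    return re.compile("^" + "".join(out) + "$")


def search(base_dn, scope, ldap_filter):
    """Return the DNs under base_dn whose entry satisfies one (attr=value) filter."""
    m = re.fullmatch(r"\((\w+)=(.+)\)", ldap_filter)
    if not m:
        raise ValueError("only simple (attr=value) filters are modelled")
    attr, rx = m.group(1), _filter_regex(m.group(2))
    hits = []
    for dn, entry in DIRECTORY.items():
        if scope == "SUBTREE_SCOPE":
            in_scope = dn.lower().endswith("," + base_dn.lower())
        else:  # ONELEVEL_SCOPE: direct children only
            in_scope = dn.lower().split(",", 1)[1] == base_dn.lower()
        if in_scope and any(rx.match(v) for v in entry.get(attr, [])):
            hits.append(dn)
    return hits


def simple_bind(dn, password):
    """Model an LDAP simple bind.  A DN with an empty password is an unauthenticated
    bind (RFC 4513 5.1.2): the server answers success without proving anything, which
    is exactly why the login module must refuse empty passwords before binding."""
    entry = DIRECTORY.get(dn)
    if entry is None:
        return False
    if password == "":
        return True
    return password in entry.get("userPassword", [])


def authenticate(username, password, cfg=CONFIG):
    """Return the set of role names on success, or None when authentication fails."""
    if password == "" and not cfg["allowEmptyPasswords"]:
        return None  # reject before the directory is ever contacted
    if not simple_bind(cfg["bindDN"], cfg["bindCredential"]):
        raise RuntimeError("service bind failed: check bindDN/bindCredential")
    user = escape_filter_value(username)
    matches = search(cfg["baseCtxDN"], cfg["searchScope"], cfg["baseFilter"].replace("{0}", user))
    if len(matches) != 1:  # unknown user, or a filter that is not unique
        return None
    if not simple_bind(matches[0], password):
        return None
    roles, frontier = set(), []
    for dn in search(cfg["rolesCtxDN"], cfg["searchScope"], cfg["roleFilter"].replace("{0}", user)):
        frontier.extend(DIRECTORY[dn].get(cfg["roleAttributeID"], []))
    for _level in range(cfg["roleRecursion"] + 1):  # direct groups, then nested ones
        next_frontier = []
        for value in frontier:
            if cfg["roleAttributeIsDN"]:
                group = DIRECTORY.get(value, {})
                roles.update(group.get(cfg["roleNameAttributeID"], []))
                next_frontier.extend(group.get(cfg["roleAttributeID"], []))
            else:
                roles.add(value)
        frontier = next_frontier
    return roles


if __name__ == "__main__":
    print(authenticate("alice", "alice-pw"))                                  # {'sales', 'staff'}
    print(authenticate("alice", ""))                                          # None
    print(authenticate("alice", "", dict(CONFIG, allowEmptyPasswords=True)))  # {'sales', 'staff'}
```

Running the block shows the two failure modes the thread touches on: with `(uid={0})` no entry is found, so authentication fails before any password is checked, and with `allowEmptyPasswords` flipped to true an empty password is accepted for any existing account. When reading the TRACE output from `org.jboss.security` on a real server, the same sequence (service bind, user search, user bind, role search) is what to look for.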