LDAP authentication using multiple groups
lucasvvloten Dec 22, 2014 8:54 AM

Hello,
I am running JBoss EAP 6.0.1.GA (AS 7.1.3.Final-redhat-4)
Within my SecurityRealm I perform LDAP authentication against a Microsoft AD server to allow access to the JBoss Admin interface.
My question is: is it possible to use more than one LDAP group for authentication, and how can it be configured?
Further explanation:
Using the configuration below I can authorize users to login to the JBoss Admin interface in the Active Directory, by making them a member of the "jbossadmins" group.
However, I would like to use more than one group to authenticate users; for example, group 'linuxadmins' in addition to 'jbossadmins'.
So that users will be allowed to login if they are a member of group "linuxadmins" OR a member of group "jbossadmins".
I can think of the following approaches:
- Make group "linuxadmins" a member (nested group) of "jbossadmins"; however, this does not work: members of "linuxadmins" cannot log in to the Admin interface.
The attribute "recursive=true" does not make a difference.
- Add a second element "advanced-filter", but this is not allowed;
- Use a different method to authenticate against LDAP, for example PAM and/or SSSD (don't know if possible / how)
Any ideas would be appreciated!
My current configuration works perfectly, but I can only use group "jbossadmins" and no nested groups:
<management>
  <security-realms>
    <security-realm name="ManagementRealm">
      <authentication>
        <ldap connection="ldap_connection" base-dn="CN=Users,DC=ACME,DC=COM" recursive="true">
          <!-- the LDAP "&" operator must be escaped as "&amp;" inside an XML attribute -->
          <advanced-filter filter="(&amp;(sAMAccountName={0})(memberOf=CN=jbossadmins,CN=Users,DC=acme,DC=com))"/>
        </ldap>
      </authentication>
    </security-realm>
  </security-realms>
  (...)
  <outbound-connections>
    <ldap name="ldap_connection" url="ldaps://ldapserver1.acme.com:636 ldaps://ldapserver2.acme.com:636" search-dn="cn=adreader,cn=users,dc=acme,dc=com" search-credential="SecretPassword"/>
  </outbound-connections>
  (...)
</management>
Kind regards,
Lucas
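The following is an added configuration example, not part of the original post and not taken from JBoss or Red Hat documentation. It shows the same `ManagementRealm` with a single `advanced-filter` whose `memberOf` test is wrapped in an LDAP OR (`|`) so that membership in either group satisfies the filter; the group DNs are assumed to follow the `CN=<group>,CN=Users,DC=acme,DC=com` layout used in the post. The commented alternative uses Active Directory's `LDAP_MATCHING_RULE_IN_CHAIN` matching rule (OID `1.2.840.113556.1.4.1941`), which makes the directory server expand nested group membership; it assumes a domain controller that supports that rule (Windows Server 2003 SP2 and later).

```xml
<management>
  <security-realms>
    <security-realm name="ManagementRealm">
      <authentication>
        <ldap connection="ldap_connection" base-dn="CN=Users,DC=ACME,DC=COM" recursive="true">
          <!-- Added example (assumed group DNs): the user must match sAMAccountName={0}
               AND be a direct member of jbossadmins OR linuxadmins.
               The LDAP "&" operator is written "&amp;" inside an XML attribute. -->
          <advanced-filter filter="(&amp;(sAMAccountName={0})(|(memberOf=CN=jbossadmins,CN=Users,DC=acme,DC=com)(memberOf=CN=linuxadmins,CN=Users,DC=acme,DC=com)))"/>
          <!-- Alternative (assumes Active Directory with LDAP_MATCHING_RULE_IN_CHAIN):
               the ":1.2.840.113556.1.4.1941:" matching rule lets the server walk nested
               groups, so a member of a group that is itself inside jbossadmins also matches:
               <advanced-filter filter="(&amp;(sAMAccountName={0})(memberOf:1.2.840.113556.1.4.1941:=CN=jbossadmins,CN=Users,DC=acme,DC=com))"/>
          -->
        </ldap>
      </authentication>
    </security-realm>
  </security-realms>
</management>
```

Two caveats for anyone adapting this. First, the `recursive` attribute on the `<ldap>` element only sets the search scope beneath `base-dn` (subtree rather than one level); it does not expand group nesting, which is why a plain `memberOf=` test only matches direct members. Second, whichever filter is used, the `search-dn` account in `outbound-connections` should remain a read-only bind account, since its `search-credential` sits in clear text in the server configuration file.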