-
1. Re: JBOSS and LDAP.
andey Apr 21, 2017 6:00 AM (in response to pechand)
To configure JBoss for authentication with LDAP you will need to first ensure that your application is properly set up for JAAS authentication with the JBoss container.
jboss-web.xml
~~~
<jboss-web>
    <security-domain>java:/jaas/sample_ldap_domain</security-domain>
</jboss-web>
~~~
web.xml
~~~
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Secure Content</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>JBossAdmin</role-name>
    </auth-constraint>
    <!--user-data-constraint>
        <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint-->
</security-constraint>
<security-role>
    <role-name>JBossAdmin</role-name>
</security-role>
<login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Sample LDAP Domain</realm-name> <!-- NOTE: This is simply a display name -->
</login-config>
~~~
With these items in your application (WAR | EAR), that application will defer to JBoss for authentication, specifically to the JBoss security-domain, sample_ldap_domain for our example.
You then need to add the following setting in JBoss, which defines sample_ldap_domain and how it talks to your Active Directory or LDAP server for authentication.
~~~
<security-domain name="sample_ldap_domain" cache-type="default">
    <authentication>
        <login-module code="LdapExtended" flag="required">
            <module-option name="java.naming.provider.url" value="ldap://IP-HOSTNAME:389"/>
            <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
            <module-option name="java.naming.security.authentication" value="simple"/>
            <module-option name="bindDN" value="test"/>
            <module-option name="bindCredential" value="test"/>
            <module-option name="baseCtxDN" value="CN=Users,DC=JBoss,DC=redhat,DC=com"/>
            <module-option name="baseFilter" value="(sAMAccountName={0})"/>
            <module-option name="rolesCtxDN" value="CN=GRoups,DC=JBoss,DC=redhat,DC=com"/>
            <module-option name="roleFilter" value="(member={1})"/>
            <module-option name="roleAttributeID" value="memberOf"/>
            <module-option name="roleNameAttributeID" value="cn"/>
            <module-option name="roleRecursion" value="0"/>
            <module-option name="roleAttributeIsDN" value="true"/>
            <module-option name="searchScope" value="SUBTREE_SCOPE"/>
        </login-module>
    </authentication>
</security-domain>
~~~
So long as all of your users are in the JBossAdmin role as defined by your application's web.xml, you will be able to authenticate as an AD or LDAP user.
Each Directory Server is different, so the example options above will likely need to be altered to fit your Directory Server's implementation. To see the full configuration options, refer to https://access.redhat.com/documentation/en-US/JBoss_Enterprise_Application_Platform/6/html-single/Administration_and_Configuration_Guide/index.html#topic4732_ldapextended
Please note that the LDAP security-domain above accounts for advanced filters, for example:
~~~
(&(sAMAccountName={0})(memberOf=cn=admin,cn=users,dc=acme,dc=com))
~~~
For a user filter, this would be placed under the "baseFilter" login module-option. For a group filter, this would be placed under the "roleFilter" login module-option.
Adding the following module option would help to debug the configuration.
~~~
<module-option name="throwValidateError" value="true"/>
~~~
If you see an error like PBOX000070: Password invalid/Password required, verify that the correct username and password have been used. Also cross-verify that configuration such as "baseCtxDN" and "baseFilter" matches the entry being used to log in to the application.
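An offline dry run of the lookup the security-domain above configures, added here as an example and not part of this thread or of JBoss itself: it parses the login-module options, builds the user search (baseFilter, {0} = login name) and role search (roleFilter, {0} = login name, {1} = user DN) with RFC 4515 escaping of the substituted values, and flags the plaintext ldap:// URL and simple bind that a reviewer would question. The sample XML and the escaping routine are constructed for this example; the real module hands {0}/{1} to JNDI as search arguments rather than concatenating them.

```python
import xml.etree.ElementTree as ET
# Constructed sample: the LdapExtended security-domain from the answer above, trimmed.
SAMPLE_XML = """
<security-domain name="sample_ldap_domain">
  <authentication>
    <login-module code="LdapExtended" flag="required">
      <module-option name="java.naming.provider.url" value="ldap://IP-HOSTNAME:389"/>
      <module-option name="java.naming.security.authentication" value="simple"/>
      <module-option name="baseCtxDN" value="CN=Users,DC=JBoss,DC=redhat,DC=com"/>
      <module-option name="baseFilter" value="(sAMAccountName={0})"/>
      <module-option name="rolesCtxDN" value="CN=GRoups,DC=JBoss,DC=redhat,DC=com"/>
      <module-option name="roleFilter" value="(member={1})"/>
    </login-module>
  </authentication>
</security-domain>
"""

def parse_options(xml_text):
    """Return {option name: value} for the LdapExtended login-module."""
    root = ET.fromstring(xml_text)
    lm = root.find(".//login-module[@code='LdapExtended']")
    return {o.get("name"): o.get("value") for o in lm.findall("module-option")}

def escape_filter_value(value):
    """RFC 4515 escaping for a value substituted into a search filter."""
    special = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(special.get(ch, ch) for ch in value)

def build_filters(opts, username, user_dn):
    """User search: {0} = login name. Role search: {0} = login name, {1} = user DN."""
    user_filter = opts["baseFilter"].replace("{0}", escape_filter_value(username))
    role_filter = (opts["roleFilter"]
                   .replace("{0}", escape_filter_value(username))
                   .replace("{1}", escape_filter_value(user_dn)))
    return user_filter, role_filter

def audit(opts):
    """Settings a reviewer would question before deploying the domain."""
    findings = []
    url = opts.get("java.naming.provider.url", "")
    if url.startswith("ldap://"):
        findings.append("plaintext ldap:// provider URL; prefer ldaps:// or StartTLS")
        if opts.get("java.naming.security.authentication") == "simple":
            findings.append("simple bind over plaintext sends bindCredential in the clear")
    return findings

if __name__ == "__main__":
    opts = parse_options(SAMPLE_XML)
    print(build_filters(opts, "jdoe", "CN=jdoe,CN=Users,DC=JBoss,DC=redhat,DC=com"))
    print(audit(opts))
```

Compare the printed filters with what the directory's own search tools return for the same user before blaming the JBoss side for a PBOX000070 failure.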
-
2. Re: JBOSS and LDAP.
pechand Apr 22, 2017 1:11 AM (in response to andey)
Thanks. ☺
-
3. Re: JBOSS and LDAP.
andey Apr 24, 2017 4:45 AM (in response to pechand)
Hi,
If you feel the answer suits your query, then like it, or if the answer helps you move forward, then mark the answer as helpful. If you think it is a correct answer, then you can mark it as the Correct Answer.
-
4. Re: JBOSS and LDAP.
pechand Apr 24, 2017 12:21 PM (in response to andey)
Sorry, have not had time to test it yet.