4 Replies Latest reply on Apr 24, 2017 12:21 PM by pechand

    JBOSS and LDAP.

    pechand

      I am trying to configure JBOSS to authenticate against (use) an external LDAP Server. Can anyone point me to some proper instructions and example standalone.xml?

       

      Thanks in advance,

       

      Peter.

        • 1. Re: JBOSS and LDAP.
          andey

          To configure JBoss for authentication with LDAP you will need to first ensure that your application is properly set up for JAAS authentication with the JBoss container.

           

          jboss-web.xml

           

          ~~~

              <jboss-web>

                  <security-domain>java:/jaas/sample_ldap_domain</security-domain>

              </jboss-web>

          ~~~

           

          web.xml

           

~~~
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Secure Content</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>JBossAdmin</role-name>
    </auth-constraint>
    <!-- BASIC auth sends the password base64-encoded on every request, so set
         CONFIDENTIAL here to force HTTPS rather than leaving it at NONE -->
    <!--user-data-constraint>
        <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint-->
</security-constraint>

<security-role>
    <role-name>JBossAdmin</role-name>
</security-role>

<login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Sample LDAP Domain</realm-name> <!--NOTE: This is simply a Display Name-->
</login-config>
~~~

           

           

With these items in your application (WAR | EAR), that application will defer to JBoss for authentication, specifically to the JBoss security-domain, sample_ldap_domain in our example.

           

           

You then need to add the following setting in JBoss; this is what defines sample_ldap_domain to talk to your Active Directory or LDAP server for authentication.

~~~
<security-domain name="sample_ldap_domain" cache-type="default">
    <authentication>
        <login-module code="LdapExtended" flag="required">
            <!-- ldap:// on 389 sends the bind password and every user's password in
                 clear; prefer ldaps:// (636) or a server that enforces StartTLS -->
            <module-option name="java.naming.provider.url" value="ldap://IP-HOSTNAME:389"/>
            <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
            <module-option name="java.naming.security.authentication" value="simple"/>
            <!-- service account used to search for the user: bindDN is a full DN
                 (or user@domain on AD); bindCredential can be kept out of
                 standalone.xml with the EAP vault -->
            <module-option name="bindDN" value="test"/>
            <module-option name="bindCredential" value="test"/>
            <!-- where and how the user entry is found; {0} is the login name -->
            <module-option name="baseCtxDN" value="CN=Users,DC=JBoss,DC=redhat,DC=com"/>
            <module-option name="baseFilter" value="(sAMAccountName={0})"/>
            <!-- where and how roles are found; {1} is the DN of the user found above -->
            <module-option name="rolesCtxDN" value="CN=Groups,DC=JBoss,DC=redhat,DC=com"/>
            <module-option name="roleFilter" value="(member={1})"/>
            <module-option name="roleAttributeID" value="memberOf"/>
            <module-option name="roleNameAttributeID" value="cn"/>
            <module-option name="roleRecursion" value="0"/>
            <module-option name="roleAttributeIsDN" value="true"/>
            <module-option name="searchScope" value="SUBTREE_SCOPE"/>
        </login-module>
    </authentication>
</security-domain>
~~~

           

So long as all of your users are in the JBossAdmin role as defined by your application's web.xml, you will be able to authenticate as an AD or LDAP user.

           

Each Directory Server is different, so the example options above will likely need to be altered to fit your Directory Server's implementation. To see the full configuration options, refer to https://access.redhat.com/documentation/en-US/JBoss_Enterprise_Application_Platform/6/html-single/Administration_and_Configuration_Guide/index.html#topic4732_ldapextended

           

Please note that the LDAP security-domain above accounts for advanced filters, for example:

           

          ~~~

          (&amp;(sAMAccountName={0})(memberOf=cn=admin,cn=users,dc=acme,dc=com))

          ~~~

           

          For a user filter, this would be placed under the "baseFilter" login module-option. For a group filter, this would be placed under the "roleFilter" login module-option.

           

          Adding the following module option would help to debug the configuration.

           

          ~~~

              <module-option name="throwValidateError" value="true"/>

          ~~~

           

If you see an issue like PBOX000070: Password invalid/Password required, verify that the correct username and password have been used. Also, cross-verify that configuration such as "baseCtxDN" and "baseFilter" matches the entry that is being used to log in to the application.
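An offline model of what the security-domain above makes the LdapExtended login module do, added here as an example; it is not code from this thread or from JBoss/PicketBox. It runs the thread's module-options (user lookup under baseCtxDN with baseFilter, password check, role collection under rolesCtxDN with roleFilter/roleAttributeID/roleAttributeIsDN) against a constructed in-memory directory, so you can see which roles a login ends up with, why a user outside the JBossAdmin group authenticates but is still refused by web.xml, and how the advanced `(&(sAMAccountName={0})(memberOf=...))` baseFilter keeps such a user from authenticating at all. The directory entries, passwords and the `login`/`resolve_roles` helpers are assumptions of this example, the role-resolution order is this example's reading of the module's behaviour, and the filter evaluator only covers equality, `&`, `|` and `!`.

```python
"""Offline model of the thread's LdapExtended security-domain (added example)."""
import hmac
import re

# Constructed sample directory standing in for AD (not real data): DN -> attributes.
DIRECTORY = {
    "CN=peter,CN=Users,DC=JBoss,DC=redhat,DC=com": {
        "sAMAccountName": ["peter"], "userPassword": ["s3cret"],
        "memberOf": ["CN=JBossAdmin,CN=Groups,DC=JBoss,DC=redhat,DC=com"]},
    "CN=guest,CN=Users,DC=JBoss,DC=redhat,DC=com": {
        "sAMAccountName": ["guest"], "userPassword": ["guest"], "memberOf": []},
    "CN=JBossAdmin,CN=Groups,DC=JBoss,DC=redhat,DC=com": {
        "cn": ["JBossAdmin"],
        "member": ["CN=peter,CN=Users,DC=JBoss,DC=redhat,DC=com"],
        "memberOf": ["CN=Operators,CN=Groups,DC=JBoss,DC=redhat,DC=com"]},
    "CN=Operators,CN=Groups,DC=JBoss,DC=redhat,DC=com": {
        "cn": ["Operators"],
        "member": ["CN=JBossAdmin,CN=Groups,DC=JBoss,DC=redhat,DC=com"], "memberOf": []},
}

# The thread's module-options, minus the connection and bind settings.
THREAD_OPTIONS = {
    "baseCtxDN": "CN=Users,DC=JBoss,DC=redhat,DC=com",
    "baseFilter": "(sAMAccountName={0})",
    "rolesCtxDN": "CN=Groups,DC=JBoss,DC=redhat,DC=com",
    "roleFilter": "(member={1})",
    "roleAttributeID": "memberOf",
    "roleNameAttributeID": "cn",
    "roleRecursion": "0",
    "roleAttributeIsDN": "true",
}


def attr(entry, name):
    """Case-insensitive attribute lookup, as LDAP attribute names are."""
    return next((v for k, v in entry.items() if k.lower() == name.lower()), [])


def escape(value):
    """RFC 4515 escaping of a filter argument; JNDI applies this to {0}/{1}."""
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group(0)), value)


def _parse(f, pos):
    """Parse one parenthesised filter component starting at f[pos] == '('."""
    if f[pos + 1] in "&|!":
        op, pos, kids = f[pos + 1], pos + 2, []
        while f[pos] == "(":
            node, pos = _parse(f, pos)
            kids.append(node)
        return (op, kids), pos + 1            # skip the closing ')'
    end = f.index(")", pos)
    name, _, value = f[pos + 1:end].partition("=")
    unescaped = re.sub(r"\\([0-9a-f]{2})", lambda m: chr(int(m.group(1), 16)), value)
    return ("=", name, unescaped), end + 1


def _matches(node, entry):
    if node[0] == "=":
        return any(v.lower() == node[2].lower() for v in attr(entry, node[1]))
    results = [_matches(kid, entry) for kid in node[1]]
    return {"&": all, "|": any, "!": lambda r: not r[0]}[node[0]](results)


def search(base_dn, filter_template, args):
    """SUBTREE_SCOPE search under base_dn with {0}/{1} substituted and escaped."""
    filt = re.sub(r"\{(\d)\}", lambda m: escape(args[int(m.group(1))]), filter_template)
    node, _ = _parse(filt, 0)
    base = base_dn.lower()
    return [dn for dn, entry in DIRECTORY.items()
            if (dn.lower() == base or dn.lower().endswith("," + base)) and _matches(node, entry)]


def resolve_roles(opts, username, entry_dn, nesting=0):
    """Role search as this example reads LdapExtended: for each entry matched by
    roleFilter under rolesCtxDN, take its roleAttributeID values (each resolved to
    roleNameAttributeID when roleAttributeIsDN), plus the matched entry's own
    roleNameAttributeID at the top level, then recurse up to roleRecursion."""
    roles = set()
    is_dn = opts["roleAttributeIsDN"] == "true"
    for dn in search(opts["rolesCtxDN"], opts["roleFilter"], [username, entry_dn]):
        if nesting == 0 and is_dn:
            roles.update(attr(DIRECTORY[dn], opts["roleNameAttributeID"]))
        for value in attr(DIRECTORY[dn], opts["roleAttributeID"]):
            if is_dn:
                roles.update(attr(DIRECTORY.get(value, {}), opts["roleNameAttributeID"]))
            else:
                roles.add(value)
        if nesting < int(opts["roleRecursion"]):
            roles.update(resolve_roles(opts, username, dn, nesting + 1))
    return roles


def login(opts, username, password):
    """Locate exactly one user entry, check the password (a bind as that DN in the
    real module), then resolve roles. Returns the role set, or None on failure."""
    users = search(opts["baseCtxDN"], opts["baseFilter"], [username])
    if len(users) != 1:
        return None                               # no (or ambiguous) user entry
    stored = attr(DIRECTORY[users[0]], "userPassword")
    if not stored or not hmac.compare_digest(stored[0], password):
        return None                               # wrong password
    return resolve_roles(opts, username, users[0])


def authorized(roles, required="JBossAdmin"):
    """The web.xml auth-constraint: authenticated but without the role is a 403."""
    return roles is not None and required in roles
```

With the thread's options, `login(THREAD_OPTIONS, "peter", "s3cret")` yields the roles JBossAdmin and Operators, while `guest` authenticates with an empty role set and is then refused by `authorized`. Swapping in `baseFilter="(&(sAMAccountName={0})(memberOf=CN=JBossAdmin,CN=Groups,DC=JBoss,DC=redhat,DC=com))"` turns the guest case into a failed login instead, which is the effect of the advanced filter described above; in standalone.xml the `&` is written `&amp;` because it sits inside an XML attribute value. Because `{0}` is substituted with filter escaping, a login name of `*` is matched as a literal asterisk rather than a wildcard.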

          • 2. Re: JBOSS and LDAP.
            pechand

            Thanks. ☺

            • 3. Re: JBOSS and LDAP.
              andey

              Hi,

               

If you feel the answer suits your query, then like it; or if the answer helps you move forward, then mark the answer as helpful. If you think it is a correct answer, then you can mark it as the Correct Answer.

              • 4. Re: JBOSS and LDAP.
                pechand

Sorry, have not had time to test it yet.