6 Replies Latest reply on Feb 2, 2006 12:19 AM by Eron Howard

    LDAP LoginModule & eDirectory

    Eron Howard Newbie


      I'm trying to get jboss portal to authenticate to eDirectory. I've modified the login-conf.xml to include the following:

      <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">
      <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
      <module-option name="java.naming.provider.url">ldap://</module-option>
      <module-option name="java.naming.security.authentication">simple</module-option>
      <module-option name="principalDNPrefix">cn=</module-option>
      <module-option name="principalDNSuffix">,ou=staff,o=company</module-option>
      <module-option name="rolesCtxDN">ou=groups,o=company</module-option>
      <module-option name="uidAttributeID">memberOf</module-option>
      <module-option name="matchOnUserDN">true</module-option>
      <module-option name="roleAttributeID">cn</module-option>
      <module-option name="roleAttributeIsDN">false</module-option>

      The error I get when logging in is:
      HTTP Status 403 - Access to the requested resource has been denied

      type Status report

      message Access to the requested resource has been denied

      description Access to the specified resource (Access to the requested resource has been denied) has been forbidden.
      The server.log doesnt seem show any information about the login request.

      Any help would be great! Thanks.

        • 1. Re: LDAP LoginModule & eDirectory
          Scott Dawson Apprentice

          You may have a problem with roles rather than authentication. We are doing something similar against OpenLDAP. In jboss-portal.sar/conf/login-config.xml, we have this:

          <application-policy name="portal">
           <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">
           <module-option name="password-stacking">useFirstPass</module-option>
           <module-option name="java.naming.provider.url">ldap://yourhost:389/</module-option>
           <module-option name="java.naming.security.authentication">simple</module-option>
           <module-option name="principalDNPrefix">uid=</module-option>
           <module-option name="principalDNSuffix">,ou=people,dc=company</module-option>
           <login-module code="org.jboss.portal.core.security.jaas.ModelLoginModule" flag="required">
           <module-option name="unauthenticatedIdentity">guest</module-option>
           <module-option name="hashAlgorithm">MD5</module-option>
           <module-option name="hashEncoding">HEX</module-option>
           <module-option name="userModuleJNDIName">java:/portal/UserModule</module-option>
           <module-option name="additionalRole">Authenticated</module-option>
           <module-option name="password-stacking">useFirstPass</module-option>

          So, the authentication is via LDAP and the roles come from the Portal database, meaning that you have to define your users in both places. This may not be exactly what you want, but it may be worth trying just so you can verify that the LDAP authentication is working.

          Scott Dawson

          • 2. Re: LDAP LoginModule & eDirectory

            Is it possible to get the roles from an external source (in these cases, an LDAP directory) too, using jaas? Or are the roles intrinsic to the portal engine? I don't mind looking through the code / jaas docs to find out how to do it, but if someone can say flat-out "no" it would save me a lot of fruitless investigation. I'd like to have both the authentication and the authorisation coming from LDAP.


            • 3. Re: LDAP LoginModule & eDirectory
              Konstantin Novoselov Newbie

              It is possible. I wrote custom implementations for org.jboss.portal.core.modules.UserModule and org.jboss.portal.core.modules.RoleModule to make it get the info from LDAP.

              -- kn

              • 4. Re: LDAP LoginModule & eDirectory

                Cool. Any chance of sharing?


                • 5. Re: LDAP LoginModule & eDirectory
                  Konstantin Novoselov Newbie

                  Don't think it would help anybody. Implementation is highly specific to our environment. But you may check http://jira.jboss.com/jira/browse/JBPORTAL-464, which has something similar.


                  • 6. Re: LDAP LoginModule & eDirectory
                    Eron Howard Newbie

                    Its seems that the jboss portal ldap authentication and athorization is not quite dialed in yet. Is better out of the box ldap support on the road map? Any idea how long from now?