0 Replies Latest reply on Aug 29, 2006 1:14 PM by Sreenivasulu Gali

    LdapExtLoginModule + Active Directory Help

    Sreenivasulu Gali Newbie

      Hi Team,

      I have been trying JBOSS authentication and Authorization against ActiveDirectory and having the problem. My working steps as below. Can anybody help me on this?


      Step1: in "login-config.xml" the entry as below
      -------------------------
      <application-policy name="JawJaasDbRealm">

      <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="sufficient" >
      <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
      <module-option name="java.naming.provider.url">ldap://151.111.195.26:389/</module-option>
      <module-option name="java.naming.security.authentication">simple</module-option>
      <module-option name="java.naming.security.principal">ldapbrowse</module-option>
      <module-option name="java.naming.security.credentials">ldapbrowse</module-option>
      <!-- bGRhcGJyb3dzZQ== -->
      <module-option name="bindDN">CN=LDAPBrowse,OU=Enterprise Administration,DC=ad,DC=dot,DC=state,DC=mn,DC=us</module-option>
      <module-option name="bindCredential">ldapbrowse</module-option>
      <module-option name="baseCtxDN">DC=ad,DC=dot,DC=state,DC=mn,DC=us</module-option>
      <module-option name="baseFilter">(sAMAccountName={0})</module-option>
      <module-option name="rolesCtxDN">OU=Groups,OU=Freight and Commercial Vehicle Operations,OU=Program Management Division,DC=ad,DC=dot,DC=state,DC=mn,DC=us</module-option>
      <module-option name="roleFilter">(sAMAccountName={0})</module-option>
      <module-option name="roleAttributeID">memberOf</module-option>
      <!-- <module-option name="roleAttributeIsDN">true</module-option> -->
      <module-option name="roleNameAttributeID">cn</module-option>
      <module-option name="defaultRole">OFCVO_RGCIP_Inventory</module-option>
      <!-- <module-option name="roleRecursion">-1</module-option> -->
      <module-option name="searchScope">ONELEVEL_SCOPE</module-option>
      </login-module>

      </application-policy>
      --------------------------
      Step2: in "jboss.xml" file the entry as below

      ------------------
      <jboss-web>
      <context-root>jaw</context-root>
      <security-domain>java:/jaas/JawJaasDbRealm</security-domain>
      </jboss-web>

      ------------------

      Step3: web-security.xml file
      --------------

      <security-constraint>

      <web-resource-collection>
      <web-resource-name>
      JAW Application protected Admin pages and actions.
      </web-resource-name>
      Require users to authenticate.
      <url-pattern>/test/index.jsp</url-pattern>
      </web-resource-collection>

      <auth-constraint>

      Allow Manager role to access Admin pages and actions.

      <role-name>OFCVO_RGCIP_Inventory</role-name>
      </auth-constraint>

      </security-constraint>

      <security-role>
      JAW Guest User (unsecured)
      <role-name>OFCVO_RGCIP_Inventory</role-name>
      </security-role>

      <login-config>
      <auth-method>FORM</auth-method>
      <realm-name>JawJaasDbRealm</realm-name>
      <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/loginError.jsp</form-error-page>
      </form-login-config>
      </login-config>
      ---------------------------


      index.jsp
      ----------------
      <%@ page contentType="text/html; charset=ISO-8859-1" %>


      Welcome to the application, <%= request.getRemoteUser() %>!
      MnDOT Chg Access Role :<%=request.isUserInRole("MnDOT Chg Access") %>
      OFCVO_RGCIP_Inventory Role :<%=request.isUserInRole("OFCVO_RGCIP_Inventory") %>
      OFCVO_RGCIP_Admin Role :<%=request.isUserInRole("OFCVO_RGCIP_Admin") %>
      OFCVO_RGCIP_ProjMgr Role :<%=request.isUserInRole("OFCVO_RGCIP_ProjMgr") %>
      OFCVO_RGCIP_DataMaint Role :<%=request.isUserInRole("OFCVO_RGCIP_DataMaint") %>
      OFCVO_RGCIP_Auditor Role :<%=request.isUserInRole("OFCVO_RGCIP_Auditor") %>
      OFCVO_RGCIP_Finance Role :<%=request.isUserInRole("OFCVO_RGCIP_Finance") %>






      ----------------

      If i enter user credentials(userid/password) who don't have role "OFCVO_RGCIP_Inventory" , it's authenticating and getting the index.jsp page and <%=request.isUserInRole("OFCVO_RGCIP_Inventory") %> displaying "true" value. I think once it's authentication is over then the defaultRole(<module-option name="defaultRole">OFCVO_RGCIP_Inventory</module-option>
      ) is associating with the logged in user even if he don't belongs to that role in AD.


      Can you help me what's going wrong and why it's behaving like this?


      Thanks,
      Sreeni
      914 439 3469