30 Replies. Latest reply on Nov 2, 2007 5:47 AM by bdaw
      • 15. Re: JBoss Portal LDAP Setup
        theute

        Thanks, no harm done.
        I hope you will find your way through your issue.

        • 16. Re: JBoss Portal LDAP Setup
          bdaw

          Basic instructions for setting up LDAP as the source of user/role information for the portal (not only authentication) in 2.6 can be found here:
          http://wiki.jboss.org/wiki/Wiki.jsp?page=Identity_and_Authentication_in_JBoss_Portal_2_6

          There is some more info in the docs for 2.6 alpha2.

          • 17. Re: JBoss Portal LDAP Setup
            dleerob

            Thanks for the reply. I will take a look at the link you posted. I'm a bit wary, however, of using JBoss Portal 2.6 in a production environment until it is stable, so we are currently using version 2.4.1. Is there any way to do this in version 2.4.1, or to solve my issue mentioned above with securities?

            • 18. Re: JBoss Portal LDAP Setup
              bdaw

              In 2.4.1:
              - yes for authentication (LdapLoginModule)
              - no for user management - you will need to manually implement the UserModule and RoleModule interfaces for that. You can use the example MSAD implementation as a reference (http://jira.jboss.com/jira/browse/JBPORTAL-464)

              In 2.6 there is built-in support for LDAP. It won't cover all cases but should handle most.

              btw, which LDAP server and what tree shape are you planning to use?

              • 19. Re: JBoss Portal LDAP Setup
                dleerob

                Thanks.
                User management isn't too serious for now; if I can do that locally, it's fine. It's the LDAP authentication which is required. Unfortunately, by using local user management, the securities are all messed up when logging in with LDAP passwords for the users. That's where my major problem lies. Using the local user passwords seems fine, but that won't cut it; we need to use the LDAP passwords.

                Our network uses Novell eDirectory, but all of that is taken care of by our netware guru, so I am unsure about the tree shape.

                • 20. Re: JBoss Portal LDAP Setup
                  dleerob

                  Okay so the way I ended up working around the security issues when using LDAP is this:

                  - I downloaded the source so I could build the JBoss Portal myself.
                  - I DID NOT enable LDAP authentication and used the standard setup that comes with JBoss Portal.
                  - I created all the users I wanted in JBoss Portal the usual way, all with the same password, for example, "mypassword", but made sure that each username corresponded to the user name in my LDAP directory.
                  - I downloaded the JLdap library from www.openldap.org.
                  - I put the jar file in the portal lib directory.
                  - I added the jar file to jboss-portal-2.4.1-src\thirdparty.
                  - Added the classpath to jboss-portal-2.4.1-src\identity\build.xml.
                  - I edited jboss-portal-2.4.1-src\identity\src\main\org\jboss\portal\identity\auth\IdentityLoginModule in the JBoss Portal source code and added my own LDAPAuthentication method.
                  - In IdentityLoginModule, I edited the method validatePassword, and at the top of it, I called my LDAPAuthentication method with the supplied username and password, which then returned true if LDAP authentication passed, or false if it failed. If true was returned, I changed the supplied password to "mypassword" in the validatePassword method, otherwise I changed it to "incorrect" or some other incorrect string. Now the rest of the validatePassword method continues normally, and will log in the user locally if they used their correct LDAP password.
                  - I built the portal source from scratch, and my customized LDAP authentication worked perfectly.

                  A workaround, I know, but it works, and hopefully it will help someone else.
                  When JBoss Portal 2.6 is stable, I will upgrade to that, and all of this will probably fall away.
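
                  The following is an added illustration of the LDAP check described in the post above; it is not dleerob's code and not part of JBoss Portal. It uses the JDK's own JNDI LDAP provider (javax.naming) instead of the JLdap library mentioned, and the provider URL and DN template are assumed placeholders that would have to match the real directory. The two checks a practitioner would want around a bind-based password test are included: an empty password is rejected before the bind (with simple authentication, an empty credential is an anonymous/unauthenticated bind, which many servers accept, so the "test" would pass for any known username), and any directory error other than a clean authentication failure fails closed.

```java
import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

/**
 * Verifies a username/password pair by performing an LDAP simple bind as
 * that user. Hypothetical helper for illustration; the URL and DN template
 * below are assumptions, not values from the thread.
 */
public final class LdapBindCheck {

    private final String providerUrl; // assumed, e.g. "ldaps://ldap.example.com:636"
    private final String dnTemplate;  // assumed, e.g. "cn={0},ou=users,o=example"

    public LdapBindCheck(String providerUrl, String dnTemplate) {
        this.providerUrl = providerUrl;
        this.dnTemplate = dnTemplate;
    }

    /**
     * Returns true only if a simple bind as the user with the given password
     * succeeds. Every other outcome (bad password, unreachable server,
     * malformed input) returns false.
     */
    public boolean authenticate(String username, char[] password) {
        // Reject empty input up front: with SECURITY_AUTHENTICATION=simple an
        // empty credential is an anonymous bind, which the server may accept.
        if (username == null || username.isEmpty() || password == null || password.length == 0) {
            return false;
        }
        // Only substitute plain account names into the DN template, so a
        // crafted username cannot alter the DN that is bound.
        if (!username.matches("[A-Za-z0-9._-]+")) {
            return false;
        }

        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, providerUrl);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, dnTemplate.replace("{0}", username));
        env.put(Context.SECURITY_CREDENTIALS, new String(password));
        // Bounded connect/read timeouts so a hung directory cannot stall logins.
        env.put("com.sun.jndi.ldap.connect.timeout", "5000");
        env.put("com.sun.jndi.ldap.read.timeout", "5000");

        DirContext ctx = null;
        try {
            ctx = new InitialDirContext(env); // the bind happens here
            return true;
        } catch (AuthenticationException e) {
            return false; // wrong password or unknown DN
        } catch (NamingException e) {
            return false; // server down, TLS failure, etc.: fail closed
        } finally {
            if (ctx != null) {
                try { ctx.close(); } catch (NamingException ignored) { }
            }
        }
    }

    // Stand-alone usage against the assumed placeholder directory.
    public static void main(String[] args) {
        LdapBindCheck check = new LdapBindCheck("ldaps://ldap.example.com:636",
                                                "cn={0},ou=users,o=example");
        boolean ok = check.authenticate("jdoe", "secret".toCharArray());
        System.out.println("LDAP bind " + (ok ? "succeeded" : "failed"));
    }
}
```

                  In the substitution scheme from the post, the fixed local password ("mypassword") becomes a shared credential for every account, so it only stays harmless as long as no other login path accepts local passwords directly; the bind should also go over LDAPS (or StartTLS), since a simple bind sends the password in clear text otherwise.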

                  • 21. Re: JBoss Portal LDAP Setup
                    jboss.biancashouse.com

                    Hey guys, thanks for the help in setting up LDAP.
                    I can now login as admin and normal users to OpenDS.

                    BUT when I add new users, they appear in OpenDS, but not as a member of the Authenticated role. In order to log in with a new user account, I have to manually add it to the role and also I have to reset the password in LDAP (I use JXplorer - excellent LDAP GUI).

                    Also, updates to the user profile won't work, because the LDAP schema needs to be set up to follow the Portal profile schema.

                    Am I missing something ?
                    or is it just early stages of your LDAP integration with more to come ?

                    Thanks anyway,

                    Ian
                    Sydney

                    • 22. Re: JBoss Portal LDAP Setup
                      bdaw

                      Not sure how you set this up. For 2.6 just use the instructions from the wiki
                      http://wiki.jboss.org/wiki/Wiki.jsp?page=Identity_and_Authentication_in_JBoss_Portal_2_6
                      or wait a few days for the Beta with a bit more helpful documentation in the Reference Guide.

                      • 23. Re: JBoss Portal LDAP Setup
                        dhartford

                        Usecase:

                        *Use LDAP for username/passwords (authenticate).
                        *Use DB for roles/ACL/everything else related to Portal (authorization/etc).

                        I've been poking at this for a while on the 2.6 alpha1, and alpha2. There are some comments in the configs, but no success yet.

                        Is there a reason not to re-use existing projects like the JBoss SSO or the login modules related to the way Portals work? I understand the portal schema for roles/ACL/customization/personalization does need to be different, but just trying to re-use usernames/passwords and pushing everything else to its own DB seems too complicated.

                        • 24. Re: JBoss Portal LDAP Setup
                          bdaw

                          I recently added SynchronizingLdapLoginModule, which extends LdapLoginModule from JBossSX, and SynchronizingLdapExtLoginModule, which does the same for LdapExtLoginModule. You can use them to
                          - just authenticate against LDAP + inject additional role principal which is used to secure portal application
                          - authenticate against LDAP + synchronize ldap user into portal DB
                          - authenticate against LDAP + synchronize ldap user into portal DB + assign such user to specified portal role
                          - authenticate against LDAP + synchronize ldap user into portal DB + assign such user to specified portal role + try to synchronize all the roles obtained for such user from LDAP into portal DB

                          As you can see, it can be quite flexible. It's in svn trunk and will be in beta, but there is no documentation. Just look at the commented block of code in login-config.xml - minimal documentation is in the comment block.

                          You need to remember that it's hard to decouple users and roles because of their relationship. So you can't just keep users in LDAP and roles in the DB.

                          With the current identity modules implementation you can keep most information about users directly in LDAP anyway. This is documented for beta.

                          • 25. Re: JBoss Portal LDAP Setup
                            dhartford

                            That's great bdaw!!

                            I would like to carry over roles from the LDAP, but since the Portal may have new roles I was going with the use-case of moving all the roles to the portal-oriented-DB.

                            With that last option for the SynchronizingLdapLoginModule:
                            - authenticate against LDAP + synchronize ldap user into portal DB + assign such user to specified portal role + try to synchronize all the roles obtained for such user from LDAP into portal DB

                            That is perfect for my use case, and probably other people with similar scenarios. I look forward to checking out the Beta release (pending the date), or may grab from SVN if I have an opportunity.

                            Do you have a direct sample related to the last option for the login-config.xml and the related portal identity-* configs (tying the two-to-three configs together is part of the challenge)?

                            p.s. I really like the idea of re-using my existing login modules instead of re-setting it up in the portal identity files, thank you :-)

                            • 26. Re: JBoss Portal LDAP Setup
                              bdaw

                              Happy to hear that :)

                              Look here. It's the second login module (commented).

                              It's just a quick prototype so it's not much tested but should work. The code is also quite simple (ext one here: here)

                              We may think about providing something more general to use with any login module if there is enough time, but you can easily extend any login module in a similar way by just reusing this code.

                              • 27. Re: JBoss Portal LDAP Setup
                                shilpak

                                Hi,

                                I am using the JBoss Portal 2.6.0 bundle version. I made the changes in jboss-service.xml to use the LDAP server as storage. And in login-config.xml I uncommented the SynchronizingLoginModule module. So I will be using SynchronizingLoginModule and IdentityLoginModule for authentication.

                                I started the server. I am able to add users from the LDAP browser and it's reflected in the application. And also I am able to add users through the application and able to see them in the LDAP browser. But when I stop the LDAP server, I still should be able to log in with old and new user accounts, right, as I have used SynchronizingLoginModule? It would have synchronised LDAP users with the DB? Does SynchronizingLoginModule not work?

                                If I stop the LDAP server and restart the application, I am not able to log in with any credentials. If I modify jboss-service.xml to use the DB as storage, then I am able to log in with old users, but not with new users which I added through LDAP.

                                What's the use of SynchronizingLoginModule then?

                                Hope I am clear in explaining my problem.

                                Thanks in advance
                                Shilpa

                                • 28. Re: JBoss Portal LDAP Setup
                                  bdaw

                                  Your config is wrong.

                                  http://docs.jboss.com/jbportal/v2.6/referenceGuide/html/authentication.html#authentication.synchronizing_login_module

                                  "This module is designed to provide synchronization support for any other LoginModule placed in the authentication stack."

                                  So in your particular case you are synchronizing from LDAP to .... LDAP. It's because the portal is configured to store and retrieve users from LDAP.

                                  You should use config described here instead:

                                  http://docs.jboss.com/jbportal/v2.6/referenceGuide/html/ldap.html#ldap.synchronizing

                                  Please note that in such case portal LDAP support is not configured so synchronization occurs from LDAP to DB.

                                  "What's the use of SynchronizingLoginModule then?"

                                  SynchronizingLoginModule is designed to provide easy integration with any authentication method that is pluggable using a JAAS LoginModule. It's not designed to replace an LDAP failover mechanism or as a user migration strategy.

                                  • 29. Re: JBoss Portal LDAP Setup
                                    doranen

                                    "bdaw" wrote:
                                    I recently added SynchronizingLdapLoginModule that extends LdapLoginModule (http://wiki.jboss.org/wiki/Wiki.jsp?page=LdapLoginModule) from JBossSX and SynchronizingLdapExtLoginModule that does the same for LdapExtLoginModule (http://wiki.jboss.org/wiki/Wiki.jsp?page=LdapExtLoginModule). You can use them to
                                    - just authenticate against LDAP + inject additional role principal which is used to secure portal application
                                    - authenticate against LDAP + synchronize ldap user into portal DB
                                    - authenticate against LDAP + synchronize ldap user into portal DB + assign such user to specified portal role
                                    - authenticate against LDAP + synchronize ldap user into portal DB + assign such user to specified portal role + try to synchronize all the roles obtained for such user from LDAP into portal DB
                                    ...
                                    You need to remember that it's hard to decouple users and roles because of relationship. So you can't just keep users in LDAP and roles in DB.
                                    ...

                                    Hi bdaw,

                                    Like dhartford, I need to use the LDAP for authentication (username/password) only and not store any role information there. It seems from your Use Case #1 that this is possible by just authenticating and then synchronizing users/new roles to the DB, but I am confused as to what to use for my config settings in jboss-service.xml, login-config.xml, as well as identity-config.xml. Which login modules should I use and what options should I set? I am just using a test LDAP (OpenDS) for getting the proof of concept. Thanks for any advice you can give.

                                    JBoss Portal Version : 2.6.2 Bundled
                                    Downloaded Portal, not from CVS
                                    JBoss AS Version: 4.2.1
                                    Database Vendor and Version: MySQL
                                    JDBC Connector and Version: MySQL connector/J 5.1
                                    OS Platform: Windows XP Pro