0 Replies Latest reply on Jun 29, 2010 3:21 PM by blindmonkey

    JBoss 5.0, Active Directory and LDAP

    blindmonkey

      Hello, I am trying to set up authentication and authorization through JBoss using JAAS, and I've run into somewhat of a problem.  The company's Active Directory is organized in the following manner:

           + DC=com
                + DC=company
                     + OU=user groups
                          + CN=group 1
                          + CN=group 2
                          + CN=group 3
                     + OU=user accounts
                          + OU=department 1
                               + CN=user 1
                                    belongs to group 1, group 2
                               + CN=user 2
                                    belongs to group 1
                               + CN=user 3
                          + OU=department 2
                               + CN=user 4
                                    belongs to group 1, group 3
                               + CN=user 5


      This is a problem because, with the current LDAP configuration that I have, I have to specify a department for rolesCtxDN.  Even though any user can log in, roles are only assigned to people from the department that is specified in rolesCtxDN.  This means that I can't do authentication for users in any other department.  For example, if I have rolesCtxDN="ou=department 1,ou=user accounts,dc=company,dc=com", then user 1, user 2, and user 3 can authenticate and the app correctly identifies the groups they are in.  However, if user 4 were to log in, then he would not be given any roles, even though he is in group 1 and group 3.  Here are the settings that I think might be relevant:

              <module-option name="uidAttributeID">userPrincipalName</module-option>
              <module-option name="matchOnUserDN">true</module-option>
              <module-option name="roleAttributeID">memberOf</module-option>
              <module-option name="roleAttributeIsDN">true</module-option>
              <module-option name="roleNameAttributeID">name</module-option>
              <module-option name="rolesCtxDN">ou=department 1,ou=user accounts,dc=company,dc=com</module-option>


      Could somebody please help?  I can give more information if necessary.
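The behaviour described in the question (user 4 authenticates but receives no roles) follows from how the roles step is scoped: the login module searches beneath rolesCtxDN for the user's own entry and reads its memberOf attribute, so an entry that sits outside that base is simply never examined. The toy model below is example code added to this thread, not JBoss code; it does not contact a directory, and the entries, UPNs and group DNs are constructed from the tree in the question. It shows how the base DN and the search scope (OBJECT_SCOPE, ONELEVEL_SCOPE or SUBTREE_SCOPE, the three values LDAP and JNDI define) decide which users can be assigned roles, which is the check to make before widening a base DN in production.

```python
"""Model of an LDAP roles lookup: which user entries fall under a search base
at a given scope, and what roles they resolve to.  Constructed example; the
directory below mirrors the tree in the question and is not a real AD."""

# Constructed directory: DN -> attributes.  As in Active Directory, memberOf
# on the user entry holds the DNs of the groups the user belongs to.
DIRECTORY = {
    "cn=user 1,ou=department 1,ou=user accounts,dc=company,dc=com": {
        "userPrincipalName": "user1@company.com",
        "memberOf": ["cn=group 1,ou=user groups,dc=company,dc=com",
                     "cn=group 2,ou=user groups,dc=company,dc=com"]},
    "cn=user 2,ou=department 1,ou=user accounts,dc=company,dc=com": {
        "userPrincipalName": "user2@company.com",
        "memberOf": ["cn=group 1,ou=user groups,dc=company,dc=com"]},
    "cn=user 3,ou=department 1,ou=user accounts,dc=company,dc=com": {
        "userPrincipalName": "user3@company.com", "memberOf": []},
    "cn=user 4,ou=department 2,ou=user accounts,dc=company,dc=com": {
        "userPrincipalName": "user4@company.com",
        "memberOf": ["cn=group 1,ou=user groups,dc=company,dc=com",
                     "cn=group 3,ou=user groups,dc=company,dc=com"]},
    "cn=user 5,ou=department 2,ou=user accounts,dc=company,dc=com": {
        "userPrincipalName": "user5@company.com", "memberOf": []},
}

# Constructed group entries; "name" plays the role of roleNameAttributeID.
GROUPS = {
    "cn=group 1,ou=user groups,dc=company,dc=com": {"name": "group 1"},
    "cn=group 2,ou=user groups,dc=company,dc=com": {"name": "group 2"},
    "cn=group 3,ou=user groups,dc=company,dc=com": {"name": "group 3"},
}

SCOPES = ("OBJECT_SCOPE", "ONELEVEL_SCOPE", "SUBTREE_SCOPE")


def split_dn(dn):
    """Split a DN into normalised RDNs, leaf first.  Splits on a bare comma,
    which is enough for the DNs above; escaped commas in RDN values (RFC 4514)
    would need a real DN parser."""
    return [rdn.strip().lower() for rdn in dn.split(",")]


def in_scope(entry_dn, base_dn, scope):
    """True if entry_dn is returned by a search rooted at base_dn with scope."""
    if scope not in SCOPES:
        raise ValueError("unknown scope: %s" % scope)
    entry, base = split_dn(entry_dn), split_dn(base_dn)
    if len(entry) < len(base) or entry[len(entry) - len(base):] != base:
        return False                      # not under the base at all
    depth = len(entry) - len(base)        # 0 = the base entry itself
    if scope == "OBJECT_SCOPE":
        return depth == 0
    if scope == "ONELEVEL_SCOPE":
        return depth == 1
    return True                           # SUBTREE_SCOPE


def users_in_scope(base_dn, scope):
    """UPNs of every user entry a roles search with this base/scope can reach."""
    return sorted(attrs["userPrincipalName"] for dn, attrs in DIRECTORY.items()
                  if in_scope(dn, base_dn, scope))


def roles_for(upn, roles_ctx_dn, scope, role_attr="memberOf", role_name_attr="name"):
    """Mimic the roles step: find the entry whose uid attribute matches the
    login name within the search base, read role_attr (a list of group DNs,
    i.e. roleAttributeIsDN=true) and map each DN to role_name_attr on the
    group entry.  Returns [] when the entry lies outside the base: the user
    is still authenticated, but gets no roles, which is the symptom in the
    question."""
    for dn, attrs in DIRECTORY.items():
        if attrs["userPrincipalName"] == upn and in_scope(dn, roles_ctx_dn, scope):
            return sorted(GROUPS[g][role_name_attr] for g in attrs[role_attr])
    return []


if __name__ == "__main__":
    dept1 = "ou=department 1,ou=user accounts,dc=company,dc=com"
    everyone = "ou=user accounts,dc=company,dc=com"
    for base, scope in ((dept1, "ONELEVEL_SCOPE"), (everyone, "ONELEVEL_SCOPE"),
                        (everyone, "SUBTREE_SCOPE")):
        print(base, scope, "reaches", users_in_scope(base, scope))
        print("  user4 roles:", roles_for("user4@company.com", base, scope))
```

Two things the model makes visible: widening rolesCtxDN to the parent OU is not enough on its own if the search scope stays at one level, because the user entries are two levels down; and once the base is widened, every user under it becomes eligible for roles, so the group membership of those users (memberOf) is what now gates access, which is worth reviewing before the change goes live.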