JBoss 5.0, Active Directory and LDAP
blindmonkey Jun 29, 2010 3:21 PM

Hello, I am trying to set up authentication and authorization through JBoss using JAAS, and I've run into somewhat of a problem. The company's Active Directory is organized in the following manner:
+ DC=com
  + DC=company
    + OU=user groups
      + CN=group 1
      + CN=group 2
      + CN=group 3
    + OU=user accounts
      + OU=department 1
        + CN=user 1
          belongs to group 1, group 2
        + CN=user 2
          belongs to group 1
        + CN=user 3
      + OU=department 2
        + CN=user 4
          belongs to group 1, group 3
        + CN=user 5
This is a problem because with the current LDAP configuration that I have, I have to specify a department for rolesCtxDN. Even though any user can log in, roles are only assigned to people from the department that is specified in rolesCtxDN. This means that I can't do authentication for users in any other department. For example, if I have rolesCtxDN="ou=department 1,ou=user accounts,dc=company,dc=com", then user 1, user 2, and user 3 can authenticate and the app correctly identifies the groups they are in. However, if user 4 were to log in, then he would not be given any roles, even though he is in group 1 and group 3. Here are the settings that I think might be relevant:
<module-option name="uidAttributeID">userPrincipalName</module-option>
<module-option name="matchOnUserDN">true</module-option>
<module-option name="roleAttributeID">memberOf</module-option>
<module-option name="roleAttributeIsDN">true</module-option>
<module-option name="roleNameAttributeID">name</module-option>
<module-option name="rolesCtxDN">ou=department 1,ou=user accounts,dc=company,dc=com</module-option>
Could somebody please help? I can give more information if necessary.
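As an added illustration (not part of the post, and not JBoss code), the constructed Python model below mimics how a role lookup restricted to a rolesCtxDN base behaves under a one-level versus a subtree search: the user entry is located under the base by userPrincipalName, and the memberOf DNs on that entry are resolved to group names. The directory entries, the userPrincipalName values and the scope names are assumptions chosen to mirror the tree above.

```python
"""Toy model of a rolesCtxDN-scoped role search (constructed example, not JBoss code)."""

# Constructed directory: DN -> attributes. Keys are already lower-case and
# comma-separated with no spaces, matching the _norm() form used for lookups.
DIRECTORY = {
    "cn=group 1,ou=user groups,dc=company,dc=com": {"name": "group 1"},
    "cn=group 2,ou=user groups,dc=company,dc=com": {"name": "group 2"},
    "cn=group 3,ou=user groups,dc=company,dc=com": {"name": "group 3"},
    "cn=user 1,ou=department 1,ou=user accounts,dc=company,dc=com": {
        "userPrincipalName": "user1@company.com",  # assumed UPN
        "memberOf": ["cn=group 1,ou=user groups,dc=company,dc=com",
                     "cn=group 2,ou=user groups,dc=company,dc=com"]},
    "cn=user 4,ou=department 2,ou=user accounts,dc=company,dc=com": {
        "userPrincipalName": "user4@company.com",  # assumed UPN
        "memberOf": ["cn=group 1,ou=user groups,dc=company,dc=com",
                     "cn=group 3,ou=user groups,dc=company,dc=com"]},
}


def _norm(dn: str) -> str:
    """Case-fold a DN and strip spaces around separators so DNs compare reliably.
    Naive: does not handle escaped commas inside attribute values."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def in_scope(dn: str, base: str, scope: str) -> bool:
    """LDAP search scope semantics: ONELEVEL_SCOPE matches only direct children
    of the base; SUBTREE_SCOPE matches entries at any depth below it."""
    dn, base = _norm(dn), _norm(base)
    if not dn.endswith("," + base):
        return False
    relative = dn[: -len(base) - 1]          # RDNs between the entry and the base
    return scope == "SUBTREE_SCOPE" or "," not in relative


def roles_for(upn: str, roles_ctx_dn: str, scope: str = "ONELEVEL_SCOPE") -> list:
    """Locate the user under roles_ctx_dn, then map its memberOf DNs to group names.
    A user outside the search base yields no roles at all, which is the symptom
    described in the post."""
    for dn, attrs in DIRECTORY.items():
        if attrs.get("userPrincipalName") == upn and in_scope(dn, roles_ctx_dn, scope):
            return sorted(DIRECTORY[_norm(group)]["name"] for group in attrs.get("memberOf", []))
    return []


if __name__ == "__main__":
    dept1 = "ou=department 1,ou=user accounts,dc=company,dc=com"
    accounts = "ou=user accounts,dc=company,dc=com"
    print(roles_for("user4@company.com", dept1))                   # []
    print(roles_for("user4@company.com", accounts, "SUBTREE_SCOPE"))  # ['group 1', 'group 3']
```

The model shows that widening the base alone is not enough: a one-level search from "ou=user accounts" still misses users nested in department OUs, so the base and the search depth must be chosen together.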