JBoss Admin-Console LDAP authentication
domboeckli Mar 11, 2011 4:06 AM
Due to the fact that there's no complete documentation on how to set up LDAP authentication for the admin-console, I post my configuration which worked for me:
1. Add an LDAP security configuration in the login-config.xml (server/default/conf/login-config.xml)
<application-policy name="LDAP">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="sufficient">
      <module-option name="java.naming.provider.url">ldaps://ldap.hp.com</module-option>
      <module-option name="bindDN">cn=xxxxLdapAdminAcountxxxxx,ou=Applications,o=hp.com</module-option>
      <module-option name="bindCredential">xxxxLdapAdminAcountPasswordxxxxx</module-option>
      <module-option name="baseCtxDN">ou=People,o=hp.com</module-option>
      <module-option name="baseFilter">(uid={0})</module-option>
      <module-option name="rolesCtxDN">ou=Groups,o=hp.com</module-option>
      <module-option name="roleAttributeID">cn</module-option>
      <module-option name="roleFilter">(member={1})</module-option>
      <module-option name="roleRecursion">-1</module-option>
      <module-option name="searchScope">SUBTREE_SCOPE</module-option>
      <module-option name="allowEmptyPasswords">false</module-option>
      <module-option name="searchTimeLimit">-1</module-option>
      <module-option name="java.naming.security.protocol">ssl</module-option>
    </login-module>
  </authentication>
</application-policy>
2. Edit components.xml (common/deploy/admin-console.war/WEB-INF/components.xml)
<security:identity authenticate-method="#{authenticator.authenticate}"
                   jaas-config-name="LDAP"/>
3. Edit pages.xml (common/deploy/admin-console.war/WEB-INF/pages.xml)
<page view-id="/login.xhtml">
  <navigation>
    <rule if="#{s:hasRole('YOUR_LDAP_ADMIN_ROLE')}">
      <redirect view-id="/secure/summary.xhtml"/>
    </rule>
  </navigation>
</page>
<page view-id="/secure/*" login-required="true">
  <restrict>#{s:hasRole('YOUR_LDAP_ADMIN_ROLE')}</restrict>
</page>
4. Edit resourceNavigation.xhtml (common/deploy/admin-console.war/WEB-INF/facelets/resourceNavigation.xhtml)
<h:form id="navTreeForm" rendered="#{s:hasRole('YOUR_LDAP_ADMIN_ROLE')}">
From now on, everybody who has a valid LDAP account and is a member of the LDAP Admin Role (Group) can access the admin-console.
Hope this helps
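Added example, not part of domboeckli's post or of JBoss itself: a small Python simulation of the two-phase lookup the login module configured in step 1 performs (find the user under baseCtxDN with baseFilter, bind as that user, then collect roles under rolesCtxDN with roleFilter, where {0} is the login name and {1} the user's DN), followed by the has-role check that steps 3 and 4 gate on. It runs against a constructed in-memory directory so it works offline; the entries, the o=example.com DNs and the role name JBOSS_ADMIN are assumptions standing in for the post's placeholders. It also shows why allowEmptyPasswords=false matters: an empty password is an unauthenticated bind, which an LDAP server accepts, so the module must refuse it before ever binding.

```python
from typing import Dict, List, Optional, Tuple

Entry = Dict[str, List[str]]

# Constructed in-memory directory (assumption; stands in for the real LDAP server).
DIRECTORY: Dict[str, Entry] = {
    "uid=alice,ou=People,o=example.com": {"uid": ["alice"], "userPassword": ["alice-secret"]},
    "uid=bob,ou=People,o=example.com": {"uid": ["bob"], "userPassword": ["bob-secret"]},
    "cn=JBOSS_ADMIN,ou=Groups,o=example.com": {
        "cn": ["JBOSS_ADMIN"],
        "member": ["uid=alice,ou=People,o=example.com"]},
    "cn=developers,ou=Groups,o=example.com": {
        "cn": ["developers"],
        "member": ["uid=alice,ou=People,o=example.com", "uid=bob,ou=People,o=example.com"]},
}

# The module options from step 1, with the post's placeholders replaced by assumed values.
CONFIG = {
    "baseCtxDN": "ou=People,o=example.com",
    "baseFilter": "(uid={0})",
    "rolesCtxDN": "ou=Groups,o=example.com",
    "roleAttributeID": "cn",
    "roleFilter": "(member={1})",
    "allowEmptyPasswords": False,
}


def search(ctx_dn: str, ldap_filter: str) -> List[Tuple[str, Entry]]:
    """SUBTREE_SCOPE search below ctx_dn for a single equality filter '(attr=value)'.
    Matching is exact on the whole attribute value; this is not a full filter parser."""
    attr, _, value = ldap_filter.strip("()").partition("=")
    return [(dn, e) for dn, e in DIRECTORY.items()
            if dn.endswith("," + ctx_dn) and value in e.get(attr, [])]


def server_bind(dn: str, password: str) -> bool:
    """Models the server side of an LDAP simple bind. An empty password is an
    *unauthenticated* bind (RFC 4513), which servers commonly accept, so it
    returns True here regardless of the DN; the module must screen it out."""
    if password == "":
        return True
    entry = DIRECTORY.get(dn)
    return entry is not None and password in entry.get("userPassword", [])


def authenticate(username: str, password: str, config=CONFIG) -> Tuple[bool, Optional[str], List[str]]:
    """Returns (success, user_dn, roles), mirroring the module's lookup order."""
    if password == "" and not config["allowEmptyPasswords"]:
        return False, None, []  # refuse before binding: an empty bind would "succeed"
    hits = search(config["baseCtxDN"], config["baseFilter"].replace("{0}", username))
    if len(hits) != 1:
        return False, None, []  # unknown user or ambiguous match
    user_dn = hits[0][0]
    if not server_bind(user_dn, password):
        return False, user_dn, []
    role_filter = config["roleFilter"].replace("{0}", username).replace("{1}", user_dn)
    role_hits = search(config["rolesCtxDN"], role_filter)
    roles = sorted(v for _, e in role_hits for v in e.get(config["roleAttributeID"], []))
    return True, user_dn, roles


def has_role(roles: List[str], required: str) -> bool:
    """The equivalent of s:hasRole('YOUR_LDAP_ADMIN_ROLE') in pages.xml."""
    return required in roles


if __name__ == "__main__":
    for user, pw in [("alice", "alice-secret"), ("bob", "bob-secret"), ("alice", "")]:
        ok, dn, roles = authenticate(user, pw)
        print(user, ok, dn, roles, "admin" if has_role(roles, "JBOSS_ADMIN") else "denied")
```

Bob authenticates fine but only carries the developers role, so the restrict rule in pages.xml keeps him out of /secure/*; alice with an empty password is rejected by the module, and flipping allowEmptyPasswords to true in the same simulation lets that empty bind through with her full role set, which is the failure mode the option exists to prevent.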