4 Replies Latest reply on Feb 14, 2012 8:22 AM by ilko

JBoss Admin-Console LDAP authentification

domboeckli Mar 11, 2011 4:06 AM

Due the fact that there's no complete documentation how to setup the ldap authentification for the amin-console, i post my configuration which worked for me:

1. Add a LDAP security configuration in the login-config.xml (server/default/conf/login-config.xml)

<application-policy name="LDAP">

<login-module code="org.jboss.security.auth.spi.LdapExtLoginModule"

flag="sufficient">

<module-option name="java.naming.provider.url">ldaps://ldap.hp.com

</module-option>

<module-option name="bindDN">cn=xxxxLdapAdminAcountxxxxx,ou=Applications,o=hp.com

</module-option>

<module-option name="bindCredential">xxxxLdapAdminAcountPasswordxxxxx</module-option>

<module-option name="baseCtxDN">ou=People,o=hp.com</module-option>

<module-option name="baseFilter">(uid={0})</module-option>

<module-option name="rolesCtxDN">ou=Groups,o=hp.com</module-option>

<module-option name="roleAttributeID">cn</module-option>

<module-option name="roleFilter">(member={1})</module-option>

<module-option name="roleRecursion">-1</module-option>

<module-option name="searchScope">SUBTREE_SCOPE</module-option>

<module-option name="allowEmptyPasswords">false</module-option>

<module-option name="searchTimeLimit">-1</module-option>

<module-option name="java.naming.security.protocol">ssl</module-option>

</login-module>

</authentication>

</application-policy>

2. Edit components.xml (common/deploy/admin-console.war/WEB-INF/components.xml)

<security:identity authenticate-method="#{authenticator.authenticate}"

jaas-config-name="LDAP"/>

3. Edit pages.xml (common/deploy/admin-console.war/WEB-INF/pages.xml)

</rule>

</navigation>

</page>

<restrict>#{s:hasRole('YOUR_LDAP_ADMIN_ROLE')}</restrict>

</page>

4. Edit resourceNavigation.xhtml (common/deploy/admin-console.war/WEB-INF/facelets/resourceNavigation.xhtml)

<h:form id="navTreeForm" rendered="#{s:hasRole('YOUR_LDAP_ADMIN_ROLE')}">

From now everybody who has a valid LDAP account and is member of the LDAP Admin Role (Group) can access the admin-console.

Hope this helps

1. Re: JBoss Admin-Console LDAP authentification

domboeckli Mar 11, 2011 4:26 AM (in response to domboeckli)

Correction:
- the flag in the security config should be in this case: flag="required"
- ssl authentification used in this case need some more configuration which is described in the wikis (a valid key is needed). When ssl is not required, just drop the ssl part of it.
- edit jboss-web.xml ((common/deploy/admin-console.war/WEB-INF/jboss-web.xml):

<jboss-web>

    <class-loading>
        <loader-repository>
            org.jboss.on:loader=embedded
            <loader-repository-config>java2ParentDelegation=false</loader-repository-config>
        </loader-repository>
    </class-loading>

    <security-domain flushOnSessionInvalidation="true">java:/jaas/LDAP</security-domain>

    <context-root>admin-console</context-root>

</jboss-web>

- edit web.xml (common/deploy/admin-console.war/WEB-INF/web.xml):

<login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>JBoss embedded Console</realm-name>
</login-config>
<security-role>
       <role-name>YOUR_LDAP_ADMIN_GROUP</role-name>
</security-role>
Actions
2. JBoss Admin-Console LDAP authentification

middleware11 May 2, 2011 10:53 AM (in response to domboeckli)

Did above config. worked for you? I am trying the same and unable to login with LDAP credentials. Also which ldap server you were configuring,.,?
Thanks.
Actions
3. JBoss Admin-Console LDAP authentification

domboeckli May 4, 2011 4:05 AM (in response to middleware11)

Yes, it did. But the configuration depends on your ldap installation. Take a look at the JBoss LDAP Wiki :
http://community.jboss.org/wiki/LdapLoginModule

Expecially those parameters can vary on different Ldap Installation:
<module-option name="baseCtxDN">ou=People,o=hp.com</module-option>
<module-option name="baseFilter">(uid={0})</module-option>
<module-option name="rolesCtxDN">ou=Groups,o=hp.com</module-option>
<module-option name="roleAttributeID">cn</module-option>
<module-option name="roleFilter">(member={1})</module-option
Actions
4. Re: JBoss Admin-Console LDAP authentification

ilko Feb 14, 2012 8:22 AM (in response to domboeckli)

Thank you for this post.
Does anyone know why the solution works fine on 'standard' LDAP, but in doesn't work on mainframe (RACF).

I think the problem is in the roleFilter (in login-config.xml)

Error while performing search
Filter '(racfgroupuserids="RACFID=XXXX,PROFILETYPE=XXXX,SECAUTHORITY=XXXX")' is not supported.

Thank you for your help.
Actions

Go to original post