4 Replies Latest reply on Feb 14, 2012 8:22 AM by Janko Joc

    JBoss Admin-Console LDAP authentification

    Dominique Boeckli Newbie

      Due the fact that there's no complete documentation how to setup the ldap authentification for the amin-console, i post my configuration which worked for me:

       

      1. Add a LDAP security configuration in the login-config.xml (server/default/conf/login-config.xml)

       

      <application-policy name="LDAP">

              <authentication>

       

                  <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule"

                      flag="sufficient">

                      <module-option name="java.naming.provider.url">ldaps://ldap.hp.com

                      </module-option>

                      <module-option name="bindDN">cn=xxxxLdapAdminAcountxxxxx,ou=Applications,o=hp.com

                      </module-option>

                      <module-option name="bindCredential">xxxxLdapAdminAcountPasswordxxxxx</module-option>

                      <module-option name="baseCtxDN">ou=People,o=hp.com</module-option>

                      <module-option name="baseFilter">(uid={0})</module-option>

                      <module-option name="rolesCtxDN">ou=Groups,o=hp.com</module-option>

                      <module-option name="roleAttributeID">cn</module-option>

                      <module-option name="roleFilter">(member={1})</module-option>

                      <module-option name="roleRecursion">-1</module-option>

                      <module-option name="searchScope">SUBTREE_SCOPE</module-option>

                      <module-option name="allowEmptyPasswords">false</module-option>

                      <module-option name="searchTimeLimit">-1</module-option>

                      <module-option name="java.naming.security.protocol">ssl</module-option>

                  </login-module>

       

              </authentication>

          </application-policy>

       

      2. Edit components.xml (common/deploy/admin-console.war/WEB-INF/components.xml)

       

          <security:identity authenticate-method="#{authenticator.authenticate}"

                             jaas-config-name="LDAP"/>

       

       

      3. Edit pages.xml (common/deploy/admin-console.war/WEB-INF/pages.xml)

       

          <page view-id="/login.xhtml">

              <navigation>

                  <rule if="#{s:hasRole('YOUR_LDAP_ADMIN_ROLE')}">

                      <redirect view-id="/secure/summary.xhtml"/>

                  </rule>

              </navigation>

          </page>

       

          <page view-id="/secure/*" login-required="true">

              <restrict>#{s:hasRole('YOUR_LDAP_ADMIN_ROLE')}</restrict>

          </page>

       

      4. Edit resourceNavigation.xhtml (common/deploy/admin-console.war/WEB-INF/facelets/resourceNavigation.xhtml)

       

      <h:form id="navTreeForm" rendered="#{s:hasRole('YOUR_LDAP_ADMIN_ROLE')}">

       

      From now everybody who has a valid LDAP account and is member of the LDAP Admin Role (Group) can access the admin-console.

       

      Hope this helps

        • 1. Re: JBoss Admin-Console LDAP authentification
          Dominique Boeckli Newbie

          Correction:

          - the flag in the security config should be in this case: flag="required"

          - ssl authentification used in this case need some more configuration which is described in the wikis (a valid key is needed). When ssl is not required, just drop the ssl part of it.

          - edit jboss-web.xml ((common/deploy/admin-console.war/WEB-INF/jboss-web.xml):

           

          <jboss-web>

           

              <class-loading>

                  <loader-repository>

                      org.jboss.on:loader=embedded

                      <loader-repository-config>java2ParentDelegation=false</loader-repository-config>

                  </loader-repository>

              </class-loading>

           

              <security-domain flushOnSessionInvalidation="true">java:/jaas/LDAP</security-domain>

           

              <context-root>admin-console</context-root>

           

          </jboss-web>

           

          - edit web.xml (common/deploy/admin-console.war/WEB-INF/web.xml):

           

          <login-config>

                  <auth-method>BASIC</auth-method>

                  <realm-name>JBoss embedded Console</realm-name>

          </login-config>

          <security-role>

                 <role-name>YOUR_LDAP_ADMIN_GROUP</role-name>

          </security-role>

          • 2. JBoss Admin-Console LDAP authentification
            Mid DC Newbie

            Did above config. worked for you? I am trying the same and unable to login with LDAP credentials. Also which ldap server you were configuring,.,?

            Thanks.

            • 3. JBoss Admin-Console LDAP authentification
              Dominique Boeckli Newbie

              Yes, it did. But the configuration depends on your ldap installation. Take a look at the JBoss LDAP Wiki :

              http://community.jboss.org/wiki/LdapLoginModule

               

              Expecially those parameters can vary on different Ldap Installation:

              <module-option name="baseCtxDN">ou=People,o=hp.com</module-option>

              <module-option name="baseFilter">(uid={0})</module-option>

              <module-option name="rolesCtxDN">ou=Groups,o=hp.com</module-option>

              <module-option name="roleAttributeID">cn</module-option>

              <module-option name="roleFilter">(member={1})</module-option

              • 4. Re: JBoss Admin-Console LDAP authentification
                Janko Joc Newbie

                Thank you for this post.

                Does anyone know why the solution works fine on 'standard' LDAP, but in doesn't work on mainframe (RACF).

                 

                I think the problem is in the roleFilter (in login-config.xml)

                 

                Error while performing search

                  Filter '(racfgroupuserids="RACFID=XXXX,PROFILETYPE=XXXX,SECAUTHORITY=XXXX")' is not supported.

                 

                Thank you for your help.