7 Replies Latest reply on Dec 24, 2011 6:43 PM by gthomas

    How to integrate Picketlink idp and database

    venkatesha.k.c

      I've created my own schema for users,roles and groups.

      Whenever a request is redirected to the IDP, I want to validate the user from the database (SPI).

      I'm finding difficulty in integrating the SPI and IDP, please provide your thoughts.

        • 1. Re: How to integrate Picketlink idp and database
          anil.saldhana

          On JBoss AS, just use the database jaas login modules.
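
As an added example (not part of the thread), this is what the database JAAS login module Anil refers to looks like for the custom users/roles schema described in the question. The datasource name `java:/IdpDS` and the tables `app_user(username, password_hash)` and `app_user_role(username, role)` are assumptions; the `hashAlgorithm`, `hashEncoding` and `hashCharset` options are inherited from the UsernamePasswordLoginModule base class.

```xml
<!-- Added example for login-config.xml, not from the thread.
     Assumed (hypothetical) names: datasource java:/IdpDS,
     tables app_user(username, password_hash) and app_user_role(username, role). -->
<application-policy name="idp">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule"
                  flag="required">
      <module-option name="dsJndiName">java:/IdpDS</module-option>

      <!-- Each query takes exactly one '?' that the module binds to the
           username via PreparedStatement, so the login name is never
           concatenated into the SQL text. -->
      <module-option name="principalsQuery">SELECT password_hash FROM app_user WHERE username = ?</module-option>

      <!-- Column 1 is the role name, column 2 the role group; roles in the
           "Roles" group are the ones web and EJB authorization checks. -->
      <module-option name="rolesQuery">SELECT role, 'Roles' FROM app_user_role WHERE username = ?</module-option>

      <!-- Compare a digest of the submitted password with the stored
           value instead of keeping clear-text passwords in the table. -->
      <module-option name="hashAlgorithm">SHA-256</module-option>
      <module-option name="hashEncoding">base64</module-option>
      <module-option name="hashCharset">UTF-8</module-option>
    </login-module>
  </authentication>
</application-policy>
```

The stored `password_hash` must be the same unsalted digest the module computes (base64 of SHA-256 over the UTF-8 password here), so access to that table should be restricted to the datasource account.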

          • 2. Re: How to integrate Picketlink idp and database
            venkatesha.k.c

            Thanks for the reply...

            My question is similar to http://community.jboss.org/message/603261#603261

            If you provide examples, it will be more helpful.

            Thanks

            • 3. Re: How to integrate Picketlink idp and database
              kenhuangus

              Did you get any response or find any solution to this question? I am facing a similar problem with LDAP as the identity store for the IDP.

              • 4. Re: How to integrate Picketlink idp and database
                gthomas

                I am trying to use PicketLink Idp with OpenLdap and could not find any documentation on how to go about configuring PicketLink to use LDAP as the identity store. I have downloaded the latest version picketlink-2.0.1.final.zip and extracted the zip file under the Jboss 5.1 deploy directory. How do I go about configuring PicketLink to use OpenLdap? I see references to configuration files, but am trying to figure out where to place these configuration files. Any help will be greatly appreciated!!

                Regards,

                GT

                • 5. Re: How to integrate Picketlink idp and database
                  kenhuangus

                  The "idp" security domain is not defined in the login-config file and as such it will use the "other" domain, which uses UsersRolesLoginModule. This login module uses property files. To use the LDAP login module, you can add something like the following to the login-config.xml file and make sure that your LDAP schema has the correct settings. It took me a while to figure this out. I agree that there should be good documentation on how to configure an IDP.

                  <application-policy name="idp">
                    <authentication>
                      <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">
                        <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
                        <module-option name="java.naming.provider.url">ldap://yourLDAPHOST:1389/</module-option>
                        <module-option name="java.naming.security.authentication">simple</module-option>
                        <module-option name="principalDNPrefix">cn=</module-option>
                        <module-option name="principalDNSuffix">,ou=users, dc=FedEx,Dc=CGI,Dc=com</module-option>
                        <module-option name="rolesCtxDN">ou=Groups,dc=FedEx,Dc=CGI,Dc=com</module-option>
                        <module-option name="roleFilter">(member={1})</module-option>
                        <module-option name="roleAttributeID">cn</module-option>
                        <module-option name="debug">true</module-option>
                      </login-module>
                    </authentication>
                  </application-policy>

                  • 6. Re: How to integrate Picketlink idp and database
                    gthomas

                    Thank you for your response. Since I could not figure out the LDAP configuration, I have used a database as the Identity store and ended up with a bunch of jbid_ tables. Hacked through some of the test cases from the source code and was able to populate the tables with a few test users. Does anyone know how to retrieve the user and role information from the jbid_ tables for the idp security domain?

                    Should I use JBossIdentityIDMLoginModule or the more generic DatabaseServerLoginModule?

                    <policy>
                        <application-policy name="idp">
                            <authentication>
                                <login-module code="org.jboss.identity.idm.auth.JBossIdentityIDMLoginModule" flag="required">
                                    <module-option name="identitySessionFactoryJNDIName">java:/IdentitySessionFactory</module-option>
                                    <module-option name="realmName">realm://JBossIdentity</module-option>
                                    <module-option name="roleGroupTypeName">GROUP</module-option>
                                    <module-option name="additionalRole">Authenticated</module-option>
                                    <module-option name="userEnabledAttributeName"></module-option>
                                    <module-option name="associatedGroupType"></module-option>
                                    <module-option name="associatedGroupName"></module-option>
                                    <module-option name="validateUserNameCase"></module-option>
                                    <module-option name="userNameToLowerCase"></module-option>
                                </login-module>
                            </authentication>
                        </application-policy>
                    </policy>


                    <policy>
                        <application-policy name="idp">
                            <authentication>
                                <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule"
                                                 flag="required">
                                    <module-option name="dsJndiName">java:/MyDatabaseDS</module-option>
                                    <module-option name="principalsQuery">???????</module-option>
                                    <module-option name="rolesQuery">??????????????</module-option>
                                </login-module>
                            </authentication>
                        </application-policy>
                    </policy>

                    • 7. Re: How to integrate Picketlink idp and database
                      gthomas

                      Finally got my idp configuration working using the following entry in login-config.xml.

                      <application-policy name="idp">
                          <authentication>
                              <login-module code="org.picketlink.idm.auth.JBossIdentityIDMLoginModule" flag="required">
                                  <module-option name="identitySessionFactoryJNDIName">java:/IdentitySessionFactory</module-option>
                                  <module-option name="realmName">realm://JBossIdentity</module-option>
                                  <module-option name="roleGroupTypeName">GROUP</module-option>
                                  <module-option name="additionalRole">Authenticated</module-option>
                                  <module-option name="transactionAware">true</module-option>
                              </login-module>
                          </authentication>
                      </application-policy>