1 Reply Latest reply on Jul 3, 2012 12:17 PM by spyderdyne

    JBoss AS 7 IPA LDAP Configuration Questions

    spyderdyne Newbie

      I am trying to configure JBoss AS 7.1.0.Final "Thunder" to restrict access to the management features via IPA Directory Server LDAP connection.  I also want to restrict the non-admin account with a different group and also configure a LDAP realm for my applications to be able to access.

       

      Groups:

       

      jboss_admin - Management (Admin) account

      jboss_user - Read-only/Restricted account

      jboss_manager - (Overlord) BPM monitoring account

       

      Here is what I have so far:

       

      Jboss_admin (Management Access) to lock management features

       

      <security-realm name="ManagementRealm">

       

                      <!--authentication>

                          <properties path="mgmt-users.properties" relative-to="jboss.server.config.dir"/>

                      </authentication-->

       

                     <authentication>

                          <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">

                              <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"></module-option>

                              <module-option name="java.naming.provider.url" value="ldap://serverIp:389"></module-option>

                              <module-option name="java.naming.security.authentication" value="simple"></module-option>

                              <module-option name="bindDN" value="uid=bind_account,cn=groups,cn=accounts,dc=nas2,dc=i-edo,dc=net"></module-option>

                              <module-option name="bindCredential" value="password"></module-option>

                              <module-option name="baseCtxDN" value="cn=users,cn=accounts,dc=nas2,dc=i-edo,dc=net"></module-option>

                              <module-option name="baseFilter" value="(uid={0})"></module-option>

                              <module-option name="principalDNPrefix" value="uid="></module-option>

                              <module-option name="principalDNSuffix" value="cn=users,cn=accounts,dc=nas2,dc=i-edo,dc=net"></module-option>

                              <module-option name="rolesCtxDN" value="cn=groups,cn=accounts,dc=nas2,dc=i-edo,dc=net"></module-option>

                              <module-option name="roleFilter" value="(member={1})"></module-option>

                              <module-option name="roleAttributeID" value="cn=jboss_admin"></module-option>

                              <module-option name="uidAttributeID" value="member"></module-option>

                              <module-option name="roleAttributeIsDN" value="false"></module-option>

                              <module-option name="searchTimeLimit" value="5000"></module-option>

                              <module-option name="searchScope" value="ONELEVEL_SCOPE"></module-option>

                          </login-module>

                      </authentication>

       

      </security-realm>

       

      Jboss_user (Restricted Account)

       

      <security-realm name="ApplicationRealm">

       

                      <!--authentication>

                          <properties path="application-users.properties" relative-to="jboss.server.config.dir"/>

                      </authentication-->

       

                      <authentication>

                          <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">

                              <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"></module-option>

                              <module-option name="java.naming.provider.url" value="ldap://serverIp:389"></module-option>

                              <module-option name="java.naming.security.authentication" value="simple"></module-option>

                              <module-option name="bindDN" value="uid=bind_account,cn=groups,cn=accounts,dc=nas2,dc=i-edo,dc=net"></module-option>

                              <module-option name="bindCredential" value="password"></module-option>

                              <module-option name="baseCtxDN" value="cn=users,cn=accounts,dc=nas2,dc=i-edo,dc=net"></module-option>

                              <module-option name="baseFilter" value="(uid={0})"></module-option>

                              <module-option name="principalDNPrefix" value="uid="></module-option>

                              <module-option name="principalDNSuffix" value="cn=users,cn=accounts,dc=nas2,dc=i-edo,dc=net"></module-option>

                              <module-option name="rolesCtxDN" value="cn=groups,cn=accounts,dc=nas2,dc=i-edo,dc=net"></module-option>

                              <module-option name="roleFilter" value="(member={1})"></module-option>

                              <module-option name="roleAttributeID" value="cn=jboss_user"></module-option>

                              <module-option name="uidAttributeID" value="member"></module-option>

                              <module-option name="roleAttributeIsDN" value="false"></module-option>

                              <module-option name="searchTimeLimit" value="5000"></module-option>

                              <module-option name="searchScope" value="ONELEVEL_SCOPE"></module-option>

                          </login-module>

                      </authentication>

       

      </security-realm>

       

      Jboss JNDI Resource for applications to access directory services

       

      <security-domain name="jboss_ldap_domain" type="default">

                      <authentication>

                          <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="optional">

                              <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"></module-option>

                              <module-option name="java.naming.provider.url" value="ldap://serverIp:389"></module-option>

                              <module-option name="java.naming.security.authentication" value="simple"></module-option>

                              <module-option name="bindDN" value="uid=bind_account,cn=groups,cn=accounts,dc=nas2,dc=i-edo,dc=net"></module-option>

                              <module-option name="bindCredential" value="password"></module-option>

                              <module-option name="baseCtxDN" value="cn=users,cn=accounts,dc=nas2,dc=i-edo,dc=net"></module-option>

                              <module-option name="baseFilter" value="(uid={0})"></module-option>

                              <module-option name="principalDNPrefix" value="uid="></module-option>

                              <module-option name="principalDNSuffix" value="cn=users,cn=accounts,dc=nas2,dc=i-edo,dc=net"></module-option>

                              <module-option name="rolesCtxDN" value="cn=groups,cn=accounts,dc=nas2,dc=i-edo,dc=net"></module-option>

                              <module-option name="roleFilter" value="(member={1})"></module-option>

                              <module-option name="roleAttributeID" value="cn"></module-option>

                              <module-option name="uidAttributeID" value="member"></module-option>

                              <module-option name="roleAttributeIsDN" value="false"></module-option>

                              <module-option name="searchTimeLimit" value="5000"></module-option>

                              <module-option name="searchScope" value="ONELEVEL_SCOPE"></module-option>

                          </login-module>

                      </authentication>

      </security-domain>

       

      Here are my questions:

       

      1.  How to I secure the txn-recovery-environment and txn-status-manager for my monitoring applications?

       

      2.  Securing security-realm name="ApplicationRealm" wont require all application access (deployed webapps,sites,resources) to be authenticated will it?

       

      3.  Is this the correct method of dictating what group a user needs to be in to access a LDAP secured feature?  If not how do I set the group name?

       

           <module-option name="roleAttributeID" value="cn=jboss_user"></module-option>

       

      4.  I pulled this from here => https://community.jboss.org/wiki/JBossLDAPAuthenticationWithJAAS?_sscc=t

       

           <module-option name="roleFilter" value="(member={1})"></module-option>

       

             Everywhere else I am using roleSearch="(member={0})", not member=1.  What is the difference?

       

      5.  Is there a simpler way to lock down toManagement and portal access since I am already configuring the security realm elsewhere or do I need the full <authentication /> section for each component?

       

      6.  <module-option name="searchScope" value="ONELEVEL_SCOPE"></module-option>

       

           I need to search subtree.  What does this do exactly and would it prevent that?

       

       

      Thanks in advance for any and all help or suggestions.  I have had issues finding documentation for this specifically for AS 7.

       

      <<<UPDATE>>>

       

      Startup Failure from this config

       

      14:32:25,714 ERROR [org.jboss.as.controller] JBAS014601: Error booting the container: java.lang.RuntimeException: org.jboss.as.controller.persistence.ConfigurationPersistenceException: JBAS014676: Failed to parse configuration

              at org.jboss.as.controller.AbstractControllerService$1.run(AbstractControllerService.java:161) [jboss-as-controller-7.1.0.Final.jar:7.1.0.Final]

              at java.lang.Thread.run(Thread.java:662) [rt.jar:1.6.0_31]

      Caused by: org.jboss.as.controller.persistence.ConfigurationPersistenceException: JBAS014676: Failed to parse configuration

              at org.jboss.as.controller.persistence.XmlConfigurationPersister.load(XmlConfigurationPersister.java:125) [jboss-as-controller-7.1.0.Final.jar:7.1.0.Final]

              at org.jboss.as.controller.AbstractControllerService.boot(AbstractControllerService.java:187) [jboss-as-controller-7.1.0.Final.jar:7.1.0.Final]

              at org.jboss.as.server.ServerService.boot(ServerService.java:261) [jboss-as-server-7.1.0.Final.jar:7.1.0.Final]

              at org.jboss.as.controller.AbstractControllerService$1.run(AbstractControllerService.java:155) [jboss-as-controller-7.1.0.Final.jar:7.1.0.Final]

              ... 1 more

      Caused by: javax.xml.stream.XMLStreamException: ParseError at [row,col]:[41,21]

      Message: JBAS014789: Unexpected element '{urn:jboss:domain:1.1}login-module' encountered

              at org.jboss.as.controller.parsing.ParseUtils.unexpectedElement(ParseUtils.java:85) [jboss-as-controller-7.1.0.Final.jar:7.1.0.Final]

              at org.jboss.as.domain.management.parsing.ManagementXml.parseAuthentication_1_1(ManagementXml.java:526) [jboss-as-domain-management-7.1.0.Final.jar:7.1.0.Final]

              at org.jboss.as.domain.management.parsing.ManagementXml.parseSecurityRealm_1_1(ManagementXml.java:312) [jboss-as-domain-management-7.1.0.Final.jar:7.1.0.Final]

              at org.jboss.as.domain.management.parsing.ManagementXml.parseSecurityRealms(ManagementXml.java:247) [jboss-as-domain-management-7.1.0.Final.jar:7.1.0.Final]

              at org.jboss.as.domain.management.parsing.ManagementXml.parseManagement(ManagementXml.java:130) [jboss-as-domain-management-7.1.0.Final.jar:7.1.0.Final]

              at org.jboss.as.server.parsing.StandaloneXml.readServerElement_1_1(StandaloneXml.java:324) [jboss-as-server-7.1.0.Final.jar:7.1.0.Final]

              at org.jboss.as.server.parsing.StandaloneXml.readElement(StandaloneXml.java:126) [jboss-as-server-7.1.0.Final.jar:7.1.0.Final]

              at org.jboss.as.server.parsing.StandaloneXml.readElement(StandaloneXml.java:100) [jboss-as-server-7.1.0.Final.jar:7.1.0.Final]

              at org.jboss.staxmapper.XMLMapperImpl.processNested(XMLMapperImpl.java:110) [staxmapper-1.1.0.Final.jar:1.1.0.Final]

              at org.jboss.staxmapper.XMLMapperImpl.parseDocument(XMLMapperImpl.java:69) [staxmapper-1.1.0.Final.jar:1.1.0.Final]

              at org.jboss.as.controller.persistence.XmlConfigurationPersister.load(XmlConfigurationPersister.java:117) [jboss-as-controller-7.1.0.Final.jar:7.1.0.Final]

              ... 4 more

       

       

      14:32:25,734 INFO  [org.jboss.as] JBAS015950: JBoss AS 7.1.0.Final "Thunder" stopped in 8ms