JBoss AS 7 IPA LDAP Configuration Questions
I am trying to configure JBoss AS 7.1.0.Final "Thunder" to restrict access to the management features via IPA Directory Server LDAP connection. I also want to restrict the non-admin account with a different group and also configure a LDAP realm for my applications to be able to access.
Groups:
jboss_admin - Management (Admin) account
jboss_user - Read-only/Restricted account
jboss_manager - (Overlord) BPM monitoring account
Here is what I have so far:
Jboss_admin (Management Access) to lock management features
<security-realm name="ManagementRealm">
<!--authentication>
<properties path="mgmt-users.properties" relative-to="jboss.server.config.dir"/>
</authentication-->
<authentication>
<login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">
<module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"></module-option>
<module-option name="java.naming.provider.url" value="ldap://serverIp:389"></module-option>
<module-option name="java.naming.security.authentication" value="simple"></module-option>
<module-option name="bindDN" value="uid=bind_account,cn=groups,cn=accounts,dc=nas2,dc=i-edo,dc=net"></module-option>
<module-option name="bindCredential" value="password"></module-option>
<module-option name="baseCtxDN" value="cn=users,cn=accounts,dc=nas2,dc=i-edo,dc=net"></module-option>
<module-option name="baseFilter" value="(uid={0})"></module-option>
<module-option name="principalDNPrefix" value="uid="></module-option>
<module-option name="principalDNSuffix" value="cn=users,cn=accounts,dc=nas2,dc=i-edo,dc=net"></module-option>
<module-option name="rolesCtxDN" value="cn=groups,cn=accounts,dc=nas2,dc=i-edo,dc=net"></module-option>
<module-option name="roleFilter" value="(member={1})"></module-option>
<module-option name="roleAttributeID" value="cn=jboss_admin"></module-option>
<module-option name="uidAttributeID" value="member"></module-option>
<module-option name="roleAttributeIsDN" value="false"></module-option>
<module-option name="searchTimeLimit" value="5000"></module-option>
<module-option name="searchScope" value="ONELEVEL_SCOPE"></module-option>
</login-module>
</authentication>
</security-realm>
Jboss_user (Restricted Account)
<security-realm name="ApplicationRealm">
<!--authentication>
<properties path="application-users.properties" relative-to="jboss.server.config.dir"/>
</authentication-->
<authentication>
<login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">
<module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"></module-option>
<module-option name="java.naming.provider.url" value="ldap://serverIp:389"></module-option>
<module-option name="java.naming.security.authentication" value="simple"></module-option>
<module-option name="bindDN" value="uid=bind_account,cn=groups,cn=accounts,dc=nas2,dc=i-edo,dc=net"></module-option>
<module-option name="bindCredential" value="password"></module-option>
<module-option name="baseCtxDN" value="cn=users,cn=accounts,dc=nas2,dc=i-edo,dc=net"></module-option>
<module-option name="baseFilter" value="(uid={0})"></module-option>
<module-option name="principalDNPrefix" value="uid="></module-option>
<module-option name="principalDNSuffix" value="cn=users,cn=accounts,dc=nas2,dc=i-edo,dc=net"></module-option>
<module-option name="rolesCtxDN" value="cn=groups,cn=accounts,dc=nas2,dc=i-edo,dc=net"></module-option>
<module-option name="roleFilter" value="(member={1})"></module-option>
<module-option name="roleAttributeID" value="cn=jboss_user"></module-option>
<module-option name="uidAttributeID" value="member"></module-option>
<module-option name="roleAttributeIsDN" value="false"></module-option>
<module-option name="searchTimeLimit" value="5000"></module-option>
<module-option name="searchScope" value="ONELEVEL_SCOPE"></module-option>
</login-module>
</authentication>
</security-realm>
Jboss JNDI Resource for applications to access directory services
<security-domain name="jboss_ldap_domain" type="default">
<authentication>
<login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="optional">
<module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"></module-option>
<module-option name="java.naming.provider.url" value="ldap://serverIp:389"></module-option>
<module-option name="java.naming.security.authentication" value="simple"></module-option>
<module-option name="bindDN" value="uid=bind_account,cn=groups,cn=accounts,dc=nas2,dc=i-edo,dc=net"></module-option>
<module-option name="bindCredential" value="password"></module-option>
<module-option name="baseCtxDN" value="cn=users,cn=accounts,dc=nas2,dc=i-edo,dc=net"></module-option>
<module-option name="baseFilter" value="(uid={0})"></module-option>
<module-option name="principalDNPrefix" value="uid="></module-option>
<module-option name="principalDNSuffix" value="cn=users,cn=accounts,dc=nas2,dc=i-edo,dc=net"></module-option>
<module-option name="rolesCtxDN" value="cn=groups,cn=accounts,dc=nas2,dc=i-edo,dc=net"></module-option>
<module-option name="roleFilter" value="(member={1})"></module-option>
<module-option name="roleAttributeID" value="cn"></module-option>
<module-option name="uidAttributeID" value="member"></module-option>
<module-option name="roleAttributeIsDN" value="false"></module-option>
<module-option name="searchTimeLimit" value="5000"></module-option>
<module-option name="searchScope" value="ONELEVEL_SCOPE"></module-option>
</login-module>
</authentication>
</security-domain>
Here are my questions:
1. How to I secure the txn-recovery-environment and txn-status-manager for my monitoring applications?
2. Securing security-realm name="ApplicationRealm" wont require all application access (deployed webapps,sites,resources) to be authenticated will it?
3. Is this the correct method of dictating what group a user needs to be in to access a LDAP secured feature? If not how do I set the group name?
<module-option name="roleAttributeID" value="cn=jboss_user"></module-option>
4. I pulled this from here => https://community.jboss.org/wiki/JBossLDAPAuthenticationWithJAAS?_sscc=t
<module-option name="roleFilter" value="(member={1})"></module-option>
Everywhere else I am using roleSearch="(member={0})", not member=1. What is the difference?
5. Is there a simpler way to lock down toManagement and portal access since I am already configuring the security realm elsewhere or do I need the full <authentication /> section for each component?
6. <module-option name="searchScope" value="ONELEVEL_SCOPE"></module-option>
I need to search subtree. What does this do exactly and would it prevent that?
Thanks in advance for any and all help or suggestions. I have had issues finding documentation for this specifically for AS 7.
<<<UPDATE>>>
Startup Failure from this config
14:32:25,714 ERROR [org.jboss.as.controller] JBAS014601: Error booting the container: java.lang.RuntimeException: org.jboss.as.controller.persistence.ConfigurationPersistenceException: JBAS014676: Failed to parse configuration
at org.jboss.as.controller.AbstractControllerService$1.run(AbstractControllerService.java:161) [jboss-as-controller-7.1.0.Final.jar:7.1.0.Final]
at java.lang.Thread.run(Thread.java:662) [rt.jar:1.6.0_31]
Caused by: org.jboss.as.controller.persistence.ConfigurationPersistenceException: JBAS014676: Failed to parse configuration
at org.jboss.as.controller.persistence.XmlConfigurationPersister.load(XmlConfigurationPersister.java:125) [jboss-as-controller-7.1.0.Final.jar:7.1.0.Final]
at org.jboss.as.controller.AbstractControllerService.boot(AbstractControllerService.java:187) [jboss-as-controller-7.1.0.Final.jar:7.1.0.Final]
at org.jboss.as.server.ServerService.boot(ServerService.java:261) [jboss-as-server-7.1.0.Final.jar:7.1.0.Final]
at org.jboss.as.controller.AbstractControllerService$1.run(AbstractControllerService.java:155) [jboss-as-controller-7.1.0.Final.jar:7.1.0.Final]
... 1 more
Caused by: javax.xml.stream.XMLStreamException: ParseError at [row,col]:[41,21]
Message: JBAS014789: Unexpected element '{urn:jboss:domain:1.1}login-module' encountered
at org.jboss.as.controller.parsing.ParseUtils.unexpectedElement(ParseUtils.java:85) [jboss-as-controller-7.1.0.Final.jar:7.1.0.Final]
at org.jboss.as.domain.management.parsing.ManagementXml.parseAuthentication_1_1(ManagementXml.java:526) [jboss-as-domain-management-7.1.0.Final.jar:7.1.0.Final]
at org.jboss.as.domain.management.parsing.ManagementXml.parseSecurityRealm_1_1(ManagementXml.java:312) [jboss-as-domain-management-7.1.0.Final.jar:7.1.0.Final]
at org.jboss.as.domain.management.parsing.ManagementXml.parseSecurityRealms(ManagementXml.java:247) [jboss-as-domain-management-7.1.0.Final.jar:7.1.0.Final]
at org.jboss.as.domain.management.parsing.ManagementXml.parseManagement(ManagementXml.java:130) [jboss-as-domain-management-7.1.0.Final.jar:7.1.0.Final]
at org.jboss.as.server.parsing.StandaloneXml.readServerElement_1_1(StandaloneXml.java:324) [jboss-as-server-7.1.0.Final.jar:7.1.0.Final]
at org.jboss.as.server.parsing.StandaloneXml.readElement(StandaloneXml.java:126) [jboss-as-server-7.1.0.Final.jar:7.1.0.Final]
at org.jboss.as.server.parsing.StandaloneXml.readElement(StandaloneXml.java:100) [jboss-as-server-7.1.0.Final.jar:7.1.0.Final]
at org.jboss.staxmapper.XMLMapperImpl.processNested(XMLMapperImpl.java:110) [staxmapper-1.1.0.Final.jar:1.1.0.Final]
at org.jboss.staxmapper.XMLMapperImpl.parseDocument(XMLMapperImpl.java:69) [staxmapper-1.1.0.Final.jar:1.1.0.Final]
at org.jboss.as.controller.persistence.XmlConfigurationPersister.load(XmlConfigurationPersister.java:117) [jboss-as-controller-7.1.0.Final.jar:7.1.0.Final]
... 4 more
14:32:25,734 INFO [org.jboss.as] JBAS015950: JBoss AS 7.1.0.Final "Thunder" stopped in 8ms