0 Replies Latest reply on Aug 23, 2012 10:01 AM by Ranieri Mazili

    Active Directory authentication - Only group member can login

    Ranieri Mazili Newbie

      Hello,

      I'm using JBoss 4.0.5 and I need to set up Active Directory integration so that AD users can authenticate in a JBoss application...

      This step is OK; I have users being authenticated through the AD integration, but I need to filter a little bit more...

      My user base is in OU=User, OU=Accounts, DC=example, DC=com

      Now I need that only users who are members of the "BPMPortal" group can pass authentication.

      How could I do that using login-config.xml?

      To make just the integration work, I'm using the configuration below (what do I need to change to make it filter by group membership?):

      <login-module flag="optional" code="org.jboss.security.auth.spi.LdapExtLoginModule">
        <module-option name="java.naming.provider.url">ldap://SAOS111021:389/</module-option>
        <module-option name="bindDN">CN=myuser, OU=User, OU=Accounts, DC=example, DC=com</module-option>
        <module-option name="bindCredential">mypassword</module-option>
        <module-option name="baseCtxDN">OU=User, OU=Accounts, OU=SAO, DC=am, DC=rabonet, DC=com</module-option>
        <module-option name="baseFilter">(sAMAccountName={0})</module-option>
        <module-option name="roleFilter">(member={1})</module-option>
        <module-option name="rolesCtxDN">OU=Groups, OU=Accounts, DC=example, DC=com</module-option>
        <module-option name="roleAttributeID">cn</module-option>
        <module-option name="roleAttributeIsDN">false</module-option>
        <module-option name="roleNameAttributeID">cn</module-option>
        <module-option name="password-stacking">useFirstPass</module-option>
        <module-option name="java.naming.referral">follow</module-option>
        <module-option name="allowEmptyPasswords">false</module-option>
        <module-option name="twUserFilter">(objectClass=person)</module-option>
        <module-option name="twGroupFilter">(objectClass=group)</module-option>
        <module-option name="twUserNameAttribute">sAMAccountName</module-option>
        <module-option name="twGroupNameAttribute">cn</module-option>
        <module-option name="twUserDescriptionAttribute">description</module-option>
        <module-option name="twGroupDescriptionAttribute">description</module-option>
        <module-option name="twGroupMemberAttribute">member</module-option>
        <module-option name="twUserFilter">(objectClass=person)</module-option>
        <module-option name="twGroupFilter">(objectClass=group)</module-option>
        <module-option name="twUserNameAttribute">sAMAccountName</module-option>
        <module-option name="twUserPrimaryGroupAttribute">primaryGroupID</module-option>
        <module-option name="twGroupNameAttribute">cn</module-option>
        <module-option name="twGroupDNAttribute">distinguishedName</module-option>
        <module-option name="twGroupPrimaryGroupTokenAttribute">primaryGroupToken</module-option>
        <module-option name="twUserDescriptionAttribute">cn</module-option>
        <module-option name="twGroupDescriptionAttribute">description</module-option>
        <module-option name="twGroupMemberAttribute">member</module-option>
      </login-module>

      I appreciate any help.
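Added example (my own, not from the original post or from the JBoss project): a login-config.xml application policy that restricts authentication to members of the BPMPortal group by folding a memberOf clause into baseFilter, so a user outside the group is never found and the bind never happens. The group DN CN=BPMPortal,OU=Groups,OU=Accounts,DC=example,DC=com and the policy name ad-bpmportal are assumptions; the other values are taken from the configuration in the question.

```xml
<!-- Added example, not the poster's configuration. Assumes the BPMPortal
     group lives under the rolesCtxDN used in the question; adjust the DN. -->
<application-policy name="ad-bpmportal">
  <authentication>
    <!-- "required" instead of "optional": an optional module that fails
         does not fail the login when another module in the stack succeeds,
         so the group restriction would not actually be enforced. -->
    <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule"
                  flag="required">
      <module-option name="java.naming.provider.url">ldap://SAOS111021:389/</module-option>
      <module-option name="bindDN">CN=myuser, OU=User, OU=Accounts, DC=example, DC=com</module-option>
      <module-option name="bindCredential">mypassword</module-option>
      <module-option name="baseCtxDN">OU=User, OU=Accounts, DC=example, DC=com</module-option>

      <!-- {0} is the login name. The AND filter matches the user entry only
           when its memberOf attribute carries the group DN; for anyone else
           the search returns nothing and the login fails before the bind.
           Inside an XML element the "&" must be written as "&amp;". -->
      <module-option name="baseFilter">(&amp;(sAMAccountName={0})(memberOf=CN=BPMPortal,OU=Groups,OU=Accounts,DC=example,DC=com))</module-option>

      <!-- memberOf does not expand nested groups and never lists the
           user's primary group. For nested membership AD supports the
           LDAP_MATCHING_RULE_IN_CHAIN rule; use this clause instead:
           (memberOf:1.2.840.113556.1.4.1941:=CN=BPMPortal,OU=Groups,OU=Accounts,DC=example,DC=com) -->

      <!-- Role lookup unchanged from the question: {1} is the user's DN,
           and each matching group's cn becomes a JBoss role name. -->
      <module-option name="rolesCtxDN">OU=Groups, OU=Accounts, DC=example, DC=com</module-option>
      <module-option name="roleFilter">(member={1})</module-option>
      <module-option name="roleAttributeID">cn</module-option>
      <module-option name="roleAttributeIsDN">false</module-option>
      <module-option name="roleNameAttributeID">cn</module-option>
      <module-option name="java.naming.referral">follow</module-option>
      <module-option name="allowEmptyPasswords">false</module-option>
    </login-module>
  </authentication>
</application-policy>
```

Because roleFilter already maps group cn values to roles, the same restriction can instead be enforced at authorization time by requiring the role BPMPortal in the application's web.xml auth-constraint, which leaves baseFilter untouched and still lets other roles from the same lookup be used.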