Using LdapExtLoginModule without Roles as separate objects in the directory
ndrw_cheung Nov 14, 2012 2:51 PM

Hi. I'm trying to configure the security domain for my web application. Our users are stored in eDirectory, so I'll be using the org.jboss.security.auth.spi.LdapExtLoginModule. All the examples I found in the documentation and on the internet have the roles as a separate object in the tree. In my case, the role is an attribute of the user object (namely, the attribute "employeetype" in the following examples):
dn: cn=johndoe,ou=myLocation,ou=Canada,o=com
objectClass: inetOrgPerson
objectClass: person
objectClass: top
employeetype: sales
cn: johndoe

dn: cn=ssmith,ou=myLocation,ou=Canada,o=com
objectClass: inetOrgPerson
objectClass: person
objectClass: top
employeetype: manager
cn: ssmith
My setup is JBoss EAP 5.2.
My question is: how should I configure the security domain in login-config.xml? I have the following currently, but it always says "Bad password for username=johndoe". (But I know the password I entered is correct, as I can log in as this user with it using jexplorer.)
Here is my configuration in login-config.xml:
<application-policy name="myapp">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
      <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
      <module-option name="java.naming.provider.url">ldap://127.0.0.1:389</module-option>
      <module-option name="java.naming.security.authentication">simple</module-option>
      <module-option name="java.naming.referral">follow</module-option>
      <module-option name="bindDN">cn=mygenericuser,ou=Canada,o=com</module-option>
      <module-option name="bindCredential">hello123</module-option>
      <module-option name="baseCtxDN">ou=Canada,o=com</module-option>
      <module-option name="baseFilter">(cn={0})</module-option>
      <module-option name="rolesCtxDN">ou=Canada,o=com</module-option>
      <module-option name="userRolesCtxDNAttributeName">employeetype</module-option>
      <module-option name="roleAttributeIsDN">false</module-option>
      <module-option name="roleRecursion">3</module-option>
      <module-option name="searchTimeLimit">10000</module-option>
      <module-option name="searchScope">SUBTREE_SCOPE</module-option>
      <module-option name="allowEmptyPasswords">false</module-option>
      <module-option name="defaultRole">8</module-option>
    </login-module>
  </authentication>
</application-policy>
----------------
In my web application, jboss-web.xml:
<jboss-web>
  <security-domain>myapp</security-domain>
</jboss-web>
-----------------
web.xml:
.....
<login-config>
  <auth-method>FORM</auth-method>
  <realm-name>My Application</realm-name>
  <form-login-config>
    <form-login-page>/jsp/login.jsp</form-login-page>
    <form-error-page>/jsp/login-error.jsp</form-error-page>
  </form-login-config>
</login-config>
....
Any help is appreciated.
-Andrew
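Added example, not from the post or from JBoss: a Python stand-in for the search-then-bind sequence a login module of this kind performs, run against an in-memory copy of the two entries above. The userPassword values and the roleAttributeID option name are constructed assumptions; the code shows which stage produces a "bad password" result as opposed to a user-not-found result, why the username is passed as a filter argument rather than spliced into the filter string, and what allowEmptyPasswords=false protects against.

```python
import re

# Constructed in-memory directory modelled on the two entries in the post.
# The userPassword values are assumptions; the post shows no password attribute.
DIRECTORY = {
    "cn=johndoe,ou=myLocation,ou=Canada,o=com": {
        "objectClass": ["inetOrgPerson", "person", "top"],
        "employeetype": ["sales"], "cn": ["johndoe"], "userPassword": ["s3cret"]},
    "cn=ssmith,ou=myLocation,ou=Canada,o=com": {
        "objectClass": ["inetOrgPerson", "person", "top"],
        "employeetype": ["manager"], "cn": ["ssmith"], "userPassword": ["pa55"]},
}
# baseCtxDN, baseFilter and allowEmptyPasswords are the values from the post;
# roleAttributeID is an assumed name for the user-entry attribute holding the role.
OPTIONS = {"baseCtxDN": "ou=Canada,o=com", "baseFilter": "(cn={0})",
           "roleAttributeID": "employeetype", "allowEmptyPasswords": "false"}
FILTER_RE = re.compile(r"^\((\w+)=\{(\d)\}\)$")  # one equality filter with a {n} slot

def search(directory, base_dn, filter_expr, filter_args):
    """SUBTREE_SCOPE search. The argument is matched as a literal value after the
    filter is parsed (as JNDI does with filterArgs), so it cannot alter the filter."""
    m = FILTER_RE.match(filter_expr)
    if not m:
        raise ValueError("unsupported filter: " + filter_expr)
    attr, value = m.group(1), filter_args[int(m.group(2))].lower()
    return [dn for dn, entry in directory.items()
            if dn.lower().endswith("," + base_dn.lower())
            and value in (v.lower() for v in entry.get(attr, []))]

def simple_bind(directory, dn, password):
    """Stand-in for the LDAP simple bind the module performs with the user's DN."""
    return password in directory.get(dn, {}).get("userPassword", [])

def login(directory, options, username, password):
    """Returns (status, roles); the status names the stage at which login failed."""
    # Stage 0: an empty password must never reach the bind, because many directories
    # treat a simple bind with an empty password as a successful anonymous bind.
    if not password and options.get("allowEmptyPasswords") != "true":
        return ("empty_password_rejected", [])
    # Stage 1: the service account (bindDN) resolves the username to a DN under baseCtxDN.
    matches = search(directory, options["baseCtxDN"], options["baseFilter"], [username])
    if len(matches) != 1:
        return ("user_not_found", [])
    user_dn = matches[0]
    # Stage 2: bind as that DN with the supplied password; failure here is the "Bad password" outcome.
    if not simple_bind(directory, user_dn, password):
        return ("bad_password", [])
    # Stage 3: the role is an attribute of the user entry, so read it there, not from separate role objects.
    return ("ok", list(directory[user_dn].get(options["roleAttributeID"], [])))
```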