1 Reply Latest reply on Nov 16, 2012 9:01 AM by Josef Cacek

    Using LdapExtLoginModule without Roles as separate objects in the directory

    Andrew Cheung Newbie

      Hi. I'm trying to configure the security domain for my web application. Our users are stored in eDirectory, so I'll be using the org.jboss.security.auth.spi.LdapExtLoginModule. All the examples I found in the documentation and on the internet have the roles as separate objects in the tree. In my case, the role is an attribute of the user object (namely, the attribute "employeetype" in the following examples):

      dn: cn=johndoe,ou=myLocation,ou=Canada,o=com
      objectClass: inetOrgPerson
      objectClass: person
      objectClass: top
      employeetype: sales
      cn: johndoe

      dn: cn=ssmith,ou=myLocation,ou=Canada,o=com
      objectClass: inetOrgPerson
      objectClass: person
      objectClass: top
      employeetype: manager
      cn: ssmith

      My setup is JBoss EAP 5.2.

      My question is: how should I configure the security domain in login-config.xml? I have the following currently, but it always says "Bad password for username=johndoe". (But I know the password I entered is correct, because I can log in as this user using jexplorer.)

      Here is my configuration in login-config.xml:

      <application-policy name="myapp">
        <authentication>
          <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
            <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
            <module-option name="java.naming.provider.url">ldap://127.0.0.1:389</module-option>
            <module-option name="java.naming.security.authentication">simple</module-option>
            <module-option name="java.naming.referral">follow</module-option>
            <module-option name="bindDN">cn=mygenericuser,ou=Canada,o=com</module-option>
            <module-option name="bindCredential">hello123</module-option>
            <module-option name="baseCtxDN">ou=Canada,o=com</module-option>
            <module-option name="baseFilter">(cn={0})</module-option>
            <module-option name="rolesCtxDN">ou=Canada,o=com</module-option>
            <module-option name="userRolesCtxDNAttributeName">employeetype</module-option>
            <module-option name="roleAttributeIsDN">false</module-option>
            <module-option name="roleRecursion">3</module-option>
            <module-option name="searchTimeLimit">10000</module-option>
            <module-option name="searchScope">SUBTREE_SCOPE</module-option>
            <module-option name="allowEmptyPasswords">false</module-option>
            <module-option name="defaultRole">8</module-option>
          </login-module>
        </authentication>
      </application-policy>

      ----------------

      In my web application, jboss-web.xml:

      <jboss-web>
        <security-domain>myapp</security-domain>
      </jboss-web>

      -----------------

      web.xml:

      .....
      <login-config>
        <auth-method>FORM</auth-method>
        <realm-name>My Application</realm-name>
        <form-login-config>
          <form-login-page>/jsp/login.jsp</form-login-page>
          <form-error-page>/jsp/login-error.jsp</form-error-page>
        </form-login-config>
      </login-config>
      ....

      Any help is appreciated.

        -Andrew

        • 1. Re: Using LdapExtLoginModule without Roles as separate objects in the directory
          Josef Cacek Newbie

          Cross posted from the LdapExtLoginModule Wiki comments:

          Try this configuration:

          <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
            <module-option name="java.naming.provider.url">ldap://127.0.0.1:389</module-option>
            <module-option name="bindDN">cn=mygenericuser,ou=Canada,o=com</module-option>
            <module-option name="bindCredential">hello123</module-option>
            <module-option name="baseCtxDN">ou=Canada,o=com</module-option>
            <module-option name="baseFilter">(cn={0})</module-option>
            <module-option name="rolesCtxDN">ou=Canada,o=com</module-option>
            <module-option name="roleFilter">(cn={0})</module-option>
            <module-option name="roleAttributeID">employeetype</module-option>
          </login-module>
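To make it concrete why the reply's options work when the role lives on the user entry itself, here is an added walk-through (example code written for this page, not JBoss code) that models the three lookups LdapExtLoginModule performs: bind as bindDN and search baseCtxDN with baseFilter to find the user's DN, bind as that DN with the supplied password, then search rolesCtxDN with roleFilter and collect the values of roleAttributeID. The directory is an in-memory dictionary constructed from the two entries in the question; the userPassword values are made up for the simulation. The real module substitutes {0} with the username and {1} with the resolved user DN in roleFilter; with roleFilter (cn={0}) the role search simply lands on the user's own entry, and roleAttributeID=employeetype reads the role from it.

```python
"""In-memory simulation of the LdapExtLoginModule lookup sequence.

Added example for this thread, not JBoss code. The directory, DNs and
passwords below are constructed to mirror the entries in the question.
"""


class LoginFailure(Exception):
    """Raised where the real module would reject the login."""


# Constructed directory: the service account from login-config.xml plus the
# two user entries from the question. userPassword values are invented.
DIRECTORY = {
    "cn=mygenericuser,ou=Canada,o=com": {
        "cn": ["mygenericuser"],
        "userPassword": ["hello123"],
    },
    "cn=johndoe,ou=myLocation,ou=Canada,o=com": {
        "objectClass": ["inetOrgPerson", "person", "top"],
        "employeetype": ["sales"],
        "cn": ["johndoe"],
        "userPassword": ["jd-secret"],
    },
    "cn=ssmith,ou=myLocation,ou=Canada,o=com": {
        "objectClass": ["inetOrgPerson", "person", "top"],
        "employeetype": ["manager"],
        "cn": ["ssmith"],
        "userPassword": ["ss-secret"],
    },
}

# The module options from the reply, as a plain dict.
CONFIG = {
    "bindDN": "cn=mygenericuser,ou=Canada,o=com",
    "bindCredential": "hello123",
    "baseCtxDN": "ou=Canada,o=com",
    "baseFilter": "(cn={0})",
    "rolesCtxDN": "ou=Canada,o=com",
    "roleFilter": "(cn={0})",
    "roleAttributeID": "employeetype",
}


def bind(dn, password):
    """Simple bind: the DN must exist and the password must match."""
    entry = DIRECTORY.get(dn)
    return entry is not None and password in entry.get("userPassword", [])


def search(base_dn, ldap_filter):
    """Subtree search supporting a single equality filter such as '(cn=johndoe)'.

    Only the first '=' splits attribute from value, so filters whose value is
    itself a DN (e.g. '(member=cn=johndoe,ou=...)') still parse correctly.
    """
    attr, _, value = ldap_filter.strip("()").partition("=")
    hits = []
    for dn, entry in DIRECTORY.items():
        in_subtree = dn == base_dn or dn.endswith("," + base_dn)
        if in_subtree and value in entry.get(attr, []):
            hits.append((dn, entry))
    return hits


def ldap_ext_login(config, username, password):
    """Return (user_dn, roles) for a successful login, else raise LoginFailure."""
    # Phase 1: bind with the service account and locate the user's DN.
    if not bind(config["bindDN"], config["bindCredential"]):
        raise LoginFailure("bindDN credentials rejected")
    user_filter = config["baseFilter"].replace("{0}", username)
    hits = search(config["baseCtxDN"], user_filter)
    if len(hits) != 1:
        raise LoginFailure(f"expected exactly one user entry, found {len(hits)}")
    user_dn, _ = hits[0]

    # Phase 2: prove the password by binding as the user's own DN.
    if not bind(user_dn, password):
        raise LoginFailure(f"Bad password for username={username}")

    # Phase 3: role lookup. {0} is the username, {1} the resolved user DN.
    role_filter = config["roleFilter"].replace("{0}", username).replace("{1}", user_dn)
    roles = []
    for _, entry in search(config["rolesCtxDN"], role_filter):
        roles.extend(entry.get(config["roleAttributeID"], []))
    return user_dn, sorted(set(roles))


if __name__ == "__main__":
    print(ldap_ext_login(CONFIG, "johndoe", "jd-secret"))
    print(ldap_ext_login(CONFIG, "ssmith", "ss-secret"))
```

Running it yields the user DN plus ['sales'] for johndoe and ['manager'] for ssmith. Because the role search only needs to read cn and employeetype under ou=Canada,o=com, the bindDN service account requires nothing beyond read access to those attributes; there is no group object it has to enumerate.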