-
1. Re: Trouble Authenticating User using LdapExtLoginModule with Active Directory server
dlofthouse Feb 18, 2013 8:41 AM (in response to wesleydstrickland)
It looks like the security realm for the remote connection is still configured to use the properties file - you need to reconfigure this to delegate to your JAAS domain.
-
2. Re: Trouble Authenticating User using LdapExtLoginModule with Active Directory server
wesleydstrickland Feb 18, 2013 1:48 PM (in response to dlofthouse)
Thanks for your reply Darran!
I have tried that as well without any luck. A little more information about our setup and how we are connecting from the client... We have the following code to get the remote object from the client:
import java.util.Properties;
import javax.naming.Context;
import javax.naming.InitialContext;

// Connection properties for the JBoss remote-naming client (remote://host:4447)
Properties props = new Properties();
props.put(Context.INITIAL_CONTEXT_FACTORY, "org.jboss.naming.remote.client.InitialContextFactory");
props.put(Context.PROVIDER_URL, "remote://localhost:4447");
// Credentials presented to the security realm of the remoting connector
props.put(Context.SECURITY_PRINCIPAL, user);
props.put(Context.SECURITY_CREDENTIALS, password);
props.put("jboss.naming.client.ejb.context", true);
// Get the reference to the remote object
Context ctx = new InitialContext(props);
SiteSecurityRemote siteSec = (SiteSecurityRemote) ctx.lookup("TargetManagementApplication/SiteSecurityBeans/SiteSecurity!com.gdais.maas.prototype.ejb.SiteSecurityRemote");
In that code the user/password have been added to the ApplicationRealm using the adduser.bat script and this seems to work fine to get the InitialContext. If I switch the remoting-connector to use the Ldap realm, I immediately get a failure message on the client and no error messages in the server log:
Feb 18, 2013 10:38:15 AM org.jboss.remoting3.remote.RemoteConnection handleException
ERROR: JBREM000200: Remote connection failed: javax.security.sasl.SaslException: Authentication failed: all available authentication mechanisms failed
javax.naming.NamingException: Failed to create remoting connection [Root exception is java.lang.RuntimeException: javax.security.sasl.SaslException: Authentication failed: all available authentication mechanisms failed]
If I leave the remoting-connector using the ApplicationRealm, I get the InitialContext with no issues. The first time I try to invoke a method from the client using this object, "siteSec", it then seems to invoke the Ldap security domain and produce the stack trace that I attached to my original message.
To force the first EJB call to use the "LDAP" security domain, we have added a jboss-ejb3.xml file into our deployed ear that looks like the following:
<?xml version="1.1" encoding="UTF-8"?>
<jboss:ejb-jar xmlns:jboss="http://www.jboss.com/xml/ns/javaee"
               xmlns="http://java.sun.com/xml/ns/javaee"
               xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
               xmlns:c="urn:clustering:1.0"
               xmlns:s="urn:security"
               xsi:schemaLocation="http://www.jboss.com/xml/ns/javaee http://www.jboss.org/j2ee/schema/jboss-ejb3-2_0.xsd http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/ejb-jar_3_1.xsd"
               version="3.1"
               impl-version="2.0">
  <assembly-descriptor>
    <s:security>
      <ejb-name>*</ejb-name>
      <s:security-domain>LDAP</s:security-domain>
    </s:security>
  </assembly-descriptor>
</jboss:ejb-jar>
In standalone.xml I have added the "LDAPRealm" security realm:
<management>
  <security-realms>
    <security-realm name="ManagementRealm">
      <authentication>
        <properties path="mgmt-users.properties" relative-to="jboss.server.config.dir"/>
      </authentication>
    </security-realm>
    <security-realm name="ApplicationRealm">
      <authentication>
        <properties path="application-users.properties" relative-to="jboss.server.config.dir"/>
      </authentication>
    </security-realm>
    <security-realm name="LDAPRealm">
      <authentication>
        <jaas name="LDAP"/>
      </authentication>
    </security-realm>
  </security-realms>
  <management-interfaces>
    <native-interface security-realm="ManagementRealm">
      <socket-binding native="management-native"/>
    </native-interface>
    <http-interface security-realm="ManagementRealm">
      <socket-binding http="management-http"/>
    </http-interface>
  </management-interfaces>
</management>
My security subsystem in standalone.xml looks like this:
<subsystem xmlns="urn:jboss:domain:security:1.1">
  <security-domains>
    <security-domain name="other" cache-type="default">
      <authentication>
        <login-module code="Remoting" flag="optional">
          <module-option name="password-stacking" value="useFirstPass"/>
        </login-module>
        <login-module code="RealmUsersRoles" flag="required">
          <module-option name="usersProperties" value="${jboss.server.config.dir}/application-users.properties"/>
          <module-option name="rolesProperties" value="${jboss.server.config.dir}/application-roles.properties"/>
          <module-option name="realm" value="ApplicationRealm"/>
          <module-option name="password-stacking" value="useFirstPass"/>
        </login-module>
      </authentication>
    </security-domain>
    <security-domain name="LDAP" cache-type="default">
      <authentication>
        <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
          <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
          <module-option name="java.naming.provider.url" value="ldap://<ip address>:389"/>
          <module-option name="java.naming.security.authentication" value="simple"/>
          <module-option name="bindDN" value="CN=maas-svc,OU=ServiceAccounts,OU=MAAS,DC=jee,DC=maas,DC=demo"/>
          <module-option name="bindCredential" value="Password1!"/>
          <module-option name="baseCtxDN" value="OU=Users,OU=MAAS,DC=jee,DC=maas,DC=demo"/>
          <module-option name="rolesCtxDN" value="OU=Users,OU=MAAS,DC=jee,DC=maas,DC=demo"/>
          <module-option name="baseFilter" value="(sAMAccountName={0})"/>
          <module-option name="roleFilter" value="(sAMAccountName={0})"/>
          <module-option name="roleAttributeID" value="memberOf"/>
          <module-option name="roleAttributeIsDN" value="true"/>
          <module-option name="roleNameAttributeID" value="cn"/>
          <module-option name="roleRecursion" value="0"/>
          <module-option name="searchScope" value="SUBTREE_SCOPE"/>
          <module-option name="allowEmptyPasswords" value="false"/>
          <module-option name="throwValidateError" value="true"/>
          <module-option name="Context.REFERRAL" value="follow"/>
          <module-option name="defaultRole" value="maas-users"/>
        </login-module>
      </authentication>
    </security-domain>
    <security-domain name="jboss-web-policy" cache-type="default">
      <authorization>
        <policy-module code="Delegating" flag="required"/>
      </authorization>
    </security-domain>
    <security-domain name="jboss-ejb-policy" cache-type="default">
      <authorization>
        <policy-module code="Delegating" flag="required"/>
      </authorization>
    </security-domain>
  </security-domains>
</subsystem>
I was hoping to leave the remoting-connector set to the ApplicationRealm as a way to debug the LDAP configuration since this was the only way I could get it to seemingly actually invoke the LDAP login module. I am not sure if mixing the two is even allowed?
Thanks for your help!!
-Wes
-
3. Re: Trouble Authenticating User using LdapExtLoginModule with Active Directory server
wesleydstrickland Feb 18, 2013 2:45 PM (in response to wesleydstrickland)
Another interesting test is that if I explicitly put the username I am attempting to authenticate in LDAP directly into the baseFilter, I get much farther in the stack trace. So as a test, when attempting to authenticate as the user with username 'alluser', if I put the following in standalone.xml:
<module-option name="baseFilter" value="(sAMAccountName=alluser)"/>
<module-option name="roleFilter" value="(sAMAccountName=alluser)"/>
The stack trace seems to make it farther. It is as if the password is not being propagated all the way to the LdapExtLoginModule for some reason? Or maybe even the Principal itself isn't being grabbed correctly.
11:35:04,752 TRACE [org.jboss.security.authentication.JBossCachedAuthenticationManager] (EJB default - 1) Begin isValid, principal:3fc70f76-0594-4a72-856d-e444e6c1c721, cache entry: null
11:35:04,753 TRACE [org.jboss.security.authentication.JBossCachedAuthenticationManager] (EJB default - 1) defaultLogin, principal=3fc70f76-0594-4a72-856d-e444e6c1c721
11:35:04,755 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] (EJB default - 1) Begin getAppConfigurationEntry(LDAP), size=4
11:35:04,760 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] (EJB default - 1) End getAppConfigurationEntry(LDAP), authInfo=AppConfigurationEntry[]:
[0]
LoginModule Class: org.jboss.security.auth.spi.LdapExtLoginModule
ControlFlag: LoginModuleControlFlag: required
Options:
name=defaultRole, value=maas-users
name=baseFilter, value=(sAMAccountName=alluser)
name=bindDN, value=CN=maas-svc,OU=ServiceAccounts,OU=MAAS,DC=jee,DC=maas,DC=demo
name=rolesCtxDN, value=OU=Users,OU=MAAS,DC=jee,DC=maas,DC=demo
name=roleNameAttributeID, value=cn
name=Context.REFERRAL, value=follow
name=roleRecursion, value=2
name=baseCtxDN, value=OU=Users,OU=MAAS,DC=jee,DC=maas,DC=demo
name=java.naming.factory.initial, value=com.sun.jndi.ldap.LdapCtxFactory
name=java.naming.security.authentication, value=simple
name=allowEmptyPasswords, value=false
name=roleFilter, value=(sAMAccountName=alluser)
name=java.naming.provider.url, value=ldap://10.112.200.154:389
name=bindCredential, value=****
name=roleAttributeIsDN, value=true
name=searchScope, value=SUBTREE_SCOPE
name=roleAttributeID, value=memberOf
name=throwValidateError, value=true
11:35:04,767 TRACE [org.jboss.security.auth.spi.LdapExtLoginModule] (EJB default - 1) initialize
11:35:04,767 TRACE [org.jboss.security.auth.spi.LdapExtLoginModule] (EJB default - 1) Security domain: LDAP
11:35:04,768 TRACE [org.jboss.security.auth.spi.LdapExtLoginModule] (EJB default - 1) login
11:35:04,769 TRACE [org.jboss.security.auth.spi.LdapExtLoginModule] (EJB default - 1) Logging into LDAP server, env={throwValidateError=true, Context.REFERRAL=follow, baseFilter=(sAMAccountName=alluser), allowEmptyPasswords=false, defaultRole=maas-users, java.naming.security.credentials=***, jboss.security.security_domain=LDAP, java.naming.security.authentication=simple, baseCtxDN=OU=Users,OU=MAAS,DC=jee,DC=maas,DC=demo, roleAttributeIsDN=true, rolesCtxDN=OU=Users,OU=MAAS,DC=jee,DC=maas,DC=demo, java.naming.security.principal=CN=maas-svc,OU=ServiceAccounts,OU=MAAS,DC=jee,DC=maas,DC=demo, searchScope=SUBTREE_SCOPE, roleRecursion=2, java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, roleFilter=(sAMAccountName=alluser), roleNameAttributeID=cn, java.naming.provider.url=ldap://10.112.200.154:389, roleAttributeID=memberOf, bindDN=CN=maas-svc,OU=ServiceAccounts,OU=MAAS,DC=jee,DC=maas,DC=demo, bindCredential=***}
11:35:04,787 TRACE [org.jboss.security.auth.spi.LdapExtLoginModule] (EJB default - 1) Logging into LDAP server, env={throwValidateError=true, Context.REFERRAL=follow, baseFilter=(sAMAccountName=alluser), allowEmptyPasswords=false, defaultRole=maas-users, java.naming.security.credentials=***, jboss.security.security_domain=LDAP, java.naming.security.authentication=simple, baseCtxDN=OU=Users,OU=MAAS,DC=jee,DC=maas,DC=demo, roleAttributeIsDN=true, rolesCtxDN=OU=Users,OU=MAAS,DC=jee,DC=maas,DC=demo, java.naming.security.principal=CN=alluser,OU=Users,OU=MAAS,DC=jee,DC=maas,DC=demo, searchScope=SUBTREE_SCOPE, roleRecursion=2, java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, roleFilter=(sAMAccountName=alluser), roleNameAttributeID=cn, java.naming.provider.url=ldap://10.112.200.154:389, roleAttributeID=memberOf, bindDN=CN=maas-svc,OU=ServiceAccounts,OU=MAAS,DC=jee,DC=maas,DC=demo, bindCredential=***}
11:35:04,808 DEBUG [org.jboss.security.auth.spi.LdapExtLoginModule] (EJB default - 1) Bad password for username=3fc70f76-0594-4a72-856d-e444e6c1c721: javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 52e, vece
at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3087) [rt.jar:1.7.0_07] at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3033) [rt.jar:1.7.0_07] at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2835) [rt.jar:1.7.0_07] at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2749) [rt.jar:1.7.0_07] at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:316) [rt.jar:1.7.0_07] at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:193) [rt.jar:1.7.0_07] at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:211) [rt.jar:1.7.0_07] at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:154) [rt.jar:1.7.0_07] at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:84) [rt.jar:1.7.0_07] at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684) [rt.jar:1.7.0_07] at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:307) [rt.jar:1.7.0_07] at javax.naming.InitialContext.init(InitialContext.java:242) [rt.jar:1.7.0_07] at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:153) [rt.jar:1.7.0_07] at org.jboss.security.auth.spi.LdapExtLoginModule.constructInitialLdapContext(LdapExtLoginModule.java:655) [picketbox-4.0.7.Final.jar:4.0.7.Final] at org.jboss.security.auth.spi.LdapExtLoginModule.bindDNAuthentication(LdapExtLoginModule.java:511) [picketbox-4.0.7.Final.jar:4.0.7.Final] at org.jboss.security.auth.spi.LdapExtLoginModule.createLdapInitContext(LdapExtLoginModule.java:438) [picketbox-4.0.7.Final.jar:4.0.7.Final] at org.jboss.security.auth.spi.LdapExtLoginModule.validatePassword(LdapExtLoginModule.java:312) [picketbox-4.0.7.Final.jar:4.0.7.Final] at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:267) [picketbox-4.0.7.Final.jar:4.0.7.Final] at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.7.0_07] at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) 
[rt.jar:1.7.0_07] at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.7.0_07] at java.lang.reflect.Method.invoke(Method.java:601) [rt.jar:1.7.0_07] at javax.security.auth.login.LoginContext.invoke(LoginContext.java:784) [rt.jar:1.7.0_07] at javax.security.auth.login.LoginContext.access$000(LoginContext.java:203) [rt.jar:1.7.0_07] at javax.security.auth.login.LoginContext$4.run(LoginContext.java:698) [rt.jar:1.7.0_07] at javax.security.auth.login.LoginContext$4.run(LoginContext.java:696) [rt.jar:1.7.0_07] at java.security.AccessController.doPrivileged(Native Method) [rt.jar:1.7.0_07] at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:695) [rt.jar:1.7.0_07] at javax.security.auth.login.LoginContext.login(LoginContext.java:594) [rt.jar:1.7.0_07] at org.jboss.security.authentication.JBossCachedAuthenticationManager.defaultLogin(JBossCachedAuthenticationManager.java:449) [picketbox-infinispan-4.0.7.Final.jar:4.0.7.Final] at org.jboss.security.authentication.JBossCachedAuthenticationManager.proceedWithJaasLogin(JBossCachedAuthenticationManager.java:383) [picketbox-infinispan-4.0.7.Final.jar:4.0.7.Final] at org.jboss.security.authentication.JBossCachedAuthenticationManager.authenticate(JBossCachedAuthenticationManager.java:371) [picketbox-infinispan-4.0.7.Final.jar:4.0.7.Final] at org.jboss.security.authentication.JBossCachedAuthenticationManager.isValid(JBossCachedAuthenticationManager.java:160) [picketbox-infinispan-4.0.7.Final.jar:4.0.7.Final] at org.jboss.as.security.service.SimpleSecurityManager.authenticate(SimpleSecurityManager.java:306) [jboss-as-security-7.1.1.Final.jar:7.1.1.Final] at org.jboss.as.security.service.SimpleSecurityManager.push(SimpleSecurityManager.java:272) [jboss-as-security-7.1.1.Final.jar:7.1.1.Final] at org.jboss.as.ejb3.security.SecurityContextInterceptor$1.run(SecurityContextInterceptor.java:49) [jboss-as-ejb3-7.1.1.Final.jar:7.1.1.Final] at 
org.jboss.as.ejb3.security.SecurityContextInterceptor$1.run(SecurityContextInterceptor.java:45) [jboss-as-ejb3-7.1.1.Final.jar:7.1.1.Final] at java.security.AccessController.doPrivileged(Native Method) [rt.jar:1.7.0_07] at org.jboss.as.ejb3.security.SecurityContextInterceptor.processInvocation(SecurityContextInterceptor.java:74) [jboss-as-ejb3-7.1.1.Final.jar:7.1.1.Final] at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.1.Final.jar:1.1.1.Final] at org.jboss.as.ejb3.component.interceptors.LoggingInterceptor.processInvocation(LoggingInterceptor.java:59) [jboss-as-ejb3-7.1.1.Final.jar:7.1.1.Final] at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.1.Final.jar:1.1.1.Final] at org.jboss.as.ee.component.NamespaceContextInterceptor.processInvocation(NamespaceContextInterceptor.java:50) [jboss-as-ee-7.1.1.Final.jar:7.1.1.Final] at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.1.Final.jar:1.1.1.Final] at org.jboss.as.ejb3.component.interceptors.AdditionalSetupInterceptor.processInvocation(AdditionalSetupInterceptor.java:32) [jboss-as-ejb3-7.1.1.Final.jar:7.1.1.Final] at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.1.Final.jar:1.1.1.Final] at org.jboss.as.ee.component.TCCLInterceptor.processInvocation(TCCLInterceptor.java:45) [jboss-as-ee-7.1.1.Final.jar:7.1.1.Final] at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.1.Final.jar:1.1.1.Final] at org.jboss.invocation.ChainedInterceptor.processInvocation(ChainedInterceptor.java:61) [jboss-invocation-1.1.1.Final.jar:1.1.1.Final] at org.jboss.as.ee.component.ViewService$View.invoke(ViewService.java:165) [jboss-as-ee-7.1.1.Final.jar:7.1.1.Final] at org.jboss.as.ee.component.ViewDescription$1.processInvocation(ViewDescription.java:173) 
[jboss-as-ee-7.1.1.Final.jar:7.1.1.Final] at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.1.Final.jar:1.1.1.Final] at org.jboss.invocation.ChainedInterceptor.processInvocation(ChainedInterceptor.java:61) [jboss-invocation-1.1.1.Final.jar:1.1.1.Final] at org.jboss.as.ee.component.ProxyInvocationHandler.invoke(ProxyInvocationHandler.java:72) [jboss-as-ee-7.1.1.Final.jar:7.1.1.Final] at com.gdais.maas.prototype.ejb.SiteSecurityLocal$$$view2.getValidLabelValues(Unknown Source) [SiteSecurityBeansClient.jar:] at com.gdais.maas.prototype.ejb.TargetManagement.getTargetList(TargetManagement.java:149) [TargetManagementBeans.jar:] at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.7.0_07] at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) [rt.jar:1.7.0_07] at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.7.0_07] at java.lang.reflect.Method.invoke(Method.java:601) [rt.jar:1.7.0_07] at org.jboss.as.ee.component.ManagedReferenceMethodInterceptorFactory$ManagedReferenceMethodInterceptor.processInvocation(ManagedReferenceMethodInterceptorFactory.java:72) [jboss-as-ee-7.1.1.Final.jar:7.1.1.Final] at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.1.Final.jar:1.1.1.Final] at org.jboss.invocation.WeavedInterceptor.processInvocation(WeavedInterceptor.
-
4. Re: Trouble Authenticating User using LdapExtLoginModule with Active Directory server
dlofthouse Feb 19, 2013 6:22 AM (in response to wesleydstrickland)
In that code the user/password have been added to the ApplicationRealm using the adduser.bat script and this seems to work fine to get the InitialContext. If I switch the remoting-connector to use the Ldap realm, I immediately get a failure message on the client and no error messages in the server log:
Feb 18, 2013 10:38:15 AM org.jboss.remoting3.remote.RemoteConnection handleException
ERROR: JBREM000200: Remote connection failed: javax.security.sasl.SaslException: Authentication failed: all available authentication mechanisms failed
javax.naming.NamingException: Failed to create remoting connection [Root exception is java.lang.RuntimeException: javax.security.sasl.SaslException: Authentication failed: all available authentication mechanisms failed]
To overcome this you need to configure the client to allow sending the password in the clear; try adding the following property for JNDI: -
props.setProperty("jboss.naming.client.connect.options.org.xnio.Options.SASL_POLICY_NOPLAINTEXT", "false");
-
5. Re: Trouble Authenticating User using LdapExtLoginModule with Active Directory server
wesleydstrickland Feb 19, 2013 6:10 PM (in response to dlofthouse)
Thanks for your reply Darran. It is working now with RMI, and adding that above property was one of the things that was needed. We also had to add the "Remoting" login-module to our LDAP security domain before the LdapExtended module to get things to work as well. So our standalone.xml security subsystem now looks like this:
<subsystem xmlns="urn:jboss:domain:security:1.1">
  <security-domains>
    <security-domain name="other" cache-type="default">
      <authentication>
        <login-module code="Remoting" flag="optional">
          <module-option name="password-stacking" value="useFirstPass"/>
        </login-module>
        <login-module code="RealmUsersRoles" flag="required">
          <module-option name="usersProperties" value="${jboss.server.config.dir}/application-users.properties"/>
          <module-option name="rolesProperties" value="${jboss.server.config.dir}/application-roles.properties"/>
          <module-option name="realm" value="ApplicationRealm"/>
          <module-option name="password-stacking" value="useFirstPass"/>
        </login-module>
      </authentication>
    </security-domain>
    <security-domain name="LDAP" cache-type="default">
      <authentication>
        <login-module code="Remoting" flag="optional">
          <module-option name="password-stacking" value="useFirstPass"/>
        </login-module>
        <login-module code="LdapExtended" flag="required">
          <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
          <module-option name="java.naming.provider.url" value="ldap://hopper.rd.ideas.gd-ais.com:389"/>
          <module-option name="java.naming.security.authentication" value="simple"/>
          <module-option name="bindDN" value="CN=maas-svc,OU=ServiceAccounts,OU=MAAS,DC=JEE,DC=MAAS,DC=DEMO"/>
          <module-option name="bindCredential" value="Password1!"/>
          <module-option name="baseCtxDN" value="OU=Users,OU=MAAS,DC=JEE,DC=MAAS,DC=DEMO"/>
          <module-option name="baseFilter" value="(sAMAccountName={0})"/>
          <module-option name="rolesCtxDN" value="OU=Groups,OU=MAAS,DC=JEE,DC=MAAS,DC=DEMO"/>
          <module-option name="roleFilter" value="(member={1})"/>
          <module-option name="roleAttributeID" value="cn"/>
          <module-option name="roleAttributeIsDN" value="true"/>
          <module-option name="roleNameAttributeID" value="cn"/>
          <module-option name="roleRecursion" value="1"/>
          <module-option name="searchScope" value="SUBTREE_SCOPE"/>
          <module-option name="allowEmptyPasswords" value="false"/>
          <module-option name="throwValidateError" value="true"/>
        </login-module>
      </authentication>
    </security-domain>
    <security-domain name="jboss-web-policy" cache-type="default">
      <authorization>
        <policy-module code="Delegating" flag="required"/>
      </authorization>
    </security-domain>
    <security-domain name="jboss-ejb-policy" cache-type="default">
      <authorization>
        <policy-module code="Delegating" flag="required"/>
      </authorization>
    </security-domain>
  </security-domains>
</subsystem>
Thanks for all your help! Appreciate it!
-Wes
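As an added example (not code from this thread, nor from JBoss or PicketBox), a small Python helper that serves two points raised above: it decodes the "error code 49 ... data 52e" line from the TRACE output in post 3 and flags the UUID-shaped principal in it, and it renders the {0}/{1} placeholders of the final LdapExtended baseFilter/roleFilter from post 5 with RFC 4515 escaping. The AD sub-code table and the UUID heuristic are my assumptions, not something the thread states.

```python
import re
import uuid

# Constructed from the final working LdapExtended module-options posted in this thread.
LDAP_OPTIONS = {
    "baseFilter": "(sAMAccountName={0})",   # searched under baseCtxDN (OU=Users,...)
    "roleFilter": "(member={1})",           # searched under rolesCtxDN (OU=Groups,...)
}

# Active Directory sub-codes that follow "data " in an LDAP error 49 bind failure
# (assumed table from AD documentation; the thread itself only shows 52e).
AD_BIND_DATA_CODES = {
    "525": "user not found",
    "52e": "invalid credentials (wrong password)",
    "530": "not permitted to log on at this time",
    "531": "not permitted to log on at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

# The error-49 line from the TRACE output in post 3 (page-sourced sample input).
SAMPLE_LINE = ("11:35:04,808 DEBUG [org.jboss.security.auth.spi.LdapExtLoginModule] (EJB default - 1) "
               "Bad password for username=3fc70f76-0594-4a72-856d-e444e6c1c721: "
               "javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: "
               "DSID-0C090334, comment: AcceptSecurityContext error, data 52e, vece")

BAD_PASSWORD_RE = re.compile(
    r"Bad password for username=(?P<user>\S+?): .*?error code (?P<code>\d+) .*?, data (?P<data>[0-9a-f]+)")


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: a login name substituted into {0} must not alter the filter's structure."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def render_filters(options: dict, username: str, user_dn: str) -> tuple:
    """Fill the placeholders the way LdapExtLoginModule does: {0} is the login name,
    {1} is the DN that the baseFilter search returned for that user."""
    base = options["baseFilter"].replace("{0}", escape_filter_value(username))
    role = (options["roleFilter"].replace("{0}", escape_filter_value(username))
            .replace("{1}", escape_filter_value(user_dn)))
    return base, role


def looks_like_uuid(name: str) -> bool:
    try:
        uuid.UUID(name)
        return True
    except ValueError:
        return False


def diagnose_bind_failure(line: str):
    """Decode one 'Bad password' DEBUG line; returns None for any other line."""
    m = BAD_PASSWORD_RE.search(line)
    if not m:
        return None
    user, code, data = m.group("user"), m.group("code"), m.group("data")
    findings = []
    if code == "49":
        findings.append(AD_BIND_DATA_CODES.get(data, "unknown AD data code " + data))
    # Heuristic (assumption): a UUID where a sAMAccountName belongs means the caller's identity
    # never reached this security domain, which adding the Remoting login module addressed.
    if looks_like_uuid(user):
        findings.append("principal is a UUID, not a login name; caller identity was not propagated")
    return {"user": user, "code": code, "data": data, "findings": findings}
```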