3 Replies Latest reply on Aug 29, 2014 6:53 AM by Darran Lofthouse

    JBoss + LDAP (Active Directory)

    Arne Ewald Newbie

      Hi,

      I am trying to connect JBoss to our Active Directory for authentication. It should be the first step to authenticate the Management console against the LDAP before the next steps to secure web applications with SPNEGO and so on.

      So I did as in this article: LDAP Security Realm Examples | JBoss Developer.

      With the following:

      <security-realm name="LDAPRealm">
        <authentication>
          <ldap connection="ldap_connection" base-dn="OU=User,DC=xxx,DC=xx,DC=xxx">
            <!--<username-filter attribute="sAMAccountName"/>-->
            <advanced-filter filter="(&amp;(sAMAccountName={0})(memberOf=CN=a_group,OU=User,DC=xxx,DC=xx,DC=xxx))"/>
          </ldap>
        </authentication>
      </security-realm>

      The authentication works fine with the username-filter, but then logically all users in the whole AD can authenticate to use the Management console. Then I tried to use the advanced-filter tag without success. I do not know how to change the attribute to give only one AD group the possibility to authenticate, for example as I tried for the group a_group as follows:

      a_group is a subgroup of OU=sub_groups

      sub_groups is a subgroup of OU=our_groups

      our_groups is like the OU=Users on the same level.

      Is this the right place to do it? In the article you can read about the authorization tag, but I do not know the sense of it because there is no example where you authorize only a group or a resource.

      I hope I could describe my problem.

        • 1. Re: JBoss + LDAP (Active Directory)
          Darran Lofthouse Master

          You would be better off using a later EAP release, preferably EAP 6.3, where group loading from LDAP is possible - at that point you can then enable group loading from LDAP along with access control to restrict which groups are authorized to access the management API.

          • 2. Re: JBoss + LDAP (Active Directory)
            Arne Ewald Newbie

            Hi,

            thank you for your answer, but I think then another problem would pop up, because the documentation at this point is more than poor and frustrating. I cannot find documentation nor complete examples. For example, in the documentation for EAP 6.3 https://access.redhat.com/documentation/en-US/JBoss_Enterprise_Application_Platform/6.3/html/Security_Guide/About_Author… you have the authorization tag, but before and after there is nothing about the authentication tag. Do I need it, or is the authentication part of the authorization? And where is the restriction to only one AD group?

            Do you have an idea if my approach has a mistake in the syntax?

            <advanced-filter filter="(&amp;(sAMAccountName={0})(memberOf=CN=a_group,OU=User,DC=xxx,DC=xx,DC=xxx))"/>

            I cannot imagine that this is right, because I specify via the base-dn attribute where the users are; do I have to put in the filter where the groups are? Sorry for the question, but I am not an AD specialist.

            In addition I would try EAP 6.3. Perhaps someone has an example?

            • 3. Re: JBoss + LDAP (Active Directory)
              Darran Lofthouse Master

              The authorization tag is after the authentication tag - the schemas are included with the distribution you are using.


              The authentication element defines how we verify the remote user is who they say they are, the authorization tag then defines how we load additional information about that user to use for authorization decisions.
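The setup Darran describes (authenticate any AD user, load the user's groups in the authorization element, then let RBAC decide who may use the management API), as an added example that is not from this thread or the EAP documentation. It assumes the EAP 6.3 / WildFly 8 management schema element names, that the outbound LDAP connection ldap_connection is already defined as in the original post, and uses constructed placeholder DNs.

```xml
<!-- standalone.xml fragment (EAP 6.3 / WildFly 8 management schema assumed).
     Base DNs and the group name are constructed placeholders;
     the outbound-connection "ldap_connection" is assumed to exist already. -->
<management>
  <security-realms>
    <security-realm name="LDAPRealm">
      <authentication>
        <!-- Step 1: only verify the password against AD; no group check here -->
        <ldap connection="ldap_connection" base-dn="OU=User,DC=example,DC=com">
          <username-filter attribute="sAMAccountName"/>
        </ldap>
      </authentication>
      <authorization>
        <!-- Step 2: resolve the user's DN, then load its AD groups -->
        <ldap connection="ldap_connection">
          <username-to-dn>
            <username-filter base-dn="OU=User,DC=example,DC=com" attribute="sAMAccountName"/>
          </username-to-dn>
          <!-- memberOf on the user entry holds the DNs of its groups (in any OU);
               each DN is mapped to the group's cn, iterative="true" follows nesting -->
          <group-search group-name="SIMPLE" iterative="true"
                        group-dn-attribute="dn" group-name-attribute="cn">
            <principal-to-group group-attribute="memberOf"/>
          </group-search>
        </ldap>
      </authorization>
    </security-realm>
  </security-realms>
  <management-interfaces>
    <http-interface security-realm="LDAPRealm">
      <socket-binding http="management-http"/>
    </http-interface>
  </management-interfaces>
  <!-- Step 3: only members of a_group get a management role; any other AD user
       authenticates successfully but is mapped to no role and is denied -->
  <access-control provider="rbac">
    <role-mapping>
      <role name="SuperUser">
        <include>
          <user name="$local"/>
          <group name="a_group"/>
        </include>
      </role>
    </role-mapping>
  </access-control>
</management>
```

With this split the LDAP filter in the original post is no longer needed for restricting access: the group check moves out of the bind step and into role mapping, which is also what shows up in the audit log when a user is refused.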