1 Reply Latest reply on Sep 22, 2014 6:00 AM by Dimitris Mouchritsas

    Picketlink IDP with LDAP Authentication

    Dimitris Mouchritsas Newbie

      Hi all,

      I'm new to picketlink and I'm trying to get accustomed to it. I installed the idp-basic and sp-basic quickstarts on wildfly and managed to login succesfully to sales-post up from the idp.

      However now I'm trying to connect the idp to an LDAP (Microsoft AD) server. What I think I should do is change the standalone.xml configuration like this:

      <security-domain name="idp" cache-type="default">
      <authentication>
      <!--<login-module code="UsersRoles" flag="required">-->
      <!--<module-option name="usersProperties" value="users.properties"/>-->
      <!--<module-option name="rolesProperties" value="roles.properties"/>-->
      <!--</login-module>-->
      <login-module code="AdvancedADLdap" flag="required">
      <module-option name="java.naming.provider.url" value="ldap://111.111.1111.111:389/"/>
      <module-option name="bindDN" value="cn=administrator,cn=users,dc=example,dc=com"/>
      <module-option name="bindCredential" value="123456"/>
      <module-option name="baseCtxDN" value="CN=Users,DC=EXAMPLE,DC=COM"/>
      <module-option name="baseFilter" value="(uid={0})"/>
      <module-option name="rolesCtxDN" value="CN=Group,CN=Schema,CN=Configuration,DC=EXAMPLE,DC=COM"/>
      <module-option name="roleFilter" value="(uniqueMember={1})"/>
      <module-option name="roleAttributeID" value="cn"/>
      </login-module>
      </authentication>

      </security-domain>

       

      Is the above configuration correct? Or should I use the idm-ldap quickstart? Also how to enable logging to check what is going on underneath?

      Essentially what I'd like to do is connect idp with MS AD for authentication and provide SSO to sales-post quickstart.

       

      Thank you.

        • 1. Re: Picketlink IDP with LDAP Authentication
          Dimitris Mouchritsas Newbie

          I have finally manged to make this work, with the following configuration:

          <security-domain name="idp" cache-type="default">

              <authentication>

                  <login-module code="org.jboss.security.negotiation.AdvancedADLoginModule" flag="required">

                      <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>

                      <module-option name="java.naming.provider.url" value="ldap://111.111.111.111:389"/>

                      <module-option name="java.naming.security.authentication" value="simple"/>

                      <module-option name="bindDN" value="cn=administrator,cn=users,dc=example,dc=com"/>

                      <module-option name="bindCredential" value="somepass"/>

                      <module-option name="baseCtxDN" value="CN=Users,DC=example,DC=com"/>

                      <module-option name="baseFilter" value="(sAMAccountName={0})"/>

                      <module-option name="searchScope" value="SUBTREE_SCOPE"/>

                      <module-option name="allowEmptyPasswords" value="false"/>

                      <module-option name="throwValidateError" value="true"/>

                      <module-option name="rolesCtxDN" value="CN=Users,DC=example,DC=com"/>

                      <module-option name="roleFilter" value="(sAMAccountName={0})"/>

                      <module-option name="roleAttributeID" value="memberOf"/>

                      <module-option name="roleAttributeIsDN" value="true"/>

                      <module-option name="roleNameAttributeID" value="cn"/>

                      <module-option name="roleRecursion" value="1"/>

                  </login-module>

              </authentication>

          </security-domain>

           

          I also managed to see logs by adding:

                  <logger category="org.jboss.security">
                      <level name="TRACE"/>
                  </logger>

          in the appropriate section of standalone.xml which was very helpful.