1 Reply Latest reply on Oct 8, 2015 12:56 PM by suman suman

    LDAP authentication using multiple groups

    Lucas van Braam van Vloten Newbie



      I am running JBoss EAP 6.0.1.GA (AS 7.1.3.Final-redhat-4)


      Within my SecurityRealm I perform LDAP authentication against a Microsoft AD server to allow access to the JBoss Admin interface.


      My question is: is it possible to use more than one LDAP group for authentication, and how can it be configured?


      Further explanation:

      Using the configuration below I can authorize users to log in to the JBoss Admin interface in the Active Directory, by making them a member of the "jbossadmins" group.


      However, I would like to use more than one group to authenticate users; for example, group 'linuxadmins' in addition to 'jbossadmins'.

      So that users will be allowed to log in if they are a member of group "linuxadmins" OR a member of group "jbossadmins".


      I can think of the following approaches:

      - make group "linuxadmins" a member (nested group) of "jbossadmins"; however, this does not work. Members of "linuxadmins" cannot log in to the Admin interface.

      The attribute "recursive=true" does not make a difference.

      - Add a second element "advanced-filter", but this is not allowed;

      - Use a different method to authenticate against LDAP, for example PAM and/or SSSD (don't know if possible / how)


      Any ideas would be appreciated!


      My current configuration works perfectly, but I can only use group "jbossadmins" and no nested groups:




          <security-realm name="ManagementRealm">
              <authentication>
                  <ldap connection="ldap_connection" base-dn="CN=Users,DC=ACME,DC=COM" recursive="true">
                      <advanced-filter filter="(&amp;(sAMAccountName={0})(memberOf=CN=jbossadmins,CN=Users,DC=acme,DC=com))"/>
                  </ldap>
              </authentication>
          </security-realm>

          <!-- Outbound LDAP connection the realm refers to by name. The enclosing
               <authentication> / <outbound-connections> elements and the closing tags
               were lost from the posted snippet and are restored here. -->
          <outbound-connections>
              <ldap name="ldap_connection" url="ldaps://ldapserver1.acme.com:636 ldaps://ldapserver2.acme.com:636" search-dn="cn=adreader,cn=users,dc=acme,dc=com" search-credential="SecretPassword"/>
          </outbound-connections>





      Kind regards,
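An added example, not code from the original post or from JBoss: a minimal evaluator for the filter subset that `<advanced-filter>` uses (equality, `&`, `|`), run against constructed AD-style entries, shows why the posted single-group filter rejects members of `linuxadmins` and how an OR over both `memberOf` values accepts members of either group. The user names and directory entries are constructed samples.

```python
# Added example (not from the original post or from JBoss): evaluates the subset of
# RFC 4515 LDAP filters that the <advanced-filter> element uses (equality, &, |)
# against constructed AD-style entries. All names and entries below are made up.

JBOSS = "CN=jbossadmins,CN=Users,DC=acme,DC=com"
LINUX = "CN=linuxadmins,CN=Users,DC=acme,DC=com"

# Filter from the post (one group only), XML-unescaped. EITHER_GROUP is the same
# filter with an OR over both groups; in standalone.xml '&' must be '&amp;'.
SINGLE_GROUP = "(&(sAMAccountName={0})(memberOf=%s))" % JBOSS
EITHER_GROUP = "(&(sAMAccountName={0})(|(memberOf=%s)(memberOf=%s)))" % (JBOSS, LINUX)


def parse(s, i=0):
    """Parse the parenthesised filter starting at s[i]; return (node, next_index)."""
    assert s[i] == "(", "filter must start with '('"
    i += 1
    if s[i] in "&|":                      # AND / OR over nested filters
        op, i, kids = s[i], i + 1, []
        while s[i] == "(":
            kid, i = parse(s, i)
            kids.append(kid)
        return (op, kids), i + 1          # skip the closing ')'
    j = s.index(")", i)                   # simple equality: (attr=value)
    attr, _, value = s[i:j].partition("=")
    return ("=", attr, value), j + 1


def matches(node, entry):
    """Evaluate a parsed filter against an entry (dict: attribute -> list of values)."""
    if node[0] in "&|":
        combine = all if node[0] == "&" else any
        return combine(matches(k, entry) for k in node[1])
    _, attr, value = node
    # AD attribute names and DNs compare case-insensitively.
    vals = next((v for a, v in entry.items() if a.lower() == attr.lower()), [])
    return any(v.lower() == value.lower() for v in vals)


def can_log_in(filter_template, username, entry):
    """Substitute the login name for {0}, as JBoss does, then evaluate the filter."""
    return matches(parse(filter_template.replace("{0}", username))[0], entry)


# Constructed directory: linuxadmins is nested inside jbossadmins, but AD's memberOf
# attribute lists only the groups a user is a direct member of.
USERS = {
    "alice": {"sAMAccountName": ["alice"], "memberOf": [JBOSS]},
    "bob":   {"sAMAccountName": ["bob"],   "memberOf": [LINUX]},
    "eve":   {"sAMAccountName": ["eve"],   "memberOf": []},
}
```

Note that the `recursive` attribute on `<ldap>` only makes the user search subtree-scoped under `base-dn`; it does not expand group nesting, which is why the nested-group approach fails against AD, whose `memberOf` lists direct memberships only.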