0 Replies Latest reply on Jul 10, 2015 4:49 AM by danny1988

    JBoss EAP 6.1 LDAP Role Mapping Problem

    danny1988

      Hi,


      I am currently trying to integrate Active Directory authentication into my java application which is running on JBoss EAP 6.1.

      The LDAP connection works fine and authenticates; however, I'm struggling to figure out how to map the groups the user is attached to in Active Directory to the roles in the application.


      The group I have in Active Directory is called GS_App_Teamleaders.


      I have a group set in my web.xml file as follows, which holds the roles attached to the group:

      <security-constraint>
        <display-name>TeamLeaders</display-name>
        <web-resource-collection>
         <web-resource-name>TeamLeaders</web-resource-name>
         <description>The reporting functionality</description>
         <url-pattern>/jsp/layout/useDisplayMIActionRequests.jsp</url-pattern>
         <url-pattern>/jsp/layout/useDisplayMIActionRequestsPrint.jsp</url-pattern>
         <url-pattern>/jsp/layout/useDisplayMIPostcodeBreakdown.jsp</url-pattern>
         <url-pattern>/jsp/layout/useDisplayMIPostcodeBreakdownPrint.jsp</url-pattern>
         <url-pattern>/jsp/layout/useDisplayMIPreferredDay.jsp</url-pattern>
         <url-pattern>/jsp/layout/useDisplayMIPreferredDayPrint.jsp</url-pattern>
         <http-method>GET</http-method>
         <http-method>PUT</http-method>
         <http-method>HEAD</http-method>
         <http-method>TRACE</http-method>
         <http-method>POST</http-method>
         <http-method>DELETE</http-method>
         <http-method>OPTIONS</http-method>
        </web-resource-collection>
        <auth-constraint>
         <role-name>TotalsReporter</role-name>
         <role-name>ReceivedReporter</role-name>
         <role-name>PostcodeReporter</role-name>
         <role-name>PremiumsReporter</role-name>
         <role-name>UnpaidsReporter</role-name>
         <role-name>ArrearsReporter</role-name>
         <role-name>PerformanceReporter</role-name>
         <role-name>TransactionsReporter</role-name>
        </auth-constraint>
       </security-constraint>
      


      In my standalone.xml file I have the following code, which does authenticate via Active Directory; I am just struggling to see how you can map an Active Directory group to a role in JBoss EAP.

      <security-domain name="ldap">
        <authentication>
          <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">
            <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
            <module-option name="java.naming.security.authentication" value="simple"/>
            <module-option name="java.naming.provider.url" value="ldap://localhost:389"/>
            <module-option name="rolesCtxDN" value="OU=Users,OU=GroupFunctions,DC=domain,DC=com"/>
            <module-option name="roleAttributeID" value="memberOf"/>
            <module-option name="roleAttributeIsDN" value="true"/>
            <module-option name="roleNameAttributeID" value="cn"/>
            <module-option name="uidAttributeID" value="member"/>
            <module-option name="matchOnUserDN" value="true"/>
            <module-option name="allowEmptyPasswords" value="false"/>
          </login-module>
        </authentication>
      </security-domain>
      


      Can anyone help?


      Thanks!


      Dan
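
As an added example (not part of the original post, and not an official answer from the thread), the standard way in JBoss EAP 6 / PicketBox to translate an LDAP group name such as GS_App_Teamleaders into the application role names declared in web.xml is to chain a RoleMappingLoginModule after the LdapLoginModule in the same security domain. The LdapLoginModule produces the group's cn as a role; the mapping module then looks that role name up in a properties file and adds (or, with replaceRole=true, substitutes) the application roles listed for it. The file location ${jboss.server.config.dir}/ldap-roles.properties and the key/value lines shown in the comment are assumptions for this example; the rest of the LDAP options are copied from the post.

```xml
<!-- Added example: standalone.xml security domain with LDAP authentication
     followed by group-to-role mapping. File path and role list are assumed. -->
<security-domain name="ldap">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">
      <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
      <module-option name="java.naming.security.authentication" value="simple"/>
      <module-option name="java.naming.provider.url" value="ldap://localhost:389"/>
      <module-option name="rolesCtxDN" value="OU=Users,OU=GroupFunctions,DC=domain,DC=com"/>
      <module-option name="roleAttributeID" value="memberOf"/>
      <module-option name="roleAttributeIsDN" value="true"/>
      <!-- cn of the group entry becomes the role name, e.g. GS_App_Teamleaders -->
      <module-option name="roleNameAttributeID" value="cn"/>
      <module-option name="uidAttributeID" value="member"/>
      <module-option name="matchOnUserDN" value="true"/>
      <module-option name="allowEmptyPasswords" value="false"/>
    </login-module>

    <!-- Runs after the LDAP module and rewrites the Roles group on the subject.
         Keys in the properties file must match the role names the LDAP module
         produced exactly (case-sensitive); unknown roles pass through untouched. -->
    <login-module code="org.jboss.security.auth.spi.RoleMappingLoginModule" flag="optional">
      <!-- Assumed location; the option accepts a file path or classpath resource.
           Assumed contents of ldap-roles.properties (original_role=role1,role2,...):

           GS_App_Teamleaders=TotalsReporter,ReceivedReporter,PostcodeReporter,PremiumsReporter,UnpaidsReporter,ArrearsReporter,PerformanceReporter,TransactionsReporter
      -->
      <module-option name="rolesProperties" value="${jboss.server.config.dir}/ldap-roles.properties"/>
      <!-- true: drop the raw AD group name from the subject so only application
           roles remain; false (default) keeps both the group name and the mapped roles -->
      <module-option name="replaceRole" value="true"/>
    </login-module>
  </authentication>
</security-domain>
```

Two checks worth doing when this does not take effect: first, confirm the exact role string the LdapLoginModule emits (enable TRACE logging for org.jboss.security, or temporarily add the raw group name to an auth-constraint), because a mismatch between that string and the properties key means nothing is mapped; second, make sure every mapped role is also declared in web.xml under a `<security-role>` element, since the container only honours roles it knows about. Setting replaceRole to true is the more conservative choice from a least-privilege standpoint, as it stops raw directory group names from doubling as application roles anywhere the group name happens to coincide with a role-name.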