1 Reply Latest reply on Jul 28, 2015 8:19 AM by sandfurz

    Need help: Jboss EAP 6.4/7.5 access with Fat EJB3 Client using LDAP

    sandfurz Newbie

      Hi,

       

      I'm using Jboss EAP 6.4 and I want to access the server via a Java Swing Client which connects to the EJB3 on the server.

      So far I'm able to connect when the users are stored locally in application-user.properties etc. via the standard ApplicationRealm

       

      <security-realm name="ApplicationRealm">

                      <authentication>

                          <local default-user="$local" allowed-users="*" skip-group-loading="true"/>

                          <properties path="application-users.properties" relative-to="jboss.server.config.dir"/>

                      </authentication>

                      <authorization>

                          <properties path="application-roles.properties" relative-to="jboss.server.config.dir"/>

                      </authorization>

      </security-realm>

       

      [..]

      <subsystem xmlns="urn:jboss:domain:remoting:1.2">

                  <connector name="remoting-connector" socket-binding="remoting" security-realm="ApplicationRealm"/>

      </subsystem>

       

      The client uses the jboss-ejb-client.properties and the user and password is set there:

       

      remote.connection.default.username=myuser

      remote.connection.default.password=mypassword

       

       

       

      Now I want to connect the JBoss to a LDAP server and the Client should authenticate again the users in that LDAP.

       

      I created a new security-realm:

       

      <security-realm name="LdapSecurityrealm">

                      <server-identities>

                          <ssl protocol="TLSv1">

                              <keystore path="admin.jks" relative-to="jboss.server.config.dir" keystore-password="pass" alias="alias"/>

                          </ssl>

                      </server-identities>

                      <authentication>

                          <ldap connection="ldap_connection" base-dn="ou=people,dc=company,dc=eu">

                              <username-filter attribute="uid"/>

                          </ldap>

                      </authentication>

                      <authorization>

                          <ldap connection="ldap_connection">

                              <group-search group-name="SIMPLE" group-name-attribute="cn">

                                  <group-to-principal search-by="DISTINGUISHED_NAME" base-dn="ou=groups,dc=company,dc=eu" recursive="true">

                                      <membership-filter principal-attribute="uniqueMember"/>

                                  </group-to-principal>

                              </group-search>

                          </ldap>

                      </authorization>

      </security-realm>

      <outbound-connections>

                  <ldap name="ldap_connection" url="ldaps://ldap.company.eu:636" search-dn="uid=user,ou=people,dc=company,dc=eu" search-credential="secret"/>

      </outbound-connections>

       

       

      I changed the remoting subsystem:

       

      <subsystem xmlns="urn:jboss:domain:remoting:1.2">

                  <connector name="remoting-connector" socket-binding="remoting" security-realm="LdapSecurityrealm"/>

      </subsystem>

       

      And I expected this should work similar when providing the user/password via the jboss-ejb-client.properties files.

      But it's not working.

       

      Do I need an additional security-domain or what is missing here ?

       

      I hope you can help me.

       

      Many thanks

       

      kr

      Mark

       

      Message was edited by: M P OK, found the solution. In this case, the connection between Client and JBoss has to be SSL. jboss-ejb-clientSSL.properties: endpoint.name=client-endpoint remote.connections=default remote.connection.default.host=host remote.connection.default.port=4447 remote.connection.default.connect.options.org.xnio.Options.SASL_POLICY_NOANONYMOUS=false remote.connection.default.connect.options.org.xnio.Options.SASL_POLICY_NOPLAINTEXT=false remote.connection.default.connect.options.org.xnio.Options.SASL_DISALLOWED_MECHANISMS=JBOSS-LOCAL-USER remote.connection.default.username=user remote.connection.default.password=pass remote.connection.default.connect.options.org.xnio.Options.SSL_STARTTLS=true remote.connectionprovider.create.options.org.xnio.Options.SSL_ENABLED=true