jboss ldap search.
np97190 Jan 21, 2016 1:35 AM
Hi All,
Can anyone help me to resolve a use case:
I am running jbpm in jboss wildfly 8 and this is configured to use active directory authentication:
Following is the configuration:
<security-domain name="jbpm_ldap_domain">
    <authentication>
        <login-module code="LdapExtended" flag="required">
            <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
            <module-option name="java.naming.provider.url" value="ldap://serverIP"/>
            <module-option name="java.naming.security.authentication" value="simple"/>
            <module-option name="bindDN" value="CN=Administrator,CN=Users,DC=domain,DC=com"/>
            <module-option name="bindCredential" value="secretpass"/>
            <module-option name="baseCtxDN" value="OU=MYOU,DC=domain,DC=com"/>
            <module-option name="baseFilter" value="(sAMAccountName={0})"/>
            <module-option name="rolesCtxDN" value="ou=MYOU,dc=,dc=com"/>
            <module-option name="roleFilter" value="(member={1})"/>
            <module-option name="roleAttributeID" value="memberOf"/>
            <module-option name="roleAttributeIsDN" value="true"/>
            <module-option name="roleNameAttributeID" value="cn"/>
            <module-option name="allowEmptyPasswords" value="false"/>
            <module-option name="throwValidateError" value="true"/>
        </login-module>
        <login-module code="RoleMapping" flag="optional">
            <module-option name="rolesProperties" value="file:${jboss.home.dir}/standalone/configuration/jbpm-roles.properties"/>
            <module-option name="replaceRole" value="true"/>
        </login-module>
    </authentication>
</security-domain>
jbpm-roles.properties:
BPM_ADMIN=admin
BPM_ANALYST=analyst
BPM_DEVELOPER=developer
BPM_USER=user
BPM_MANAGER=manager
So as of now I am scanning a specific OU for both users and roles.
I want to do it the following way:
1. Scan the complete domain for users.
2. Scan the role groups in one OU.
3. Users with a specific group membership should get admin rights (BPM_ADMIN=admin).
4. All other users should have the 'user' role.
I do not want to add all users to a group to get them the 'user' role in jbpm. Instead, I want to set the default role to 'user', and if I need to grant the 'admin' role I will add the user to the group I have defined for admin users in AD (BPM_ADMIN=admin).
How can this be achieved?
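As an added example (not from the post, and not an official jBPM or WildFly configuration), here is one security-domain layout that covers the four requirements above. It assumes the LdapExtended options searchScope and defaultRole, which are PicketBox LdapExtLoginModule options; the server name, DNs, service account and group OU are placeholders.

```xml
<!-- Added example, not the poster's configuration: whole-domain user search,
     group lookup restricted to one OU, and a default role for everyone.
     Host names, DNs and OU names below are placeholders. -->
<security-domain name="jbpm_ldap_domain">
    <authentication>
        <login-module code="LdapExtended" flag="required">
            <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
            <!-- ldaps:// so the bind password and user passwords are not sent in clear text -->
            <module-option name="java.naming.provider.url" value="ldaps://dc01.example.com:636"/>
            <module-option name="java.naming.security.authentication" value="simple"/>
            <!-- a read-only service account, not the domain Administrator -->
            <module-option name="bindDN" value="CN=svc-jbpm,OU=ServiceAccounts,DC=example,DC=com"/>
            <!-- placeholder: keep the real value in the WildFly vault, not in standalone.xml -->
            <module-option name="bindCredential" value="CHANGE_ME"/>
            <!-- 1. users: start at the domain root and search the whole subtree -->
            <module-option name="baseCtxDN" value="DC=example,DC=com"/>
            <module-option name="baseFilter" value="(sAMAccountName={0})"/>
            <module-option name="searchScope" value="SUBTREE_SCOPE"/>
            <!-- 2. roles: only groups under this OU whose member list contains
                 the authenticated user's DN ({1}); the group cn becomes the role name -->
            <module-option name="rolesCtxDN" value="OU=JBPM-Groups,DC=example,DC=com"/>
            <module-option name="roleFilter" value="(member={1})"/>
            <module-option name="roleAttributeID" value="cn"/>
            <module-option name="roleAttributeIsDN" value="false"/>
            <!-- 4. every authenticated user gets this role without any group membership -->
            <module-option name="defaultRole" value="user"/>
            <module-option name="allowEmptyPasswords" value="false"/>
            <module-option name="throwValidateError" value="true"/>
        </login-module>
        <!-- 3. jbpm-roles.properties now only needs the line BPM_ADMIN=admin;
             members of the AD group BPM_ADMIN get "admin" in addition to "user" -->
        <login-module code="RoleMapping" flag="optional">
            <module-option name="rolesProperties" value="file:${jboss.home.dir}/standalone/configuration/jbpm-roles.properties"/>
            <module-option name="replaceRole" value="true"/>
        </login-module>
    </authentication>
</security-domain>
```

Check the result with a test login as a user who is in no group under the group OU: the server log should show the principal with only the "user" role, and a member of BPM_ADMIN should additionally carry "admin".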