5 Replies Latest reply on Nov 10, 2016 3:17 PM by shawkins

    How to set up SSO in JBoss DV EAP 6.3 ?

    debashishsaha004

      Hello everyone,

      Can anyone please give me some advice on how to set up SSO using MS Active Directory as the authenticator?

      In addition, the requirement is to connect to Hive using a principal which in turn needs authentication from the LDAP mentioned above.

        • 2. Re: How to set up SSO in JBoss DV EAP 6.3 ?
          debashishsaha004

          Hi ramesh ,

          Thank you for replying.

          I have read the document but I have some doubts.

          Actually, I have a server principal <abc.mycompany.com> along with its password. I have the MIT Kerberos client installed to get a ticket for this particular user.

          I have a .keytab file associated with this user. Till now what I did is:

           

           

           

          <transport name="jdbc" protocol="teiid" socket-binding="teiid-jdbc">
            <authentication security-domain="teiid-security" krb5-domain="host"/>
          </transport>

          ----------------------------------------

          <security-domain name="host">
            <authentication>
              <login-module code="Kerberos" flag="required">
                <module-option name="storeKey" value="true"/>
                <module-option name="useKeyTab" value="true"/>
                <module-option name="principal" value="host/abc@mycompany.com"/> <!-- service principal -->
                <module-option name="keyTab" value="/path/to/service.keytab"/>
                <module-option name="doNotPrompt" value="true"/>
                <module-option name="debug" value="false"/>
              </login-module>
            </authentication>
          </security-domain>

          ----------------------------------------

          <security-domain name="mycompany">
            <authentication>
              <!-- Check the username and password -->
              <login-module code="SPNEGO" flag="requisite">
                <module-option name="password-stacking" value="useFirstPass"/>
                <module-option name="serverSecurityDomain" value="host"/>
              </login-module>
              <!-- Search for roles -->
              <login-module code="UserRoles" flag="requisite">
                <module-option name="password-stacking" value="useFirstPass"/>
                <module-option name="usersProperties" value="spnegousers.properties"/>
                <module-option name="rolesProperties" value="spnegoroles.properties"/>
              </login-module>
            </authentication>
          </security-domain>

           

           

          Now my doubt is: there has to be an outbound connection to LDAP, right? So that the roles can be fetched. I could not find any authorization module having LDAP configuration. How is authentication done if I don't use LDAP configuration along with the role search pattern?

          Please let me know if I am wrong at any point, as well as whether the modification in the standalone.xml is correct or not.

           

           

          Thank you

          Debashish Saha

          • 3. Re: How to set up SSO in JBoss DV EAP 6.3 ?
            rhn-engineering-rareddy

            Debashish,

             

            The concern of LDAP being used is behind the Kerberos configuration, i.e. Kerberos is supported over Active Directory, MIT Kerberos server etc., and the configuration for that exists there. In the above, it lets you assign the additional roles using the properties file. IMO, you can also configure an LDAP security domain for roles with a little variation of 4.3. LDAP Based Authentication Module - Red Hat Customer Portal

            But that is something I never tried, and it is beyond the scope of this thread. Here we are saying authenticate using Kerberos and use LDAP for roles. If you authenticate directly with LDAP, the role information can be read.

             

            Ramesh..

            • 4. Re: How to set up SSO in JBoss DV EAP 6.3 ?
              debashishsaha004

              Capture.PNG

               

              Chapter 2. How to Setup SSO for Red Hat JBoss Enterprise Application Platform 6 with Kerberos - Red Hat Customer Portal

              The screenshot is taken from the link mentioned here.

              Can you please tell me what the login module name would be in the document that you have provided? I doubt it to be "AdvancedAdLdap". If I am right, can you please let me know what the parameters would be for writing up the module in the case of AdvancedAdLDAP?

              • 5. Re: How to set up SSO in JBoss DV EAP 6.3 ?
                shawkins

                Yes, you would use AdvancedAdLdap. To do the chaining of authentication mentioned in Chapter 16. Login Modules, you need the bindAuthentication set to GSSAPI and the jaasSecurityDomain to reference the KerberosLoginModule security domain.
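
The chaining described in the last reply, sketched as an added example that is not part of the original thread: the "mycompany" domain from the question with the UserRoles module replaced by AdvancedAdLdap, bound via GSSAPI through the "host" Kerberos domain. The LDAP URL, baseCtxDN and baseFilter values are placeholders that assume a typical Active Directory layout.

```xml
<!-- Added example, not from the thread. The LDAP URL, baseCtxDN and baseFilter
     values are placeholders/assumptions for a typical Active Directory layout. -->
<security-domain name="mycompany">
  <authentication>
    <!-- Accept the client's Kerberos ticket via SPNEGO, validated with the
         service keytab loaded by the "host" security domain -->
    <login-module code="SPNEGO" flag="requisite">
      <module-option name="password-stacking" value="useFirstPass"/>
      <module-option name="serverSecurityDomain" value="host"/>
    </login-module>
    <!-- Look up roles in the directory instead of spnegoroles.properties -->
    <login-module code="AdvancedAdLdap" flag="required">
      <module-option name="password-stacking" value="useFirstPass"/>
      <!-- Bind to LDAP with GSSAPI using the identity from the "host" domain,
           so no bindDN/bindCredential password is stored in standalone.xml -->
      <module-option name="bindAuthentication" value="GSSAPI"/>
      <module-option name="jaasSecurityDomain" value="host"/>
      <!-- Placeholder directory server -->
      <module-option name="java.naming.provider.url" value="ldap://ad.example.com:389"/>
      <!-- Placeholder search base for user entries -->
      <module-option name="baseCtxDN" value="CN=Users,DC=example,DC=com"/>
      <!-- Assumed filter: match the authenticated principal (user@REALM) -->
      <module-option name="baseFilter" value="(userPrincipalName={0})"/>
      <!-- Roles come from group membership; the group's cn is the role name -->
      <module-option name="roleAttributeID" value="memberOf"/>
      <module-option name="roleAttributeIsDN" value="true"/>
      <module-option name="roleNameAttributeID" value="cn"/>
      <module-option name="recurseRoles" value="true"/>
    </login-module>
  </authentication>
</security-domain>
```

The keytab referenced by the "host" domain holds the service key, so it should be readable only by the account that runs the JBoss server.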