I am no expert, in fact I am a newbie :-), but I have been able to authenticate against Active Directory with the browseldapmodule. If you search the forums you can find info on it. You will have to download it and deploy it.
To authenticate with a login username of user1, a principalDNPrefix='uid=' and a principalDNSuffix='ou=Group1,ou=People,dc=mycompany,dc=com' are required. Configurations based on users are not supported by the LdapLoginModule, so your schema is not supported since users are not under a single context.
Thanks for the reply.
I did not think that the JBoss code was so inflexible.
This seems to come up fairly frequently when using Active Directory. Not sure why, maybe because admins are encouraged to sub-container users for group policy assignment?
I believe most people solve this by writing their own login module, which JBoss makes very easy. But considering that JBoss already provides an LDAP login module that does almost everything needed, it seems like it might be a good idea to make a small change to this provided module to support a search scope extending below the starting container.
For example, replace line 312 of the org.jboss.security.auth.spi.LdapLoginModule in JBoss AS 4.0.2 with:
SearchControls ctls = new SearchControls();
ctls.setReturningAttributes(roleAttr);
// search the whole subtree below rolesCtxDN instead of only its immediate children
ctls.setSearchScope(SearchControls.SUBTREE_SCOPE);
String filter = "(" + uidAttrName + "=" + username + ")";
NamingEnumeration answer = ctx.search(rolesCtxDN, filter, ctls);
Then, the LdapLoginModule could be used out of the box with Active Directory even when users are placed in containers under the Users (or People, etc.) container.
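As an added example (not code from this thread or from the JBoss LdapLoginModule), here is the search-then-bind flow the post above describes as a stand-alone JNDI snippet: the user's DN is located with a SUBTREE_SCOPE search below one base context, then the password is proven by binding as that DN. The server URL, service account, base DN and attribute name are placeholder assumptions; escaping the login name before it is spliced into the filter, rejecting an empty password, and refusing an ambiguous match are additions a defender would want that the thread does not discuss.

```java
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
public class SubtreeLdapAuth {
    // Placeholder connection details (assumptions, not values from the thread).
    static final String URL = "ldap://ad.example.internal:389";
    static final String SERVICE_DN = "cn=svc-jboss,ou=Service,dc=mycompany,dc=com";
    static final String SERVICE_PW = "<service-account-password>";
    static final String BASE_DN = "ou=People,dc=mycompany,dc=com";
    static final String UID_ATTR = "sAMAccountName";
    static DirContext connect(String principal, String credentials) throws NamingException {
        java.util.Hashtable<String, String> env = new java.util.Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, principal);
        env.put(Context.SECURITY_CREDENTIALS, credentials);
        return new InitialDirContext(env);
    }
    // Escape RFC 4515 filter metacharacters so a login name cannot change the filter's meaning.
    static String escapeFilter(String s) {
        return s.replace("\\", "\\5c").replace("*", "\\2a").replace("(", "\\28").replace(")", "\\29").replace("\0", "\\00");
    }
    // Find the user anywhere below BASE_DN, then prove the password by binding as that DN.
    static boolean authenticate(String username, String password) throws NamingException {
        if (password == null || password.isEmpty()) return false; // empty password = anonymous bind on AD
        DirContext ctx = connect(SERVICE_DN, SERVICE_PW);
        try {
            SearchControls ctls = new SearchControls();
            ctls.setSearchScope(SearchControls.SUBTREE_SCOPE); // the change the post proposes
            ctls.setReturningAttributes(new String[0]);        // only the entry's DN is needed
            String filter = "(" + UID_ATTR + "=" + escapeFilter(username) + ")";
            NamingEnumeration<SearchResult> answer = ctx.search(BASE_DN, filter, ctls);
            if (!answer.hasMore()) return false;
            String userDn = answer.next().getNameInNamespace();
            if (answer.hasMore()) return false;   // ambiguous login name: refuse rather than guess
            connect(userDn, password).close();    // throws AuthenticationException on a bad password
            return true;
        } catch (AuthenticationException e) {
            return false;
        } finally {
            ctx.close();
        }
    }
}
```

The service-account bind is only needed to read the directory; the user's own password is checked solely by the second bind, so a wrong password never reaches the search step.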