2 Replies Latest reply on Nov 9, 2004 9:12 AM by Aaron Hawkins

    LdapLoginModule authenticates against active directory, but

    Aaron Hawkins Newbie

      I can authenticate against active directory using the jboss LdapLoginModule, however, there are no roles returned. I am able to use a different login module that doesn't use ldap to authenticate and authorize, but I would really like to use an ldap implementation. Any help would be welcome.

      Aaron Hawkins

        • 1. Re: LdapLoginModule authenticates against active directory,
          Aaron Hawkins Newbie

          Let me give you some more information.
          I have tried using the jboss ldaploginmodule with a tomcat jaas realm. I have been able to authenticate agains active directory, but the only group returned was Roles. From reading some jboss documentation, I think that the active directory groups are a subgroup to Roles. This seems to be specific to Jboss, because Tomcat isn't expecting the groups to be in a subgroup.

          So I've tried to use jboss completely to see if that would fix the problem. Now, I can authenticate, but there are no groups returned. Do I need to specify what implementation of userprinciple to use, like I did in the tomcat realm? I try to log into a protected directory and access is denied. Then I go to a jsp page that is unprotected that returns <%=request.getUserPrincipal()%> which only shows my username. So I dont understand why I can't access the group information. I'm using Form based authentication. Thanks

          • 2. Re: LdapLoginModule authenticates against active directory,
            Aaron Hawkins Newbie

            Here is my login-config.xml entry

            <application-policy name = "web-console">

            <login-module code="org.jboss.security.auth.spi.LdapLoginModule"
            flag = "required">
            <module-option name="java.naming.provider.url">ldap://myserver/</module-option>
            <module-option name="rolesCtxDN">dc=asrs,dc=local</module-option>
            <module-option name="uidAttributeID">userPrincipalName</module-option>
            <module-option name="roleAttributeID">memberOf</module-option>
            <module-option name="roleAttributeIsDN">true</module-option>
            <module-option name="roleNameAttributeID">name</module-option>
            </login-module>

            </application-policy>