3 Replies Latest reply on Jun 13, 2005 11:32 PM by Jed Danner

    LDapLoginModule and Active Directory

    Dan Tauber Newbie

      I have an application that uses LdapLoginModule to authenticate against a LDAP server. I've successfully set it up to authenticate against openLDAP and Domino, but am having no luck configuring it to work with Active Directory.

      I can bind to the Active Directory using an ldapsearch command like:

      ldapsearch -H ldap://10.0.1.4:389 -W -x -D "dtauber@VASoftware.local" -b cn=Users,dc=VASoftware,dc=local


      My login-config.xml file includes the following:


      <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required" >
      <module-option name="java.naming.provider.url">ldap://10.0.1.4:389</module-option>
      <module-option name="rolesCtxDN">CN=Users,DC=VASoftware,DC=local</module-option>
      <module-option name="principalDNSuffix">@VASoftware.local</module-option>
      <module-option name="matchOnUserDN">false</module-option>
      <module-option name="uidAttributeID">sAMAccountName</module-option>
      <module-option name="roleAttributeID">memberOf</module-option>
      <module-option name="roleAttributeIsDN">false</module-option>
      <module-option name="roleNameAttributeID">name</module-option>
      <module-option name="java.naming.security.authentication">simple</module-option>
      <module-option name="allowEmptyPasswords">false</module-option>
      <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
      <module-option name="java.naming.security.authentication">simple</module-option>
      </login-module>


      I've also tried variations on the above, including with and without the @VASoftware.local suffix on the DN and both sAMAccountName and userPrincipalName for the uidAttribute ID.

      The Active Directory on in my test environment is pretty straight forward -- basically it is the way it was originally crated, with a few users added.

      Thanks,

      Dan

        • 1. Re: LDapLoginModule and Active Directory
          sandipan shandilya Newbie

          Hi,

          I am facing the similar problem. Have you got any luck.

          Thanks

          • 2. Re: LDapLoginModule and Active Directory
            Jed Danner Newbie

            I couldn't get this to work on JBoss 3.x.

            I recently upgraded to 4.0.2 and changed the line above from:

            <module-option name="roleAttributeIsDN">false</module-option>

            To 'true' instead of false. This is because the 'memberOf' is a DN under the user DN.

            Things are working for me. Hope this helps!

            -Jed

            • 3. Re: LDapLoginModule and Active Directory
              Jed Danner Newbie

              I just tried this in JBoss 3.2.6, it works as well as in 4.0.2:

              <application-policy name="ApplicationModuleName">

              <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required" >
              <module-option name="java.naming.provider.url">ldap://192.168.1.1:389</module-option>
              <module-option name="rolesCtxDN">CN=Users,DC=MyCompany,DC=com</module-option>
              <module-option name="principalDNSuffix">@MyCompany.com</module-option>
              <module-option name="matchOnUserDN">false</module-option>
              <module-option name="uidAttributeID">sAMAccountName</module-option>
              <module-option name="roleAttributeID">memberOf</module-option>
              <module-option name="roleAttributeIsDN">true</module-option>
              <module-option name="roleNameAttributeID">name</module-option>
              <module-option name="java.naming.security.authentication">simple</module-option>
              <module-option name="allowEmptyPasswords">false</module-option>
              <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
              <module-option name="java.naming.security.authentication">simple</module-option>
              </login-module>

              </application-policy>


              For this I just login with my username (no domain name).

              Good Luck!

              -Jed