3 Replies Latest reply on Jan 24, 2006 4:57 PM by abickford

    authentication via ldap and role via database.

    jbossalexandre

      I set up JBoss so that it checks the password with my LDAP. Now I want it to get the user role from a database, but only the role (not checking the password once again, because passwords are only stored in the LDAP).
      How can I do that?
      alex

        • 1. Re: authentication via ldap and role via database.
          jbossalexandre

          Trying to be clearer: the doc chapter 8.4.6.3 says:
          It's often the case that a local LDAP server provides identity and authentication services but is unable to use the authorization services. This is because application roles don't always map well onto LDAP groups, and LDAP administrators are often hesitant to allow external application-specific data in central LDAP servers. For this reason, the LDAP authentication module is often paired with another login module, such as the database login module, that can provide roles more suitable to the application being developed.

          but chapter 8.4.6.4 says about the databaseLoginModule:
          You would use this login module if you have your username, password and role information relational database
          My question:
          How can I use the databaseLoginModule just to retrieve roles, or what module should I use to do so? I don't have the password in the database.
          Thanks in advance for help, link or anything useful.

          • 2. Re: authentication via ldap and role via database.
            joris77

            I'm not an expert, but I think you have to write your own custom login module and, after you have authenticated with LDAP, call the database for the roles with the user id.

            Regards,

            Joris Wijlens

            • 3. Re: authentication via ldap and role via database.
              abickford

              I came across the same documentation and it sounds like these modules could be chained together to achieve this functionality. So far I have not been successful in getting this to work. I'd hate to write a custom LoginModule out of ignorance of what is already in place. It seems like there would be a standard solution/best practice for this use case.

              From what I've found, as long as the username/password are the same in both LDAP and the DB, you are fine. If they don't match, you are out of luck. Is there a way, short of hacking the source code, to get the DatabaseServerLoginModule to ignore the password/principalsQuery and just add the roles that match the userID previously authenticated by LDAP? Or is what I'm asking dangerous and not supported?

              adam
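
The chaining discussed in this thread, as an added example that is not from any of the posters or from the JBoss documentation: a `login-config.xml` policy in which the stock `LdapLoginModule` validates the password and the stock `DatabaseServerLoginModule` only contributes roles, using the `password-stacking` option of the JBoss login modules. The policy name, LDAP URL, DN suffix, datasource name and table/column names are placeholders, and it assumes roles come only from the database (the LDAP role-search options are left out).

```xml
<!-- login-config.xml fragment. Added example; every name and value is a placeholder. -->
<application-policy name="ldap-auth-db-roles">
  <authentication>

    <!-- 1. LDAP validates the password. "required" makes the whole login
            fail if this bind fails, whatever the next module does. -->
    <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">
      <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
      <module-option name="java.naming.provider.url">ldap://ldap.example.com:389/</module-option>
      <module-option name="java.naming.security.authentication">simple</module-option>
      <module-option name="principalDNPrefix">uid=</module-option>
      <module-option name="principalDNSuffix">,ou=People,dc=example,dc=com</module-option>
      <!-- On success, publish the validated username/password in the
           JAAS shared state so later modules can reuse them. -->
      <module-option name="password-stacking">useFirstPass</module-option>
    </login-module>

    <!-- 2. Database supplies roles only. With useFirstPass and an identity
            already in the shared state, this module accepts that identity
            and does not run its own password check (principalsQuery). -->
    <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
      <module-option name="dsJndiName">java:/AppRolesDS</module-option>
      <!-- Must return (role name, role group); the group value for
           application roles is the literal 'Roles'. -->
      <module-option name="rolesQuery">SELECT Role, RoleGroup FROM UserRoles WHERE PrincipalID=?</module-option>
      <module-option name="password-stacking">useFirstPass</module-option>
    </login-module>

  </authentication>
</application-policy>
```

Both modules need `password-stacking` set to `useFirstPass`: if the LDAP module does not populate the shared state, the database module falls back to checking the password itself with `principalsQuery`. Keep the LDAP module first and `required` so the database module never becomes the only thing vouching for the user.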