8 Replies Latest reply on Sep 11, 2012 10:25 AM by Robert Brendler

    Mapping ldap groups to jboss roles? where?

    d b Newbie

      hi, i am trying to use active directory together with jboss.

      I am getting authenticated via ldap fine, but it gives me a 403 since it says i do not have the correct role.

      I cannot figure out where the mapping from the ldap groups to the jboss roles should take place.

      In my web.xml i have got

      <security-constraint>
      <web-resource-collection>
      <web-resource-name>Protected Area</web-resource-name>
      <!-- Define the context-relative URL(s) to be protected -->
      <url-pattern>/myprotectedarea/*</url-pattern>
      <!-- If you list http methods, only those methods are protected -->
      </web-resource-collection>
      <auth-constraint>
      <!-- Anyone with one of the listed roles may access this area -->
      <role-name>MyRole</role-name>
      </auth-constraint>
      </security-constraint>

      <security-role>
      The Only Secure Role
      <role-name>MyRole</role-name>
      </security-role>


      How do I map that role-name to the group in ldap?
      I have the same name for the role as the group, but I assume I need to do a mapping somewhere for it, but where and how should I do that?

        • 1. Re: Mapping ldap groups to jboss roles? where?
          Richard Schuller Newbie

          How did you define your Active Directory connection?

          • 3. Re: Mapping ldap groups to jboss roles? where?
            d b Newbie

            thanks for the replies,

            I have read those pages (and all other information I could find)...
            Am I wrong in assuming that I need to do a mapping of my group names in active directory to the role names defined in web.xml?

            this is my login-config.xml

            <application-policy name = "ldap">

            <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
            <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
            <module-option name="java.naming.provider.url">ldap://somedomain.com:389/</module-option>
            <module-option name="java.naming.security">simple</module-option>
            <module-option name="bindDN">username@domain.com</module-option>
            <module-option name="bindCredential">PASSWORD</module-option>
            <module-option name="baseCtxDN">OU=All Users,DC=DOMAIN,DC=COM</module-option>
            <module-option name="baseFilter">(sAMAccountName={0})</module-option>
            <module-option name="rolesCtxDN">OU=AllCorporateGroups,DC=DOMAIN,DC=COM</module-option>
            <module-option name="roleFilter">(member={0})</module-option>
            <module-option name="roleAttributeIsDN">cn</module-option>
            <module-option name="roleAttributeID">memberOf</module-option>
            <module-option name="roleNameAttributeID">cn</module-option>
            <module-option name="roleRecursion">-1</module-option>
            </login-module>

            </application-policy>

            • 4. Re: Mapping ldap groups to jboss roles? where?
              d b Newbie

              hm, had some errors in the above config please ignore it,as far as I can see the code below should be correct
              it still does not work though, same problem: I get authenticated but it says that I do not have the specified role.

              <application-policy name = "ldap">
               <authentication>
               <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
               <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
               <module-option name="java.naming.provider.url">ldap://somedomain.com:389/</module-option>
               <module-option name="java.naming.security">simple</module-option>
               <module-option name="bindDN">username@domain.com</module-option>
               <module-option name="bindCredential">password</module-option>
               <module-option name="baseCtxDN">OU=All Users,DC=DOMAIN,DC=COM</module-option>
               <module-option name="baseFilter">(sAMAccountName={0})</module-option>
               <module-option name="rolesCtxDN">OU=AllCorporateGroups,DC=DOMAIN,DC=COM</module-option>
               <module-option name="roleFilter">(member={1})</module-option>
               <module-option name="roleAttributeIsDN">true</module-option>
               <module-option name="roleAttributeID">memberOf</module-option>
               <module-option name="roleNameAttributeID">cn</module-option>
               <module-option name="roleRecursion">-1</module-option>
               </login-module>
               </authentication>
               </application-policy>
              


              • 5. Re: Mapping ldap groups to jboss roles? where?
                d b Newbie

                works now, had to change the above config to

                ...
                <module-option name="rolesCtxDN">OU=All Users,DC=DOMAIN,DC=COM</module-option>
                <module-option name="roleFilter">(sAMAccountName={0})</module-option>
                ...
                


                • 6. Re: Mapping ldap groups to jboss roles? where?
                  Jaco Joubert Newbie

                  I'm glad you solved the roles problem in your configuration.

                  With this configuration, you are mapping your groups in LDAP directly to the security roles configured in your JBoss deployments. This means that you are effectively using the same group / role names.

                  Does anyone know if it's possible to map your LDAP (or whichever auth store you use) groups to different role names in JBoss.

                  Let's say I have a group called "Administrators" in my LDAP store, but I want to use a role named "app-admin" in my deployed applications. All users in the "Administrators" group should be mapped to "app-admin" for J2EE security purposes.

                  Is there a standard way of doing this mapping, or should I do it in a custom way with my own LoginModule?

                  • 7. Re: Mapping ldap groups to jboss roles? where?
                    Jaco Joubert Newbie

                    I think my role mapping question is basically answered by this thread: http://www.jboss.com/index.html?module=bb&op=viewtopic&t=77709

                    Seems like I'll have to do this mapping myself, as the spec is not clear on this.

                    • 8. Re: Mapping ldap groups to jboss roles? where?
                      Robert Brendler Newbie

                      d b's config works for me, thank you!