0 Replies Latest reply on Sep 22, 2006 3:28 AM by zzzz8

    Stacking login modules or writing a custom login module?

    zzzz8 Newbie

      My company has two LDAP environments in use. One LDAP environment is used to authenticate users. The second LDAP environment is used to retrieve role information. I have already configured my first login module to authenticate a user (I'm using LdapExtLoginModule). However, I'm not sure how to configure the second login module to retrieve role information from the second LDAP environment. I'm using form authentication.

      Normally, I believe this would be fairly easy to use. However, the second LDAP environment that I need to access the role information is a bit unusual (at least in my opinion - however, I'm a newbie, so I may be wrong in my assessment). Normally, one would provide the username and then perform a role search based on that username. However, the second LDAP environment actually stores role information based on another attribute - a user ID number. This attribute is stored as an attribute on the first LDAP environment. However, how can one retrieve this user ID number attribute from the first LDAP environment and pass it to the next stacked login module (the second LDAP environment) for use in the search for roles?

      To make this a little more concrete, I have an example of what I want to happen:

      The user would log in with a username and password on a web page. The LdapExtLoginModule would retrieve the username and password information, pass it to my first LDAP environment for binding, checking for the username/password combination. After the user is authenticated (if the username/password combination checks out), I would like to retrieve an attribute (user ID number) for that user. This user ID number would be passed to the second LDAP environment to be used in the search for user roles.

      Thus the user ID number is passed to the second LDAP environment and somehow used in a search. The second LDAP environment's schema is similar to the following (here's an example):


      So in this case, a group "role" has members 1234, 2345, and 3456. Thus, I have three users that have user ID numbers 1234, 2345, and 3456. There could be another role:


      In this case, we have another role but only a user with a user ID number of 1234 is a member of this role. Unfortunately, this schema in the second LDAP environment does not use usernames, but user ID numbers instead to identify the members of this role...

      With this situation, is it possible to stack the JBoss login modules to authenticate the user and retrieve role information for a user? Or do I have to write a custom login module to accomplish this? If so, how should I write the login module - e.g. extending an existing login module, etc.? I would really appreciate the help. Thanks!
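
The two-step lookup described in the post above, written against plain JNDI as an added example; it is not part of the original post and is not JBoss code. The class, method and parameter names are hypothetical, and the attribute names and base DNs are passed in as parameters because the post's schema listing is not on the page; the caller is assumed to supply an already-connected `DirContext` for each directory.

```java
import java.util.LinkedHashSet;
import java.util.Set;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.DirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

// Added example (hypothetical class and names). Attribute names and base DNs are
// deployment configuration passed in by the caller, never user input.
public final class TwoDirectoryRoleLookup {
    // Step 1: read the user's ID-number attribute from the authentication directory.
    static String findUserId(DirContext authDir, String userBase, String userAttr,
                             String idAttr, String username) throws NamingException {
        // {0} comes from filterArgs, so JNDI escapes filter metacharacters in username.
        NamingEnumeration<SearchResult> hits = authDir.search(userBase,
            "(" + userAttr + "={0})", new Object[] { username }, controls(idAttr));
        try {
            if (!hits.hasMore()) return null;
            Attribute id = hits.next().getAttributes().get(idAttr);
            if (hits.hasMore()) throw new NamingException("ambiguous user entry");
            return id == null ? null : String.valueOf(id.get());
        } finally { hits.close(); }
    }

    // Step 2: names of the role entries whose member attribute holds that ID.
    static Set<String> findRoles(DirContext roleDir, String roleBase, String memberAttr,
                                 String roleNameAttr, String userId) throws NamingException {
        Set<String> roles = new LinkedHashSet<String>();
        if (userId == null) return roles; // no ID found: grant no roles
        NamingEnumeration<SearchResult> hits = roleDir.search(roleBase,
            "(" + memberAttr + "={0})", new Object[] { userId }, controls(roleNameAttr));
        try {
            while (hits.hasMore()) {
                Attribute name = hits.next().getAttributes().get(roleNameAttr);
                if (name != null) roles.add(String.valueOf(name.get()));
            }
        } finally { hits.close(); }
        return roles;
    }

    private static SearchControls controls(String returnedAttr) {
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
        sc.setReturningAttributes(new String[] { returnedAttr });
        return sc;
    }
}
```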