0 Replies Latest reply on Apr 10, 2007 5:10 PM by Doug Barker

    authentication and roles from 2 different ldap servers?

    Doug Barker Newbie

      I'm wondering if it is possible to authenticate users against one ldap server, but then obtain roles for the same user from a different ldap server. The passwords in these two ldap servers are different. The first ldap server has the correct password, but only the second ldap server has the correct role information

      I have tried to set this up using a login-config.xml file that has been excerpted below.
      If I use only the first login-module, I get authenticated properly, but the application does not get the necessary roles. When I include both login-modules I get what appears to be a password failure no matter which password (ldap1 or ldap2) that I use.

      Does anyone know if this is possible and how to do it?

      Thanks, Doug

       <application-policy name="AppName">
       <authentication>
       <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">
       <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
       <module-option name="java.naming.provider.url">ldap://ldap1.domain.com:389/</module-option>
       <module-option name="java.naming.security.authentication">simple</module-option>
       <module-option name="principalDNPrefix">uid=</module-option>
       <module-option name="principalDNSuffix">,cn=users,dc=domain,dc=com</module-option>
       <module-option name="allowEmptyPasswords">false</module-option>
       </login-module>
       <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required" >
       <module-option name="java.naming.provider.url">ldap://ldap2:389</module-option>
       <module-option name="bindDN">uid=admin,ou=people,dc=domain,dc=com</module-option>
       <module-option name="bindCredential">adminapassword</module-option>
       <module-option name="baseCtxDN">ou=people,o=Organization,dc=domain,dc=com</module-option>
       <module-option name="baseFilter">(uid={0})</module-option>
       <module-option name="rolesCtxDN">ou=people,o=Organization,dc=domain,dc=com</module-option>
       <module-option name="roleFilter">(uid={0})</module-option>
       <module-option name="roleAttributeID">nsRoleDN</module-option>
       <module-option name="roleAttributeIsDN">true</module-option>
       <module-option name="roleNameAttributeID">cn</module-option>
       <module-option name="roleRecursion">-1</module-option>
       <module-option name="searchScope">ONELEVEL_SCOPE</module-option>
       </login-module>
       </authentication>
      </application-policy>