0 Replies Latest reply on Apr 10, 2007 5:10 PM by dbarker

    authentication and roles from 2 different ldap servers?

    dbarker

      I'm wondering if it is possible to authenticate users against one ldap server, but then obtain roles for the same user from a different ldap server. The passwords in these two ldap servers are different. The first ldap server has the correct password, but only the second ldap server has the correct role information.

      I have tried to set this up using a login-config.xml file that has been excerpted below.
      If I use only the first login-module, I get authenticated properly, but the application does not get the necessary roles. When I include both login-modules, I get what appears to be a password failure no matter which password (ldap1 or ldap2) I use.

      Does anyone know if this is possible and how to do it?

      Thanks, Doug

       <application-policy name="AppName">
         <authentication>
           <!-- ldap1: holds the correct password. The user's DN is built as
                principalDNPrefix + username + principalDNSuffix and bound with
                the supplied password. -->
           <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">
             <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
             <module-option name="java.naming.provider.url">ldap://ldap1.domain.com:389/</module-option>
             <module-option name="java.naming.security.authentication">simple</module-option>
             <module-option name="principalDNPrefix">uid=</module-option>
             <module-option name="principalDNSuffix">,cn=users,dc=domain,dc=com</module-option>
             <module-option name="allowEmptyPasswords">false</module-option>
           </login-module>
           <!-- ldap2: holds the role information but a different password.
                The service account (bindDN/bindCredential) searches for the
                user under baseCtxDN; roles are read from the nsRoleDN
                attribute, each value being a role DN whose cn is the role name. -->
           <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
             <module-option name="java.naming.provider.url">ldap://ldap2:389</module-option>
             <module-option name="bindDN">uid=admin,ou=people,dc=domain,dc=com</module-option>
             <module-option name="bindCredential">adminapassword</module-option>
             <module-option name="baseCtxDN">ou=people,o=Organization,dc=domain,dc=com</module-option>
             <module-option name="baseFilter">(uid={0})</module-option>
             <module-option name="rolesCtxDN">ou=people,o=Organization,dc=domain,dc=com</module-option>
             <module-option name="roleFilter">(uid={0})</module-option>
             <module-option name="roleAttributeID">nsRoleDN</module-option>
             <module-option name="roleAttributeIsDN">true</module-option>
             <module-option name="roleNameAttributeID">cn</module-option>
             <module-option name="roleRecursion">-1</module-option>
             <module-option name="searchScope">ONELEVEL_SCOPE</module-option>
           </login-module>
         </authentication>
       </application-policy>
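A toy model of JAAS control-flag stacking, added here as an illustration and not code from the post or from JBoss: the two directories are constructed data, `ldap_login_module` stands in for a module that binds as the end user against its own server, and `roles_only_module` for one that reads roles without a user bind. It shows why two `required` modules that both verify the password fail against either password, and how the login behaves once only the first module authenticates.

```python
from functools import partial

# Constructed data (not from the post): ldap1 has the password, ldap2 the roles.
LDAP1 = {"doug": {"password": "correct-horse"}}
LDAP2 = {"doug": {"password": "stale-pw", "roles": ["appuser", "admin"]}}

def ldap_login_module(directory, user, password):
    """Stand-in for a module that binds to its server as the end user,
    so it fails whenever *this* server's password does not match."""
    entry = directory.get(user)
    if entry is None or entry["password"] != password:
        return False, []
    return True, list(entry.get("roles", []))

def roles_only_module(directory, user, password):
    """Stand-in for a module that reads roles with a service account and
    never binds as the user, so it belongs only behind a 'required' module."""
    entry = directory.get(user)
    return entry is not None, list((entry or {}).get("roles", []))

def jaas_login(stack, user, password):
    """Evaluate a JAAS stack of (module, flag) pairs with the standard
    control-flag rules; returns (authenticated, roles)."""
    required_failed = has_required = optional_ok = False
    roles = []
    for module, flag in stack:
        ok, module_roles = module(user, password)
        if ok:
            roles.extend(module_roles)
        if flag in ("required", "requisite"):
            has_required = True
            if not ok:
                required_failed = True
                if flag == "requisite":  # requisite: stop immediately
                    return False, []
        elif flag == "sufficient" and ok and not required_failed:
            return True, roles           # sufficient: short-circuit
        elif flag == "optional" and ok:
            optional_ok = True
    if required_failed or not (has_required or optional_ok):
        return False, []
    return True, roles

# The post's stack: both modules bind as the user, so ldap2 rejects the
# ldap1 password and that 'required' failure sinks the whole login.
POSTED_STACK = [(partial(ldap_login_module, LDAP1), "required"),
                (partial(ldap_login_module, LDAP2), "required")]
# Authenticate on ldap1 only, then read roles from ldap2 without a bind.
SPLIT_STACK = [(partial(ldap_login_module, LDAP1), "required"),
               (partial(roles_only_module, LDAP2), "required")]
```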