1 Reply Latest reply on Sep 28, 2007 2:16 AM by Gerry Matte

    JBoss 4.0.5.GA LdapLoginModule - terminology confusion

    Gerry Matte Newbie

      I have read section 8.5.3.5 LdapLoginModule in the Admin Guide at least twenty times. I have managed to configure this module so that a userid is correctly recognised when attempting to access a protected we page.

      I seem to be totally unable to correctly specify how a users role should be looked up by the login module. I considered myself reasonably knowlegeable in LDAP concepts (up until now).

      Using OpenLDAP as my ldap server, my LDAP server root is dc=saanich,dc=ca
      my users are stored within ou=People
      and my roles are stored within ou=Groups,ou=Webapp-Roles.
      The objects in this context are objectClass=groupOfNames with cn=[role name] and users specified as a set of member=[userDN] attributes.

      Because users are being authenticated accurately but access is being denied when it should be granted, I believe that I must be misinterpreting one of the role related configuration options below.

      I suspect that someone will be able to point out a silly conceptual error somewhere below. Is so, I will be humbly grateful. Thanks in advance.

      =======================
      The login-config.xml is:
      <application-policy name="SaanichIntranet">

      <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">
      <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
      <module-option name="java.naming.provider.url">ldap://IT-Manager:389/</module-option>
      <module-option name="java.naming.security.authentication">simple</module-option>
      <module-option name="principalDNPrefix">cn=</module-option>
      <module-option name="principalDNSuffix">,ou=People,dc=saanich,dc=ca</module-option>
      <module-option name="uidAttributeID">cn</module-option>
      <module-option name="rolesCtxDN">ou=Webapp-Roles,ou=Groups,dc=saanich,dc=ca</module-option>
      <module-option name="roleNameAttributeID">cn</module-option>
      <module-option name="matchOnUserDN">true</module-option>
      <module-option name="roleAttributeID">member</module-option>
      <module-option name="roleAttributeIsDN">true</module-option>
      </login-module>

      </application-policy>

      =======================

        • 1. Re: JBoss 4.0.5.GA LdapLoginModule - terminology confusion
          Gerry Matte Newbie

          It's unfortunate no one was able to suggest using an undocumented version of LdapLoginModule - I found the LdapExtLoginModule by searching the jboss source code. Once I found that, a search of the wikis led me to the excellent posting http://wiki.jboss.org/wiki/Wiki.jsp?page=LdapExtLoginModule and the problem was resolved within hours.

          For the benefit of others trying to use Ldap, don't waste time with the LdapLoginModule described in the Application Server Guide. Go directly to the LdapExtLoginModule for terminology and searching that more closely aligns with LDAP terminology and concepts.

          Below is the login-config.xml that works with my OpenLDAP:

          <!-- GM: Sept 27 2007 - A configuration for webapps using an OpenLDAP running on this server. -->
          <application-policy name="localhostLDAP">

          <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
          <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
          <module-option name="java.naming.provider.url">ldap://127.0.0.1:389/</module-option>
          <module-option name="java.naming.security.authentication">simple</module-option>
          <module-option name="bindDN">cn=administrator,dc=saanich,dc=ca</module-option>
          <module-option name="bindCredential">admin1</module-option>
          <module-option name="baseCtxDN">ou=People,dc=saanich,dc=ca</module-option>
          <module-option name="baseFilter">(cn={0})</module-option>
          <module-option name="rolesCtxDN">ou=Webapp-Roles,ou=Groups,dc=saanich,dc=ca</module-option>
          <module-option name="roleFilter">(member={1})</module-option>
          <module-option name="uidAttributeID">member</module-option>
          <module-option name="roleAttributeID">cn</module-option>
          <module-option name="roleNameAttributeID">cn</module-option>
          <module-option name="roleAttributeIsDN">true</module-option>
          </login-module>

          </application-policy>