0 Replies Latest reply on Oct 21, 2008 3:06 AM by Paolo Filippelli

    LdapExtLoginModule, ActiveDirectory, memberOf chain

    Paolo Filippelli Newbie

      Hello to everybody,

      It's my first post in this forum; I hope that you can help me... By the way, guys, you are doing great work, thank you. :)
      Here's my problem: I'm trying to authenticate against an Active Directory using the LdapExtLoginModule.
      For example, suppose that I have the following situation:

      cn=MyUser,cn=Users,dc=MyDomain,dc=it
      memberOf: CN=FirstGroup,CN=Users,dc=MyDomain,dc=it
      ...
      CN=FirstGroup,CN=Users,dc=MyDomain,dc=it
      member: cn=MyUser,cn=Users,dc=MyDomain,dc=it
      memberOf: CN=SecondGroup,CN=Users,dc=MyDomain,dc=it
      ...
      CN=SecondGroup,CN=Users,dc=MyDomain,dc=it
      member: CN=FirstGroup,CN=Users,dc=MyDomain,dc=it
      


      Here's my JBoss login XML configuration (pasted, with the appropriate modifications, directly from the web page http://www.jboss.org/community/docs/DOC-11251)...

      <application-policy name="ActiveDirectory">
        <authentication>
          <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule"
                        flag="required">
            <module-option name="java.naming.provider.url">ldap://MyHost:389/</module-option>
            <module-option name="bindDN">cn=AnAuthUser,cn=Users,dc=MyDomain,dc=it</module-option>
            <module-option name="bindCredential">ThePassword</module-option>
            <module-option name="baseCtxDN">cn=MyDomain,dc=MyDomain,dc=it</module-option>
            <module-option name="baseFilter">(sAMAccountName={0})</module-option>
            <module-option name="rolesCtxDN">cn=MyDomain,dc=MyDomain,dc=it</module-option>
            <module-option name="roleFilter">(sAMAccountName={0})</module-option>
            <module-option name="roleAttributeID">memberOf</module-option>
            <module-option name="roleAttributeIsDN">true</module-option>
            <module-option name="roleNameAttributeID">cn</module-option>
            <module-option name="roleRecursion">1</module-option>
            <module-option name="searchScope">ONELEVEL_SCOPE</module-option>
          </login-module>
        </authentication>
      </application-policy>
      


      Here's the question... For example, I configured the JMX console to be accessed only by users belonging to the group "SecondGroup", as seen before.
      The jboss-web.xml file in the jmx-console.war/WEB-INF directory is:

      <jboss-web>
        <!-- Uncomment the security-domain to enable security. You will
             need to edit the htmladaptor login configuration to setup the
             login modules used to authentication users.
        <security-domain>java:/jaas/jmx-console</security-domain>
        -->
        <security-domain>java:/jaas/ActiveDirectory</security-domain>
      </jboss-web>
      


      and here is the web.xml file, in the same directory:

      <?xml version="1.0"?>
      <!DOCTYPE web-app PUBLIC
        "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
        "http://java.sun.com/dtd/web-app_2_3.dtd">

      <web-app>
        ...
        <security-constraint>
          <web-resource-collection>
            <web-resource-name>HtmlAdaptor</web-resource-name>
            <description>An example security config that only allows users with the
              role JBossAdmin to access the HTML JMX console web application
            </description>
            <url-pattern>/*</url-pattern>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
          </web-resource-collection>

          <auth-constraint>
            <role-name>SecondGroup</role-name>
          </auth-constraint>
        </security-constraint>

        <login-config>
          <auth-method>BASIC</auth-method>
          <realm-name>JBoss JMX Console</realm-name>
        </login-config>

        <security-role>
          <role-name>SecondGroup</role-name>
        </security-role>
      </web-app>
      


      The user "MyUser" belongs to the group "FirstGroup", which in turn belongs to the group "SecondGroup"... so I expected that it would be possible to authenticate using that user, following the "memberOf chain":

      MyUser ---(memberOf)---> FirstGroup ---(memberOf)---> SecondGroup

      I was not able, however, to write a configuration that could accomplish this task... My question is whether it is possible to do this; I'd be very glad if you could help me.

      Best Regards,

      Paolo
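The "memberOf chain" described in the post, as an added example that is not part of the original post nor JBoss code: a simplified model of the nested-group walk that the posted options roleAttributeID=memberOf, roleAttributeIsDN=true, roleNameAttributeID=cn and roleRecursion=N describe, run over a constructed in-memory stand-in for the quoted Active Directory entries (plus a constructed cyclic variant, since a group chain that loops back on itself must not hang the login). It is a model of the walk, not the module's own search logic.

```python
# Added example (not from the original post or from JBoss): a simplified
# model of the nested-group walk the posted module-options describe
# (roleAttributeID=memberOf, roleAttributeIsDN=true, roleNameAttributeID=cn,
# roleRecursion=N). DIRECTORY is a constructed stand-in for the AD entries
# quoted in the post; keys are lower-cased (DNs compare case-insensitively).
DIRECTORY = {
    "cn=myuser,cn=users,dc=mydomain,dc=it": {
        "memberOf": ["CN=FirstGroup,CN=Users,dc=MyDomain,dc=it"]},
    "cn=firstgroup,cn=users,dc=mydomain,dc=it": {
        "memberOf": ["CN=SecondGroup,CN=Users,dc=MyDomain,dc=it"]},
    "cn=secondgroup,cn=users,dc=mydomain,dc=it": {},
}

# Constructed variant with a membership cycle (SecondGroup also listed as a
# member of FirstGroup); the walk must still terminate on it.
CYCLIC_DIRECTORY = {dn: dict(attrs) for dn, attrs in DIRECTORY.items()}
CYCLIC_DIRECTORY["cn=secondgroup,cn=users,dc=mydomain,dc=it"]["memberOf"] = [
    "CN=FirstGroup,CN=Users,dc=MyDomain,dc=it"]


def rdn_value(dn, attr):
    """Value of the first RDN of `dn` whose type is `attr` (case-insensitive);
    this is the name roleAttributeIsDN=true + roleNameAttributeID=cn selects.
    Escaped commas inside RDN values are not handled."""
    for rdn in dn.split(","):
        typ, _, value = rdn.strip().partition("=")
        if typ.lower() == attr.lower():
            return value
    return None


def resolve_roles(directory, user_dn, role_attr="memberOf", name_attr="cn",
                  recursion=0):
    """Follow `role_attr` from the user entry, then from each group entry,
    for at most `recursion` levels below the user's direct groups. Returns
    the set of role names; `visited` keeps a cyclic chain from re-walking."""
    roles, visited = set(), set()
    frontier = [user_dn.lower()]
    for _level in range(recursion + 1):  # level 0 = the user's own memberOf
        next_frontier = []
        for dn in frontier:
            if dn in visited:
                continue
            visited.add(dn)
            for group_dn in directory.get(dn, {}).get(role_attr, []):
                name = rdn_value(group_dn, name_attr)
                if name is not None:
                    roles.add(name)
                next_frontier.append(group_dn.lower())
        frontier = next_frontier
    return roles
```

With recursion=0 the walk yields only FirstGroup; with recursion=1 it yields FirstGroup and SecondGroup, which is the chain the post expects to satisfy the SecondGroup role constraint.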