1 Reply Latest reply on Dec 4, 2009 5:17 AM by Johan Janssen

    Problem combining two loginmodules for SSO with Active Direc

    Johan Janssen Newbie

      For SSO in Windows Server 2008 we would like to use Kerberos so the user does not have to type in his/her username/password again for our application. Further, we need the users' roles/groups from Active Directory to restrict access to our application.

      The solution I tried was to combine Krb5LoginModule with LdapExtLoginModule, but they do not work together in my case. If I use the Krb5LoginModule I can use SSO; if I use the LdapExtLoginModule I can retrieve the roles after entering my username/password again. But combining them for SSO and roles does not work.

      If my research is correct, then the problem is that the Krb5LoginModule returns a user of the form "username@domain" while the LdapExtLoginModule expects just "username". But I could not find a solution for that. Is there a solution for this problem, or is there perhaps another LoginModule that could be used?

      The code we are using is the following:

      <application-policy name="kerberos">
        <authentication>
          <!-- First module: Kerberos authentication (SSO), no LDAP lookup -->
          <login-module code="com.sun.security.auth.module.Krb5LoginModule" flag="required">
            <module-option name="debug">true</module-option>
            <module-option name="storeKey">true</module-option>
            <module-option name="storePass">true</module-option>
          </login-module>
          <!-- Second module: role lookup in Active Directory via LDAP -->
          <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
            <module-option name="debug">true</module-option>
            <module-option name="java.naming.provider.url">ldap://$ip$:389</module-option>
            <module-option name="bindDN">cn=$Username$, cn=Users, dc=$domain$, dc=$domainextension$</module-option>
            <module-option name="bindCredential">$password$</module-option>
            <module-option name="baseCtxDN">cn=Users,dc=$domain$,dc=$domainextension$</module-option>
            <module-option name="baseFilter">(sAMAccountName={0})</module-option>
            <module-option name="rolesCtxDN">cn=Users,dc=$domain$,dc=$domainextension$</module-option>
            <module-option name="roleFilter">(sAMAccountName={0})</module-option>
            <module-option name="roleAttributeID">memberOf</module-option>
            <module-option name="roleAttributeIsDN">true</module-option>
            <module-option name="roleNameAttributeID">cn</module-option>
            <module-option name="searchScope">ONELEVEL_SCOPE</module-option>
            <module-option name="allowEmptyPasswords">false</module-option>
          </login-module>
        </authentication>
      </application-policy>
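The post describes the mismatch between the "username@domain" principal that Krb5LoginModule produces and the bare account name that the (sAMAccountName={0}) filter expects. The following is an added example, not code from the original post or from JBoss, showing how such a mapping should be done if one writes it oneself: the class name, method names and the realm EXAMPLE.COM are assumptions. The point a practitioner should not skip is that the realm must be checked before the name is stripped; with a cross-realm trust in place, "jdoe@OTHER.COM" must not be mapped onto the local "jdoe" account just because the part before the '@' matches. The value is also escaped per RFC 4515 before it is put into an LDAP filter.

```java
import java.util.Locale;

/**
 * Added example (hypothetical class, not part of the original post or of JBoss):
 * maps a Kerberos principal such as "jdoe@EXAMPLE.COM", as returned by
 * Krb5LoginModule, to the bare account name an LDAP filter like
 * (sAMAccountName={0}) expects, refusing principals from other realms.
 */
public final class KerberosPrincipalMapper {

    private final String expectedRealm;

    /** expectedRealm is the Kerberos realm this application trusts, e.g. "EXAMPLE.COM" (assumed). */
    public KerberosPrincipalMapper(String expectedRealm) {
        this.expectedRealm = expectedRealm.toUpperCase(Locale.ROOT);
    }

    /**
     * Returns the account name for a user principal, or throws if the principal
     * is malformed, is a service principal, or belongs to a realm other than
     * the trusted one. Realm names are compared case-insensitively; the user
     * part is returned unchanged (sAMAccountName lookups in AD are case-insensitive).
     */
    public String toAccountName(String principal) {
        if (principal == null || principal.isEmpty()) {
            throw new IllegalArgumentException("empty principal");
        }
        int at = principal.lastIndexOf('@');
        if (at <= 0 || at == principal.length() - 1) {
            throw new IllegalArgumentException("principal is not of the form user@REALM: " + principal);
        }
        String user = principal.substring(0, at);
        String realm = principal.substring(at + 1).toUpperCase(Locale.ROOT);
        if (!realm.equals(expectedRealm)) {
            // Do not silently strip a foreign realm: that would let a user from a
            // trusted realm be looked up as the local account of the same name.
            throw new SecurityException("unexpected realm " + realm + " in principal " + principal);
        }
        if (user.indexOf('/') >= 0) {
            // "HTTP/host@REALM" and similar are service principals, not user accounts.
            throw new IllegalArgumentException("service principal is not a user: " + principal);
        }
        return user;
    }

    /** Escapes a value for use inside an LDAP search filter (RFC 4515 section 3). */
    public static String escapeFilterValue(String value) {
        StringBuilder sb = new StringBuilder(value.length());
        for (char c : value.toCharArray()) {
            switch (c) {
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\\': sb.append("\\5c"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Builds the same kind of filter the baseFilter/roleFilter options in the post use. */
    public String accountFilter(String principal) {
        return "(sAMAccountName=" + escapeFilterValue(toAccountName(principal)) + ")";
    }

    public static void main(String[] args) {
        KerberosPrincipalMapper mapper = new KerberosPrincipalMapper("EXAMPLE.COM");
        String[] samples = {            // constructed sample principals
            "jdoe@EXAMPLE.COM",
            "jdoe@example.com",
            "a(b)*c@EXAMPLE.COM",
            "jdoe@OTHER.COM",
            "HTTP/app.example.com@EXAMPLE.COM",
            "jdoe"
        };
        for (String p : samples) {
            try {
                System.out.println(p + " -> " + mapper.accountFilter(p));
            } catch (RuntimeException e) {
                System.out.println(p + " -> rejected: " + e.getMessage());
            }
        }
    }
}
```

One caveat when applying this to Active Directory: the part of a Kerberos principal before the '@' is the account's userPrincipalName prefix, which is normally, but not necessarily, equal to its sAMAccountName. Where the two can differ, search on userPrincipalName with the full principal instead of stripping the realm.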