25 Replies Latest reply on Jul 15, 2009 12:11 PM by peterj
      • 15. Re: Tutorial for setup of Authentication in JBoss?

        Thanks Peter.

        Can we just use the same DN that includes a lot of other information (other attributes), such as "UserClass", "DeptCode", ...?

        How do we use these attributes for the role checking? How do we set it in the LDAP auth module?

        • 16. Re: Tutorial for setup of Authentication in JBoss?
          peterj

          Yes, you can use such a DN. You need to set the role attributes such that the result is, for example, the value for DeptCode.

          • 17. Re: Tutorial for setup of Authentication in JBoss?

            In my Jun 4, 2009 email, I showed the setting that sets the role attribute to "userClass" (the same kind of attribute as "DeptCode").

            So, based on my setting, I don't know what's wrong.

            • 18. Re: Tutorial for setup of Authentication in JBoss?

              Peter,

              Can you help me?

              • 19. Re: Tutorial for setup of Authentication in JBoss?

                Hi all,

                I do not know what is wrong in my setting. I still fail to use LDAP login module. Can anyone help?

                • 20. Re: Tutorial for setup of Authentication in JBoss?
                  peterj

                  Here are a few things to try.

                  1) Set roleAttributeIsDN to false. Looking at the code it appears that if this is false then the role is assumed to be the attribute's value (that is, the value of userClass in your example).

                  Also, set TRACE logging for the "org.jboss.security.auth.spi" package - once the LDAP login module gathers all of the necessary info to look up the role it prints the info to the log if TRACE is set. It also prints out information about what it finds.

                  2) The LdapExtLoginModule has a defaultRole option that might do what you want; it appears to assign a role to all logged-in users. You would have to change the config to look something like this:

                  <application-policy name="ldapLogin">
                    <authentication>
                      <login-module flag="required" code="org.jboss.security.auth.spi.LdapExtLoginModule">
                        <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
                        <module-option name="java.naming.provider.url">ldap://ldap.my.com:389/</module-option>
                        <module-option name="java.naming.security.authentication">simple</module-option>
                        <module-option name="bindDN">--account with ldap access--</module-option>
                        <module-option name="bindCredential">--password for that account--</module-option>
                        <module-option name="baseCtxDN">ou=people,o=my.com</module-option>
                        <module-option name="baseFilter">(uid={0})</module-option>
                        <module-option name="defaultRole">xxx</module-option>
                      </login-module>
                    </authentication>
                  </application-policy>

                  Unfortunately the LdapExtLoginModule does not provide that much information when logging is set to TRACE.

                  • 21. Re: Tutorial for setup of Authentication in JBoss?

                    Thanks a lot. Peter.

                    The "roleAttributeIsDN" is set to false. However, I still fail to access the webpage. From the trace log, it shows that the authentication is OK but the authorization fails. The main problem is caused by role checking. Even though I set TRACE logging for "org.jboss.security.auth.spi", there is no information or message about authorization in the trace log.

                    I also set "searchScope" to "ONELEVEL_SCOPE" or SUBTREE_SCOPE. It still fails.

                    How can I set logging for authorization? What else can we do?

                    Thanks for any help.

                    • 22. Re: Tutorial for setup of Authentication in JBoss?
                      peterj

                      defaultRole doesn't work exactly as I expected - you still need to provide role search info. But here is something that worked for me. I want anyone who logs in to have the "loggedin" role, and I want to use only that role in web.xml (and other locations) to provide access control. I was able to do this with the following login module (with obfuscated data; this is for Exchange 2003, which doesn't allow anonymous access, hence the bindDN entry):

                      <application-policy name="peterj">
                        <authentication>
                          <login-module flag="required" code="org.jboss.security.auth.spi.LdapExtLoginModule">
                            <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
                            <module-option name="java.naming.provider.url">ldap://xxx:389/</module-option>
                            <module-option name="java.naming.security.authentication">simple</module-option>
                            <module-option name="bindDN">--full DN for my account--</module-option>
                            <module-option name="bindCredential">--my password--</module-option>
                            <module-option name="baseCtxDN">OU=Users,OU=xxx,OU=xxx,OU=xxx,DC=xxx,DC=xxx,DC=xxx,DC=com</module-option>
                            <module-option name="baseFilter">(sAMAccountName={0})</module-option>
                            <module-option name="defaultRole">loggedin</module-option>
                            <module-option name="rolesCtxDN">OU=Groups,OU=xxx,OU=xxx,OU=xxx,DC=xxx,DC=xxx,DC=xxx,DC=com</module-option>
                            <module-option name="roleFilter">(member={1})</module-option>
                            <module-option name="roleAttributeIsDN">true</module-option>
                            <module-option name="roleNameAttributeID">name</module-option>
                          </login-module>
                        </authentication>
                      </application-policy>

                      In typical Exchange fashion, all users are defined in OU=Users, and they belong to security groups defined by OU=Groups. The groups have an attribute named "member" which contains the users in that role.

                      I will now see if there is any way I can look up a simple attribute value of the User to set a role, but offhand I don't see anything in LdapExtLoginModule that will let me do this. If that fails, I will try using LdapLoginModule.

                      • 23. Re: Tutorial for setup of Authentication in JBoss?

                        Thanks Peter.

                        We may be going in the wrong direction for LDAP authentication.
                        First, I think our LDAP server has a flat LDAP structure and thus I only use "LdapLoginModule" to test. In your config, you use "LdapExtLoginModule".

                        I am still trying different parameters for the "role checking" config in "LdapLoginModule". Authentication is still OK but authorization fails.

                        By the way, Peter, can we write a custom login module? When I searched this topic, I only found this article "http://www.jboss.org/community/wiki/CreatingACustomLoginModule", but it is not a full custom login module, it just extends the existing one. Is there any document that teaches us how to write a login module?

                        Thanks for any help.

                        • 24. Re: Tutorial for setup of Authentication in JBoss?

                          Hi all,

                          Good news! Finally, with trial and error setting different parameters, I can get LdapLoginModule to work fine now.

                          Now I try to figure out the alternate setting for Ldap login.

                          Sharing our OK config:
                          --------------------------------------------------------------------------------------
                          <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">
                            <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
                            <module-option name="java.naming.provider.url">ldap://ldap.ust.hk/</module-option>
                            <module-option name="java.naming.security.authentication">simple</module-option>
                            <module-option name="principalDNPrefix">uid=</module-option>
                            <module-option name="principalDNSuffix">,ou=people,o=my.com</module-option>
                            <module-option name="rolesCtxDN">ou=people,o=my.com</module-option>
                            <module-option name="uidAttributeID">uid</module-option>
                            <module-option name="matchOnUserDN">false</module-option>
                            <module-option name="roleAttributeID">userClass</module-option>
                            <module-option name="roleAttributeIsDN">false</module-option>
                            <module-option name="searchTimeLimit">50000</module-option>
                            <module-option name="searchScope">ONELEVEL_SCOPE</module-option>
                          </login-module>
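The two role lookups this thread ends up with, post 22's group-membership search (LdapExtLoginModule, roleFilter (member={1}), roleAttributeIsDN=true, role name taken from the group's name attribute) and post 24's flat-directory lookup (LdapLoginModule, rolesCtxDN=ou=people, roleAttributeIsDN=false, role taken from the user's own userClass value), modelled in Python as an added example. This is not JBoss code: it is a simplified in-memory model of the option semantics discussed above, run over a constructed directory, and it also shows that in this model a plain attribute value combined with roleAttributeIsDN=true produces no role at all.

```python
# Added example (not JBoss code): a simplified in-memory model of how the two
# login modules in this thread turn their module-options into roles.

# Constructed directory: DN -> attributes. The first two entries mirror the flat
# ou=people tree of post 24; the rest mirror the AD Users/Groups layout of post 22.
DIRECTORY = {
    "uid=alice,ou=people,o=my.com": {"uid": ["alice"], "userClass": ["staff"]},
    "uid=bob,ou=people,o=my.com": {"uid": ["bob"], "userClass": ["student", "ta"]},
    "CN=alice,OU=Users,DC=example,DC=com": {"sAMAccountName": ["alice"]},
    "CN=Admins,OU=Groups,DC=example,DC=com": {
        "name": ["Admins"], "member": ["CN=alice,OU=Users,DC=example,DC=com"]},
}


def search(base_dn, attr, value):
    """Equality search under base_dn, i.e. the LDAP filter (attr=value)."""
    return [dn for dn, attrs in DIRECTORY.items()
            if dn.lower().endswith("," + base_dn.lower())
            and value in attrs.get(attr, [])]


def flat_roles(username, roles_ctx_dn, uid_attr, role_attr,
               role_attr_is_dn, role_name_attr="name"):
    """LdapLoginModule-style lookup (post 24): find the user's own entry under
    rolesCtxDN via uidAttributeID and read roleAttributeID from it. With
    roleAttributeIsDN=true each value is treated as the DN of a role entry whose
    roleNameAttributeID gives the name, so a plain value like 'staff' yields nothing."""
    roles = []
    for dn in search(roles_ctx_dn, uid_attr, username):
        for value in DIRECTORY[dn].get(role_attr, []):
            if role_attr_is_dn:
                roles.extend(DIRECTORY.get(value, {}).get(role_name_attr, []))
            else:
                roles.append(value)
    return roles


def group_roles(user_dn, roles_ctx_dn, member_attr, role_name_attr,
                default_role=None):
    """LdapExtLoginModule-style lookup (post 22): roleFilter (member={1}) finds every
    group under rolesCtxDN listing the user's DN, and with roleAttributeIsDN=true the
    group's roleNameAttributeID value is the role. defaultRole is added for everyone."""
    roles = [default_role] if default_role else []
    for group_dn in search(roles_ctx_dn, member_attr, user_dn):
        roles.extend(DIRECTORY[group_dn].get(role_name_attr, []))
    return roles
```

Comparing the two lookups side by side is the quickest way to see whether a failed authorization comes from the filter not matching any entry or from the role attribute being read with the wrong roleAttributeIsDN setting.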

                          • 25. Re: Tutorial for setup of Authentication in JBoss?
                            peterj

                            can we write a custom login module?

                            Yes, you can. You can use any of the existing login modules as a guideline. Most likely you will want to subclass the UsernamePasswordLoginModule class.
