1 Reply Latest reply on Mar 5, 2007 5:26 PM by Peter Johnson

    ldap

    Philip Priest Newbie

      I have installed jboss-portal-2.4.1 and I need to auth against an LDAP server. From the wiki I have done this:

      I have updated $JBOSS_HOME\server\default\deploy\jboss-portal.sar\conf\login-config.xml:

      <?xml version='1.0'?>
      <!--~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      ~ JBoss, a division of Red Hat ~
      ~ Copyright 2006, Red Hat Middleware, LLC, and individual ~
      ~ contributors as indicated by the @authors tag. See the ~
      ~ copyright.txt in the distribution for a full listing of ~
      ~ individual contributors. ~
      ~ ~
      ~ This is free software; you can redistribute it and/or modify it ~
      ~ under the terms of the GNU Lesser General Public License as ~
      ~ published by the Free Software Foundation; either version 2.1 of ~
      ~ the License, or (at your option) any later version. ~
      ~ ~
      ~ This software is distributed in the hope that it will be useful, ~
      ~ but WITHOUT ANY WARRANTY; without even the implied warranty of ~
      ~ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ~
      ~ Lesser General Public License for more details. ~
      ~ ~
      ~ You should have received a copy of the GNU Lesser General Public ~
      ~ License along with this software; if not, write to the Free ~
      ~ Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA ~
      ~ 02110-1301 USA, or see the FSF site: http://www.fsf.org. ~
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~-->

      <!DOCTYPE policy PUBLIC
      "-//JBoss//DTD JBOSS Security Config 3.0//EN"
      "http://www.jboss.org/j2ee/dtd/security_config.dtd">

      <!-- The DTD requires a policy root and an authentication element around each
           module list; both were missing from the paste and are restored here. -->
      <policy>

      <!-- For the JCR CMS -->
      <application-policy name="cms">
      <authentication>
      <login-module code="org.apache.jackrabbit.core.security.SimpleLoginModule" flag="required"/>
      </authentication>
      </application-policy>

      <application-policy name="portal">
      <authentication>
      <!-- Portal's own identity store; "sufficient" means a success here ends the chain -->
      <login-module code="org.jboss.portal.identity.auth.IdentityLoginModule" flag="sufficient">
      <module-option name="unauthenticatedIdentity">guest</module-option>
      <module-option name="userModuleJNDIName">java:/portal/UserModule</module-option>
      <module-option name="roleModuleJNDIName">java:/portal/RoleModule</module-option>
      <module-option name="additionalRole">Authenticated</module-option>
      <module-option name="password-stacking">useFirstPass</module-option>
      </login-module>
      <!-- LDAP: search below baseCtxDN for the user, bind as the DN found,
           then search below rolesCtxDN for the user's roles -->
      <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
      <module-option name="java.naming.factory.initial">
      com.sun.jndi.ldap.LdapCtxFactory
      </module-option>
      <module-option name="java.naming.provider.url">
      ldap://localhost:389/
      </module-option>
      <module-option name="java.naming.security.authentication">
      simple
      </module-option>
      <module-option name="baseCtxDN">ou=People,o=ITS</module-option>
      <module-option name="baseFilter">(uid={0})</module-option>
      <module-option name="rolesCtxDN">ou=Groups,o=ITS</module-option>
      <module-option name="roleFilter">(member={1})</module-option>
      <module-option name="roleAttributeID">member</module-option>
      <module-option name="roleRecursion">-1</module-option>
      <module-option name="roleNameAttributeID">cn</module-option>
      <module-option name="roleAttributeIsDN">true</module-option>
      <module-option name="searchTimeLimit">5000</module-option>
      <module-option name="searchScope">SUBTREE_SCOPE</module-option>
      </login-module>
      </authentication>
      </application-policy>

      </policy>


      How do I go about testing that I can auth against the LDAP server? I can do an
      ldapsearch -x from one of my clients and see the DB.

      thanks
      Phil

        • 1. Re: ldap
          Peter Johnson Master

          Here's what I did. I created a simple web app with a few html pages, some within directories, and set up security in the web.xml to restrict access to the directories based on an ldap group.

          When things were not working for me, I added quite a bit of logging code to the ldap login module class. That helped me understand what was going on and why things were not working for me.

          Eventually, I got the ldap queries correct and my simple web app worked correctly.
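To reason about the posted module options before touching the server, here is an added Python model (not JBoss code, and not something either poster ran) of the lookup sequence the LdapExtLoginModule options describe: search baseCtxDN with baseFilter ({0} = the login name) to get the user's DN, bind as that DN with the supplied password, then search rolesCtxDN with roleFilter ({1} = the user's DN), read roleAttributeID from each match, resolve each value through roleNameAttributeID when roleAttributeIsDN is true, and repeat the search with the matched group's DN while the nesting level is below roleRecursion. The directory, users, groups and plaintext passwords are constructed for the model, and the filter parser only handles the (attr=value) form used in the posted config. One thing the model makes visible: with the posted values roleAttributeID=member and roleAttributeIsDN=true it reads the cn of the group's members rather than the group's own cn, which is exactly the sort of thing the extra logging in the reply would reveal; the second option set reads cn from the group entry instead. How the real module treats roleRecursion=-1 is not something I verified; the model treats the value as a maximum nesting depth, so anything below 1 disables recursion here.

```python
"""Offline model of the user-search / bind / role-search sequence that the
LdapExtLoginModule options describe.  Added example: a reasoning aid for the
module-option values, not the module's own code and not a replacement for a
test against the real server."""
import re

# Constructed sample directory: DN -> {attribute: [values]}.  Passwords are
# plaintext only because this is an in-memory model; a real server verifies
# the bind itself and never hands them out.
DIRECTORY = {
    "uid=phil,ou=People,o=ITS": {"uid": ["phil"], "cn": ["Phil Priest"], "userPassword": ["s3cret"]},
    "uid=alice,ou=People,o=ITS": {"uid": ["alice"], "cn": ["Alice"], "userPassword": ["hunter2"]},
    "cn=portal-users,ou=Groups,o=ITS": {"cn": ["portal-users"], "member": ["uid=phil,ou=People,o=ITS"]},
    "cn=admins,ou=Groups,o=ITS": {"cn": ["admins"], "member": ["cn=portal-users,ou=Groups,o=ITS"]},
    "cn=staff,ou=Groups,o=ITS": {"cn": ["staff"], "member": ["uid=alice,ou=People,o=ITS"]},
}

# Option set as posted in the thread (role attribute read as a DN).
POSTED_ROLE_OPTS = {
    "baseCtxDN": "ou=People,o=ITS", "baseFilter": "(uid={0})",
    "rolesCtxDN": "ou=Groups,o=ITS", "roleFilter": "(member={1})",
    "roleAttributeID": "member", "roleAttributeIsDN": True,
    "roleNameAttributeID": "cn", "roleRecursion": -1,
}
# Variant that takes the matched group's cn as the role name and follows
# two levels of nested groups (assumed values for the model).
GROUP_NAME_OPTS = dict(POSTED_ROLE_OPTS, roleAttributeID="cn", roleAttributeIsDN=False, roleRecursion=2)

_EQ = re.compile(r"^\((\w+)=([^)]*)\)$")


def search(directory, base_dn, filter_template, args):
    """SUBTREE_SCOPE search supporting only (attr=value) filters; {0}, {1}
    are substituted from args the way JNDI fills filter arguments."""
    flt = filter_template
    for i, arg in enumerate(args):
        flt = flt.replace("{%d}" % i, arg)
    match = _EQ.match(flt)
    if not match:
        raise ValueError("model only supports (attr=value) filters: " + flt)
    attr, value = match.group(1), match.group(2)
    return [dn for dn, entry in directory.items()
            if dn.lower().endswith("," + base_dn.lower()) and value in entry.get(attr, [])]


def find_user_dn(directory, base_ctx_dn, base_filter, username):
    """Step 1: locate the user's DN; no match means the login fails."""
    hits = search(directory, base_ctx_dn, base_filter, [username])
    if not hits:
        raise LookupError("Search of baseDN(%s) found no matches" % base_ctx_dn)
    return hits[0]


def bind(directory, dn, password):
    """Step 2: the module re-binds as the found DN with the supplied password."""
    return password in directory.get(dn, {}).get("userPassword", [])


def find_roles(directory, opts, username, user_dn):
    """Step 3: role search.  Each matched entry's roleAttributeID values are
    role names, or (roleAttributeIsDN) DNs whose roleNameAttributeID is read.
    Recursion re-runs the search with the group DN as {1}; 'visited' guards
    the model against membership cycles."""
    roles, visited = set(), set()

    def walk(dn, nesting):
        for group_dn in search(directory, opts["rolesCtxDN"], opts["roleFilter"], [username, dn]):
            if group_dn in visited:
                continue
            visited.add(group_dn)
            for value in directory[group_dn].get(opts["roleAttributeID"], []):
                if opts["roleAttributeIsDN"]:
                    roles.update(directory.get(value, {}).get(opts["roleNameAttributeID"], []))
                else:
                    roles.add(value)
            if nesting < opts["roleRecursion"]:  # model's reading of roleRecursion
                walk(group_dn, nesting + 1)

    walk(user_dn, 0)
    return roles


def authenticate(directory, opts, username, password):
    """Whole sequence: the role set on success, None when the bind fails."""
    user_dn = find_user_dn(directory, opts["baseCtxDN"], opts["baseFilter"], username)
    if not bind(directory, user_dn, password):
        return None
    return find_roles(directory, opts, username, user_dn)


if __name__ == "__main__":
    for label, opts in (("posted options", POSTED_ROLE_OPTS), ("group cn as role", GROUP_NAME_OPTS)):
        print(label, "->", sorted(authenticate(DIRECTORY, opts, "phil", "s3cret")))
```

Swap the constructed directory for entries copied from an ldapsearch of the real tree and the model shows which names the option set would hand to the portal as roles; the bind itself still has to be tested against the server, for instance by binding with the found DN as the poster's ldapsearch -x client already can.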