3 Replies Latest reply on Jan 30, 2009 12:44 PM by peterj

    ldapLoginModule Config for Multiple OU tree structure

    svanho

      I'm not a JBoss programmer, but I do need help trying to configure JBoss for a JBoss application that authenticates to our Novell eDirectory LDAP tree. What I can't figure out is how to authenticate a user quickly if they reside in one of many OUs. For example, a user's DN might be cn=jdoe,ou=Staff,ou=CO,O=NISD. A user at another campus might be cn=jsmith,ou=Staff,ou=NHS,O=NISD. We have figured out how to stack multiple login modules using the "optional" flag so that it tries to authenticate the user against each possible OU. Also, the useFirstPass option means that once the user authenticates in one module, the rest of the optional modules are skipped. An example:

      <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="optional">
        <module-option name="password-stacking">useFirstPass</module-option>
        <module-option name="java.naming.provider.url">ldap://[server]:389</module-option>
        <module-option name="java.naming.security.authentication">simple</module-option>
        <module-option name="principalDNPrefix">cn=</module-option>
        <module-option name="principalDNSuffix">,ou=staff,ou=CO,O=NISD</module-option>
        <module-option name="allowEmptyPasswords">false</module-option>
      </login-module>

      <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="optional">
        <module-option name="password-stacking">useFirstPass</module-option>
        <module-option name="java.naming.provider.url">ldap://[server]:389</module-option>
        <module-option name="java.naming.security.authentication">simple</module-option>
        <module-option name="principalDNPrefix">cn=</module-option>
        <module-option name="principalDNSuffix">,ou=staff,ou=NHS,O=NISD</module-option>
        <module-option name="allowEmptyPasswords">false</module-option>
      </login-module>

      The tricky part is that we have users in 19 different OUs, and each authentication attempt takes 3 seconds. So anyone in an OU at the bottom of the stacked list takes 57 seconds (19 * 3) to authenticate. Also, anyone entering a bad password has to wait 57 seconds to find out, since the stacked list has to go to the bottom to make sure none of the modules succeeded.

      Is there a way to do this with one module that does a subtree search instead of one module for each OU? The documented subtree options only seem to apply to role queries, not user authentication. In this case, our role query is done against a database, and we only need to check the user's name and password. I know LDAP URLs have syntax for subtree searches, but trying to embed the syntax in the provider, principalDNPrefix, or principalDNSuffix options hasn't worked.

        • 1. Re: ldapLoginModule Config for Multiple OU tree structure
          peterj

          You could try using org.jboss.security.auth.spi.LdapExtLoginModule, and setting baseCtxDN and baseFilter, like this:

          <application-policy name="ldapLogin">
            <authentication>
              <login-module flag="required" code="org.jboss.security.auth.spi.LdapExtLoginModule">
                ...
                <module-option name="baseCtxDN">dc=org</module-option>
                <module-option name="baseFilter">(cn={0})</module-option>
                ...
              </login-module>
            </authentication>
          </application-policy>


          • 2. Re: ldapLoginModule Config for Multiple OU tree structure
            svanho

            So for example:

            <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
              <module-option name="java.naming.provider.url">ldap://[server]:389</module-option>
              <module-option name="java.naming.security.authentication">simple</module-option>
              <module-option name="bindDN">cn=[searchuser],O=NISD</module-option>
              <module-option name="bindCredential">[password]</module-option>
              <module-option name="baseCtxDN">O=NISD</module-option>
              <module-option name="baseFilter">(cn={0})</module-option>
              <module-option name="allowEmptyPasswords">false</module-option>
            </login-module>


            Where [searchuser] is a user that can search the tree, and [password] is the password for that user. Do I have to specify something extra to make it do a subtree search or does it automatically do that?

            • 3. Re: ldapLoginModule Config for Multiple OU tree structure
              peterj

              The LdapExtLoginModule should automatically do a subtree search.
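Added example, not from the thread or from JBoss: a constructed in-memory model of the two approaches discussed above, counting LDAP binds so the cost difference the original post describes is visible. It assumes the tree layout from the thread (cn=<user>,ou=Staff,ou=<campus>,O=NISD), a `(cn={0})` baseFilter under baseCtxDN=O=NISD, and made-up campus names beyond CO and NHS; it also assumes an ambiguous search (same cn in two OUs) should be refused rather than guessed at.

```python
"""Constructed model: stacked LdapLoginModules (one bind per OU) versus
LdapExtLoginModule (one search bind, one subtree search, one user bind).
Not JBoss code; the directory entries and passwords are made up."""

# Constructed stand-in for the eDirectory tree: lowercase DN -> (cn, password).
DIRECTORY = {
    "cn=jdoe,ou=staff,ou=co,o=nisd": ("jdoe", "correct-horse"),
    "cn=jsmith,ou=staff,ou=nhs,o=nisd": ("jsmith", "battery-staple"),
}
# The 19 campus OUs from the thread; names other than CO and NHS are invented.
CAMPUS_OUS = ["CO", "NHS"] + [f"C{i:02d}" for i in range(17)]

def simple_bind(dn: str, password: str) -> bool:
    """Model of an LDAP simple bind: an existing DN with the right password."""
    entry = DIRECTORY.get(dn.lower())
    return entry is not None and entry[1] == password

def stacked_login(username: str, password: str) -> tuple[bool, int]:
    """Stacked optional LdapLoginModules: cn=<user>,<suffix> is bound for each OU
    in turn until one succeeds. Returns (authenticated, number of binds)."""
    binds = 0
    for ou in CAMPUS_OUS:
        binds += 1
        if simple_bind(f"cn={username},ou=staff,ou={ou},O=NISD", password):
            return True, binds  # useFirstPass: the remaining modules are skipped
    return False, binds         # a bad password walks the whole list

def subtree_search(base_ctx_dn: str, base_filter: str, username: str) -> list[str]:
    """Model of the LdapExtLoginModule search: {0} is the login name and the scope
    is the whole subtree under baseCtxDN. Only the (cn={0}) filter is modelled."""
    assert base_filter == "(cn={0})", "only the filter used in the thread is modelled"
    suffix = "," + base_ctx_dn.lower()
    return [dn for dn, (cn, _) in DIRECTORY.items()
            if dn.endswith(suffix) and cn == username.lower()]

def ext_login(username: str, password: str, base_ctx_dn: str = "O=NISD",
              base_filter: str = "(cn={0})") -> tuple[bool, int]:
    """LdapExtLoginModule flow: bind as bindDN, search, then bind as the DN found.
    Returns (authenticated, number of binds) regardless of which OU holds the user."""
    binds = 1  # the bindDN/bindCredential bind that runs the search
    matches = subtree_search(base_ctx_dn, base_filter, username)
    if len(matches) != 1:
        # Unknown user, or the same cn in more than one OU (ambiguous under a
        # subtree search): this model refuses instead of picking a DN to bind.
        return False, binds
    binds += 1
    return simple_bind(matches[0], password), binds
```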