[jboss-user] [Security & JAAS/JBoss] - Re: Active Directory and LdapExtLoginModule?
Neelixx
do-not-reply at jboss.com
Wed Aug 23 11:26:16 EDT 2006
Here are my config files. Keep in mind that this configuration uses the user's UPN name (user@company.com), as I had multiple domains to authenticate to.
I do not use EJB Security in this configuration.
Hope this helps! Good Luck!
login-config.xml
-------------
<?xml version='1.0'?>
<!DOCTYPE policy PUBLIC
  "-//JBoss//DTD JBOSS Security Config 3.0//EN"
  "http://www.jboss.org/j2ee/dtd/security_config.dtd">
<!--
  Due to the limitations of Active Directory's Group membership, the Members attribute from
  an LDAP query is not populated with the Primary Group. But, since every user is, by default,
  a member of the Domain User's group, every user who can authenticate correctly receives a
  default role of "AuthUser". This is my way to determine a network user without checking
  for the group "Domain User".
  http://support.microsoft.com/?kbid=275523
-->
<application-policy name="dci-ad">
  <!--
    company3 authentication. Login module is set to sufficient, which means this login module
    is not required to succeed (since the user could be company1 or company2).
  -->
  <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="sufficient">
    <module-option name="java.naming.provider.url">ldap://company3.com:389</module-option>
    <module-option name="java.naming.security.authentication">simple</module-option>
    <module-option name="bindDN">cn=user,cn=Users,dc=company3,dc=com</module-option>
    <module-option name="bindCredential">password</module-option>
    <module-option name="baseCtxDN">cn=Users,dc=company3,dc=com</module-option>
    <module-option name="baseFilter">(userPrincipalName={0})</module-option>
    <module-option name="rolesCtxDN">cn=Users,dc=company3,dc=com</module-option>
    <module-option name="roleFilter">(member={1})</module-option>
    <module-option name="roleAttributeID">memberOf</module-option>
    <module-option name="roleAttributeIsDN">true</module-option>
    <module-option name="roleNameAttributeID">name</module-option>
    <module-option name="roleRecursion">0</module-option>
    <module-option name="defaultRole">AuthUser</module-option>
  </login-module>
  <!--
    company1 authentication. Login module set to sufficient, as this is not required
    to succeed (since the user could be company3 or company2).
  -->
  <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="sufficient">
    <module-option name="java.naming.provider.url">ldap://company1.com:389</module-option>
    <module-option name="java.naming.security.authentication">simple</module-option>
    <module-option name="bindDN">cn=user,cn=Users,dc=company1,dc=com</module-option>
    <module-option name="bindCredential">password</module-option>
    <module-option name="baseCtxDN">cn=Users,dc=company1,dc=com</module-option>
    <module-option name="baseFilter">(userPrincipalName={0})</module-option>
    <module-option name="rolesCtxDN">cn=Users,dc=company1,dc=com</module-option>
    <module-option name="roleFilter">(member={1})</module-option>
    <module-option name="roleAttributeID">memberOf</module-option>
    <module-option name="roleAttributeIsDN">true</module-option>
    <module-option name="roleNameAttributeID">name</module-option>
    <module-option name="roleRecursion">0</module-option>
    <module-option name="defaultRole">AuthUser</module-option>
  </login-module>
  <!--
    company2 authentication. Login module is set to sufficient, which means this login module
    is not required to succeed (since the user could be company1 or company3).
  -->
  <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="sufficient">
    <module-option name="java.naming.provider.url">ldap://company2.com:389</module-option>
    <module-option name="java.naming.security.authentication">simple</module-option>
    <module-option name="bindDN">cn=user,cn=Users,dc=company2,dc=com</module-option>
    <module-option name="bindCredential">password</module-option>
    <module-option name="baseCtxDN">cn=Users,dc=company2,dc=com</module-option>
    <module-option name="baseFilter">(userPrincipalName={0})</module-option>
    <module-option name="rolesCtxDN">cn=Users,dc=company2,dc=com</module-option>
    <module-option name="roleFilter">(member={1})</module-option>
    <module-option name="roleAttributeID">memberOf</module-option>
    <module-option name="roleAttributeIsDN">true</module-option>
    <module-option name="roleNameAttributeID">name</module-option>
    <module-option name="roleRecursion">0</module-option>
    <module-option name="defaultRole">AuthUser</module-option>
  </login-module>
</application-policy>
web.xml
--------------
<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/bad-login.jsp</form-error-page>
  </form-login-config>
</login-config>
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Main Application</web-resource-name>
    <description>accessible by authorized users</description>
    <url-pattern>/main/*</url-pattern>
    <!-- Listing http-method elements constrains only those verbs; any other
         method (HEAD, PUT, ...) on /main/* is left unconstrained. Omit the
         http-method elements to protect every method. -->
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
    <description>These are the roles who have access</description>
    <role-name>AuthUser</role-name>
  </auth-constraint>
</security-constraint>
<security-role>
  <description>Active Directory Authenticated User</description>
  <role-name>AuthUser</role-name>
</security-role>
</web-app>
jboss-web.xml
-----------------
<jboss-web>
  <security-domain>java:/jaas/dci-ad</security-domain>
</jboss-web>
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3967014#3967014
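As an added illustration, not part of the original post and not JBoss's own code, here is a Python simulation of what the three `sufficient` modules above do: substitute the (escaped) login name for `{0}` in `baseFilter`, find the entry under `baseCtxDN`, bind as that user, follow the `memberOf` DNs to their `name` attribute, and finally add `defaultRole`. The in-memory `DIRECTORY`, its passwords, the `ldap_filter_escape` helper and the toy equality-filter matcher are all assumptions standing in for the three AD domains; nothing contacts a real server.

```python
"""Simulation (added example, not JBoss code) of a chain of three 'sufficient'
LdapExtLoginModule entries like the login-config.xml in the post.

Assumptions not taken from the post: DIRECTORY replaces the three AD domains,
'_password' exists only so the simulated simple bind can check it, and
ldap_filter_escape follows RFC 4515 filter escaping.
"""
import re
from dataclasses import dataclass


def ldap_filter_escape(value: str) -> str:
    """RFC 4515 escaping for a value substituted into a search filter, so that
    input such as 'x)(objectClass=*' stays one literal value."""
    return ''.join('\\%02x' % ord(ch) if ch in '*()\\\x00' else ch for ch in value)


def ldap_filter_unescape(value: str) -> str:
    """Inverse of ldap_filter_escape; used by the toy matcher in search_user."""
    return re.sub(r'\\([0-9a-fA-F]{2})', lambda m: chr(int(m.group(1), 16)), value)


# Constructed directory: DN -> attributes ('_password' is a simulation aid only).
DIRECTORY = {
    'cn=alice,cn=Users,dc=company3,dc=com': {
        'userPrincipalName': 'alice@company3.com',
        'memberOf': ['cn=Developers,cn=Users,dc=company3,dc=com'],
        '_password': 'alice-pw',
    },
    'cn=Developers,cn=Users,dc=company3,dc=com': {'name': 'Developers'},
    'cn=bob,cn=Users,dc=company1,dc=com': {
        'userPrincipalName': 'bob@company1.com',
        # Domain Users is bob's primary group, so AD does not list it in
        # memberOf (KB 275523): without defaultRole he would end up role-less.
        'memberOf': [],
        '_password': 'bob-pw',
    },
    'cn=Domain Users,cn=Users,dc=company1,dc=com': {'name': 'Domain Users'},
}


@dataclass
class LdapModuleConfig:
    """The module-options from the post that this simulation honours."""
    base_ctx_dn: str
    base_filter: str = '(userPrincipalName={0})'
    role_name_attribute_id: str = 'name'
    default_role: str = 'AuthUser'
    flag: str = 'sufficient'


_EQUALITY_FILTER = re.compile(r'^\((\w+)=(.*)\)$')


def search_user(cfg: LdapModuleConfig, upn: str):
    """Put the escaped login name into baseFilter and return the DN of the one
    entry under baseCtxDN whose attribute equals that literal, else None."""
    flt = cfg.base_filter.replace('{0}', ldap_filter_escape(upn))
    m = _EQUALITY_FILTER.match(flt)
    if m is None:
        return None
    attr, literal = m.group(1), ldap_filter_unescape(m.group(2))
    for dn, attrs in DIRECTORY.items():
        if dn.endswith(',' + cfg.base_ctx_dn) and attrs.get(attr) == literal:
            return dn
    return None


def simple_bind(dn: str, password: str) -> bool:
    """Stand-in for the bind the module performs with the user's own password."""
    entry = DIRECTORY.get(dn)
    return entry is not None and entry.get('_password') == password


def resolve_roles(cfg: LdapModuleConfig, user_dn: str) -> set:
    """roleAttributeID=memberOf with roleAttributeIsDN=true: follow each DN,
    read roleNameAttributeID from the group entry, then add defaultRole."""
    roles = set()
    for group_dn in DIRECTORY[user_dn].get('memberOf', []):
        group = DIRECTORY.get(group_dn, {})
        if cfg.role_name_attribute_id in group:
            roles.add(group[cfg.role_name_attribute_id])
    roles.add(cfg.default_role)
    return roles


def login_module(cfg: LdapModuleConfig, upn: str, password: str):
    """One module: None means it failed (user not in this domain or bad password)."""
    dn = search_user(cfg, upn)
    if dn is None or not simple_bind(dn, password):
        return None
    return resolve_roles(cfg, dn)


def authenticate(policy, upn: str, password: str):
    """JAAS semantics for a chain made only of 'sufficient' modules: the first
    module that succeeds ends the chain; if none succeeds the login fails.
    (required/requisite flags are not modelled here.)"""
    for cfg in policy:
        roles = login_module(cfg, upn, password)
        if roles is not None and cfg.flag == 'sufficient':
            return roles
    return None


# The three domains from the post, in the same order.
POLICY = [LdapModuleConfig('cn=Users,dc=company3,dc=com'),
          LdapModuleConfig('cn=Users,dc=company1,dc=com'),
          LdapModuleConfig('cn=Users,dc=company2,dc=com')]

if __name__ == '__main__':
    print(sorted(authenticate(POLICY, 'alice@company3.com', 'alice-pw')))  # ['AuthUser', 'Developers']
    print(sorted(authenticate(POLICY, 'bob@company1.com', 'bob-pw')))      # ['AuthUser']
    print(authenticate(POLICY, 'bob@company1.com', 'wrong'))               # None
```

The `bob` case is the situation the post's first comment describes: his only membership is the primary group, which `memberOf` never reports, so `defaultRole` is what turns a successful bind into the `AuthUser` role that `web.xml` checks. The escaping step is there because `{0}` is replaced with whatever the login form sent; a caller that builds the filter should treat that value as a literal rather than as filter syntax.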