[jboss-user] [Security] - Problem combining two loginmodules for SSO with Active Direc

Johan2001 do-not-reply at jboss.com
Tue Dec 1 06:49:01 EST 2009


For SSO in Windows Server 2008 we would like to use Kerberos so the user does not have to type in his/her username/password again for our application. Further, we need the user's roles/groups from Active Directory to restrict access to our application.

The solution I tried was to combine Krb5LoginModule with LdapExtLoginModule, but they do not work together in my case. If I use the Krb5LoginModule I can use SSO, if I use the LdapExtLoginModule I can retrieve the roles after entering my username/password again. But combining them for SSO and roles does not work.

If my research is correct, then the problem is that the Krb5LoginModule returns a user of the form "username@domain" while the LdapExtLoginModule expects just "username". But I could not find a solution for that. Is there a solution for this problem, or is there perhaps another LoginModule that could be used?

The code we are using is the following:

  <application-policy name="kerberos">
    <authentication>

      <!-- Kerberos authentication (SSO) -->
      <login-module code="com.sun.security.auth.module.Krb5LoginModule" flag="required">
        <module-option name="debug">true</module-option>
        <module-option name="storeKey">true</module-option>
        <module-option name="storePass">true</module-option>
      </login-module>

      <!-- Role lookup in Active Directory -->
      <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
        <module-option name="debug">true</module-option>
        <module-option name="java.naming.provider.url">ldap://$ip$:389</module-option>
        <module-option name="bindDN">cn=$Username$,cn=Users,dc=$domain$,dc=$domainextension$</module-option>
        <module-option name="bindCredential">$password$</module-option>
        <module-option name="baseCtxDN">cn=Users,dc=$domain$,dc=$domainextension$</module-option>
        <module-option name="baseFilter">(sAMAccountName={0})</module-option>
        <module-option name="rolesCtxDN">cn=Users,dc=$domain$,dc=$domainextension$</module-option>
        <module-option name="roleFilter">(sAMAccountName={0})</module-option>
        <module-option name="roleAttributeID">memberOf</module-option>
        <module-option name="roleAttributeIsDN">true</module-option>
        <module-option name="roleNameAttributeID">cn</module-option>
        <module-option name="searchScope">ONELEVEL_SCOPE</module-option>
        <module-option name="allowEmptyPasswords">false</module-option>
      </login-module>

    </authentication>
  </application-policy>


View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=4268266#4268266

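The name mismatch the post identifies ("username@domain" from Krb5LoginModule versus the bare sAMAccountName that the (sAMAccountName={0}) filters need) can be bridged with a small JAAS module stacked between the two. The class below is an added illustration written for this page; it is not part of JBoss or of the poster's configuration, and the class name KerberosNameBridgeLoginModule is hypothetical. It assumes that storePass=true on Krb5LoginModule (already set in the posted policy) puts the principal name into the JAAS shared state under javax.security.auth.login.name, and that LdapExtLoginModule, like other JBoss UsernamePasswordLoginModule subclasses, reads that key when password-stacking is set to useFirstPass.

```java
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

/**
 * Hypothetical bridge module (illustration, not a JBoss class). Stacked
 * between Krb5LoginModule and LdapExtLoginModule, it rewrites the principal
 * name that Krb5LoginModule left in the JAAS shared state from
 * "user@REALM" to "user", which is what the (sAMAccountName={0}) filters
 * in the posted policy expect. Assumes storePass=true on Krb5LoginModule
 * (so the name is in the shared state at login() time) and
 * password-stacking=useFirstPass on LdapExtLoginModule (so it takes the
 * name from the shared state instead of prompting again).
 */
public class KerberosNameBridgeLoginModule implements LoginModule {

    /** Shared-state key read by JBoss UsernamePasswordLoginModule subclasses. */
    static final String NAME_KEY = "javax.security.auth.login.name";

    private Map<String, Object> sharedState;
    private String original;

    @Override
    @SuppressWarnings("unchecked")
    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.sharedState = (Map<String, Object>) sharedState;
    }

    /**
     * Runs in the login phase, after Krb5LoginModule.login() and before
     * LdapExtLoginModule.login(). Doing this in commit() would be too late:
     * JAAS runs every module's login() before any commit(), so the LDAP
     * module would already have consumed the unmodified name.
     */
    @Override
    public boolean login() throws LoginException {
        Object name = sharedState.get(NAME_KEY);
        if (name == null) {
            return false;           // nothing to bridge; JAAS ignores this module
        }
        original = name.toString();
        sharedState.put(NAME_KEY, stripRealm(original));
        return true;
    }

    /**
     * "jdoe@EXAMPLE.COM" -> "jdoe". The realm starts at the last unescaped '@';
     * a backslash-escaped "\@" inside the name component is preserved.
     * Names without a realm are returned unchanged.
     */
    static String stripRealm(String principal) {
        int at = -1;
        for (int i = 0; i < principal.length(); i++) {
            char c = principal.charAt(i);
            if (c == '\\') {
                i++;                // skip the escaped character
            } else if (c == '@') {
                at = i;
            }
        }
        return at < 0 ? principal : principal.substring(0, at);
    }

    @Override
    public boolean commit() { return original != null; }

    /** Put the shared state back the way it was if the overall login fails. */
    @Override
    public boolean abort() {
        if (original != null) {
            sharedState.put(NAME_KEY, original);
            original = null;
        }
        return true;
    }

    @Override
    public boolean logout() { return true; }
}
```

To use it, add a `<login-module code="KerberosNameBridgeLoginModule" flag="optional"/>` entry between the Krb5LoginModule and LdapExtLoginModule entries of the policy, and add `<module-option name="password-stacking">useFirstPass</module-option>` to the LdapExtLoginModule. Two things to check against the JBoss version in use before relying on this: LdapExtLoginModule also verifies the user by binding as the located DN with the password it finds in the shared state, and a Kerberos login taken from a ticket cache leaves no password there; and the stripped name must match sAMAccountName exactly, so a principal whose user part differs from the AD account name (case aside) will still fail the filter.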