[jboss-user] [Beginner's Corner] - Integrate JBoss 6 to AD - map groups to roles?

[Stian Lund]

Stian Lund [http://community.jboss.org/people/pathduck] created the discussion

"Integrate JBoss 6 to AD - map groups to roles?"

To view the discussion, visit: http://community.jboss.org/message/602192#602192

--------------------------------------------------------------
Hi, I'm new  :) 

I'm in the process of setting up a Test-env for JBoss where we want to connect to Active Directory for authentication of users to the jmx console and admin console. I've created a policy in login-config.xml:


<application-policy name="ActiveDirectory">
                <authentication>
            <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required" >
                <module-option name="java.naming.provider.url">ldap://xxx:389/</module-option>
                <module-option name="bindDN">CN=xxx,OU=xxx,DC=xxx,DC=xxx</module-option>
                <module-option name="bindCredential">xxx</module-option>
                    <module-option name="baseCtxDN">cn=Users,dc=xxx,dc=xxx</module-option>
                                <module-option name="baseFilter">(sAMAccountName={0})</module-option>
                                <module-option name="rolesCtxDN">cn=Users,dc=xxx,dc=xxx</module-option>
                                <module-option name="roleFilter">(sAMAccountName={0})</module-option>
                                <module-option name="roleAttributeID">memberOf</module-option>
                                <module-option name="roleAttributeIsDN">true</module-option>
                                <module-option name="roleNameAttributeID">cn</module-option>
                                <module-option name="searchScope">ONELEVEL_SCOPE</module-option>
                                <module-option name="allowEmptyPasswords">false</module-option>
            </login-module>
        </authentication>
    </application-policy>



I've mapped this policy in jboss-web.xml for the WAR files:
    
<security-domain>java:/jaas/ActiveDirectory</security-domain>

But now I've hit the wall in regards to how I would map the AD group whose members are admins to the correct role, which I guess is "JBossAdmin".
For instance we have a group "ga-JBossAdm" in AD and want these members to have the role. I've tried searching for examples how to do this but come up short. 

I'm coming from a Websphere background where this integration is based on mapping AD groups/users to administrative roles in WAS, so maybe I am going at this the wrong way, but I can't really figure out where to go from here. Is <role-name> supposed to map to the same as the name of the AD group?

Hope some of you JBoss gurus can help me proceed here  :)
--------------------------------------------------------------

Reply to this message by going to Community
[http://community.jboss.org/message/602192#602192]

Start a new discussion in Beginner's Corner at Community
[http://community.jboss.org/choose-container!input.jspa?contentType=1&containerType=14&container=2075]

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/jboss-user/attachments/20110427/69c88b9a/attachment.html