[jboss-user] [Beginner's Corner] - Integrate JBoss 6 to AD - map groups to roles?
Stian Lund
do-not-reply at jboss.com
Wed Apr 27 05:47:57 EDT 2011
Stian Lund [http://community.jboss.org/people/pathduck] created the discussion
"Integrate JBoss 6 to AD - map groups to roles?"
To view the discussion, visit: http://community.jboss.org/message/602192#602192
--------------------------------------------------------------
Hi, I'm new :)
I'm in the process of setting up a test environment for JBoss where we want to connect to Active Directory for authentication of users to the JMX console and admin console. I've created a policy in login-config.xml:
<application-policy name="ActiveDirectory">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
      <!-- Directory connection and the service account used for the initial bind
           (values are placeholders in this post) -->
      <module-option name="java.naming.provider.url">ldap://xxx:389/</module-option>
      <module-option name="bindDN">CN=xxx,OU=xxx,DC=xxx,DC=xxx</module-option>
      <module-option name="bindCredential">xxx</module-option>
      <!-- User lookup: search baseCtxDN for (sAMAccountName=login name), then bind
           as the DN that is found, using the password the user supplied -->
      <module-option name="baseCtxDN">cn=Users,dc=xxx,dc=xxx</module-option>
      <module-option name="baseFilter">(sAMAccountName={0})</module-option>
      <!-- Role lookup: find the user's own entry again under rolesCtxDN and read its
           memberOf values. roleAttributeIsDN=true tells the module each value is a
           group DN, so it looks that group up and takes its cn as the role name.
           The role names JBoss ends up with are therefore the AD group cn values. -->
      <module-option name="rolesCtxDN">cn=Users,dc=xxx,dc=xxx</module-option>
      <module-option name="roleFilter">(sAMAccountName={0})</module-option>
      <module-option name="roleAttributeID">memberOf</module-option>
      <module-option name="roleAttributeIsDN">true</module-option>
      <module-option name="roleNameAttributeID">cn</module-option>
      <!-- ONELEVEL_SCOPE only matches entries directly under the context DN;
           users or groups in sub-OUs need SUBTREE_SCOPE -->
      <module-option name="searchScope">ONELEVEL_SCOPE</module-option>
      <!-- Keep this false: an LDAP simple bind with an empty password is treated as an
           anonymous bind by AD and would otherwise "succeed" for any valid user name -->
      <module-option name="allowEmptyPasswords">false</module-option>
    </login-module>
  </authentication>
</application-policy>
I've mapped this policy in jboss-web.xml for the WAR files:
<security-domain>java:/jaas/ActiveDirectory</security-domain>
But now I've hit a wall in regards to how I would map the AD group whose members are admins to the correct role, which I guess is "JBossAdmin".
For instance we have a group "ga-JBossAdm" in AD and want these members to have the role. I've tried searching for examples how to do this but come up short.
I'm coming from a WebSphere background, where this integration is based on mapping AD groups/users to administrative roles in WAS, so maybe I am going at this the wrong way, but I can't really figure out where to go from here. Is <role-name> supposed to map to the same as the name of the AD group?
Hope some of you JBoss gurus can help me proceed here :)
--------------------------------------------------------------
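As an added example (not part of the original post and not a file shipped with JBoss), here is the part of the jmx-console WAR's WEB-INF/web.xml that answers the question above. The container checks an auth-constraint by comparing its role-name, as a plain string, against the role names the login module put into the Subject; with roleAttributeID=memberOf, roleAttributeIsDN=true and roleNameAttributeID=cn those names are the cn of each AD group the user belongs to. So the AD group's cn is used directly as the role name. The web-resource-name and realm-name are assumed to match the stock jmx-console web.xml, and "ga-JBossAdm" is the group name from the post.

```xml
<!-- Added example: WEB-INF/web.xml of the jmx-console WAR, with the role name
     changed from "JBossAdmin" to the cn of the AD group "ga-JBossAdm". -->
<security-constraint>
  <web-resource-collection>
    <!-- Assumed to match the stock jmx-console web.xml -->
    <web-resource-name>HtmlAdaptor</web-resource-name>
    <!-- No http-method element, so every method is protected -->
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <!-- Must equal the group cn that LdapExtLoginModule derives from memberOf -->
    <role-name>ga-JBossAdm</role-name>
  </auth-constraint>
</security-constraint>

<login-config>
  <auth-method>BASIC</auth-method>
  <!-- Assumed realm name; only shown to the browser -->
  <realm-name>JBoss JMX Console</realm-name>
</login-config>

<security-role>
  <role-name>ga-JBossAdm</role-name>
</security-role>
```

The same role name goes into the admin-console WAR's web.xml. The alternative is to leave `JBossAdmin` in web.xml and create an AD group whose cn is exactly `JBossAdmin`; either way it is a case-sensitive string match between the two. BASIC auth sends the AD password base64-encoded on every request, so the consoles should only be reachable over HTTPS.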