[jboss-user] [Beginner's Corner] - Re: Integrate JBoss 6 to AD - map groups to roles?

Jonathan Turner do-not-reply at jboss.com
Tue Feb 28 06:42:59 EST 2012


Jonathan Turner [https://community.jboss.org/people/earthwormgym] created the discussion

"Re: Integrate JBoss 6 to AD - map groups to roles?"

To view the discussion, visit: https://community.jboss.org/message/720171#720171

--------------------------------------------------------------
Hi,

I've been trying to get LDAP auth against Active Directory working for the admin-console. After reading many posts and trying many different configuration options I'm still not having any luck.

I have tried the following two options in my login-config.xml, as the ones I thought made sense.

Option 1:


  <application-policy name="jmx-console">
    <authentication>
      <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
        <!-- Plain ldap:// on 389 with a simple bind: the bindCredential and every
             user's password cross the wire in cleartext. Use ldaps:// (636) or
             StartTLS outside a lab. -->
        <module-option name="java.naming.provider.url">ldap://adserver.domain.com:389/</module-option>
        <module-option name="java.naming.security.authentication">simple</module-option>
        <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
        <!-- Service account used only for the initial search bind; the module then
             re-binds as the user DN found below with the password the user typed. -->
        <module-option name="bindDN">domain\searchuser</module-option>
        <module-option name="bindCredential">search.user.passwd</module-option>
        <!-- User search: {0} is the login name typed into the console -->
        <module-option name="baseCtxDN">DC=DOMAIN,DC=com</module-option>
        <module-option name="baseFilter">(sAMAccountName={0})</module-option>
        <!-- Role search: find the user's own entry again and read its memberOf
             values; each value is a group DN (roleAttributeIsDN=true) whose cn
             (roleNameAttributeID) becomes the role name. No recursion here. -->
        <module-option name="rolesCtxDN">DC=DOMAIN,DC=com</module-option>
        <module-option name="roleFilter">(sAMAccountName={0})</module-option>
        <module-option name="roleAttributeID">memberOf</module-option>
        <module-option name="roleAttributeIsDN">true</module-option>
        <module-option name="roleNameAttributeID">cn</module-option>
        <module-option name="allowEmptyPasswords">false</module-option>
        <module-option name="searchScope">SUBTREE_SCOPE</module-option>
      </login-module>
    </authentication>
  </application-policy>



The idea here is that it looks in the login user's entry for the memberOf attributes, which return the groups, and then gets the cn of each of these groups to match against the role I configure in the admin-console's web.xml.
I see from a Wireshark capture of the LDAP queries that it binds successfully and the queries return as they should, but I still get access denied.

Option 2:


  <application-policy name="jmx-console">
    <authentication>
      <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
        <!-- Connection and service-account bind; simple bind over plain ldap://
             sends these credentials in cleartext -->
        <module-option name="java.naming.provider.url">ldap://adserver.domain.com:389/</module-option>
        <module-option name="java.naming.security.authentication">simple</module-option>
        <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
        <module-option name="bindDN">domain\searchuser</module-option>
        <module-option name="bindCredential">search.user.passwd</module-option>
        <!-- User search: {0} is the login name -->
        <module-option name="baseCtxDN">DC=DOMAIN,DC=com</module-option>
        <module-option name="baseFilter">(sAMAccountName={0})</module-option>
        <!-- Role search: {1} is the DN of the user entry found above. Each group
             whose member attribute contains that DN is a role; its cn is the role
             name. roleRecursion=5 repeats the search with each matched group's DN
             in place of {1}, so nested groups up to five levels deep are found. -->
        <module-option name="rolesCtxDN">DC=DOMAIN,DC=com</module-option>
        <module-option name="roleFilter">(member={1})</module-option>
        <module-option name="roleRecursion">5</module-option>
        <module-option name="roleAttributeID">cn</module-option>
        <module-option name="allowEmptyPasswords">false</module-option>
        <module-option name="searchScope">SUBTREE_SCOPE</module-option>
      </login-module>
    </authentication>
  </application-policy>



The idea here is that it queries for all the groups that the login user is a member of and then uses the cn of each group as the role to match against the one configured in the web.xml.
Again, I see the queries via Wireshark and they seem to work.


The login user is definitely in the group that I'm using for the role.

Any ideas? My next step is going to be to download the source and remote debug the login module. Is there something obvious I'm getting wrong?

Thanks
--------------------------------------------------------------

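Added example, not part of the original post and not JBoss code: an offline Python model of the two role-resolution strategies in the configurations above. The directory entries (user, groups, DNs, login name) are constructed, and the functions mimic what LdapExtLoginModule's option names describe rather than reproducing its source. It illustrates the one difference between the two options that matters for "user is definitely in the group" situations: Active Directory's memberOf attribute lists only direct memberships, so Option 1 never sees a group the user belongs to through a nested group, while Option 2 with roleRecursion greater than 0 does. In both cases the string that must appear in web.xml's <role-name> is the group's cn, exactly as stored.

```python
"""
Offline model of how JBoss LdapExtLoginModule derives role names from LDAP.
Constructed example: the directory is fake and the functions imitate the
module's two role-search strategies, they are not the real implementation.
"""
from typing import Dict, List, Set

# Constructed stand-in for an AD subtree: DN -> {attribute: [values]}.
# Note the nested membership jturner -> "Web Developers" -> "JBoss Admins".
# AD's memberOf is not transitive, so the user entry lists only the direct group.
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "CN=Jonathan Turner,CN=Users,DC=DOMAIN,DC=com": {
        "sAMAccountName": ["jturner"],
        "memberOf": ["CN=Web Developers,OU=Groups,DC=DOMAIN,DC=com"],
    },
    "CN=Web Developers,OU=Groups,DC=DOMAIN,DC=com": {
        "cn": ["Web Developers"],
        "member": ["CN=Jonathan Turner,CN=Users,DC=DOMAIN,DC=com"],
        "memberOf": ["CN=JBoss Admins,OU=Groups,DC=DOMAIN,DC=com"],
    },
    "CN=JBoss Admins,OU=Groups,DC=DOMAIN,DC=com": {
        "cn": ["JBoss Admins"],
        "member": ["CN=Web Developers,OU=Groups,DC=DOMAIN,DC=com"],
    },
}


def search(directory, base_dn: str, attr: str, value: str) -> List[str]:
    """Emulate a SUBTREE_SCOPE search with an equality filter (attr=value) and
    return the DNs of matching entries under base_dn. Attribute names and DNs
    are compared case-insensitively, as LDAP does."""
    hits = []
    for dn, attrs in directory.items():
        if not dn.lower().endswith(base_dn.lower()):
            continue
        if any(n.lower() == attr.lower() and value in v for n, v in attrs.items()):
            hits.append(dn)
    return hits


def find_user_dn(directory, base_ctx_dn: str, username: str) -> str:
    """baseFilter=(sAMAccountName={0}): resolve the typed login name to a DN.
    The module then binds as that DN with the user's password (omitted here)."""
    hits = search(directory, base_ctx_dn, "sAMAccountName", username)
    if len(hits) != 1:
        raise LookupError(f"expected exactly one user entry, got {hits}")
    return hits[0]


def roles_option1(directory, user_dn: str, roles_ctx_dn: str) -> Set[str]:
    """Option 1: roleFilter=(sAMAccountName={0}), roleAttributeID=memberOf,
    roleAttributeIsDN=true, roleNameAttributeID=cn. Each memberOf value is a
    group DN; that group's cn is the role. Only direct groups are seen."""
    roles: Set[str] = set()
    for group_dn in directory[user_dn].get("memberOf", []):
        if group_dn.lower().endswith(roles_ctx_dn.lower()):
            roles.update(directory[group_dn].get("cn", []))
    return roles


def roles_option2(directory, user_dn: str, roles_ctx_dn: str, role_recursion: int) -> Set[str]:
    """Option 2: roleFilter=(member={1}), roleAttributeID=cn, roleRecursion=N.
    Find groups whose member attribute holds the user DN, then repeat with each
    matched group DN substituted for {1}, up to N additional levels."""
    roles: Set[str] = set()
    seen: Set[str] = set()
    frontier = [user_dn]
    for _ in range(role_recursion + 1):
        next_frontier = []
        for dn in frontier:
            for group_dn in search(directory, roles_ctx_dn, "member", dn):
                if group_dn in seen:  # guard against group membership cycles
                    continue
                seen.add(group_dn)
                roles.update(directory[group_dn].get("cn", []))
                next_frontier.append(group_dn)
        if not next_frontier:
            break
        frontier = next_frontier
    return roles


def is_authorized(roles: Set[str], web_xml_role_name: str) -> bool:
    """The <role-name> in web.xml must equal the derived role string exactly."""
    return web_xml_role_name in roles


if __name__ == "__main__":
    base = "DC=DOMAIN,DC=com"
    user = find_user_dn(DIRECTORY, base, "jturner")
    print("Option 1 roles:", roles_option1(DIRECTORY, user, base))
    print("Option 2 roles, roleRecursion=5:", roles_option2(DIRECTORY, user, base, 5))
    print("Option 2 roles, roleRecursion=0:", roles_option2(DIRECTORY, user, base, 0))
    print("JBoss Admins allowed via option 1?", is_authorized(roles_option1(DIRECTORY, user, base), "JBoss Admins"))
```

Running it with the constructed directory, Option 1 and Option 2 with roleRecursion=0 both yield only "Web Developers", while Option 2 with roleRecursion=5 also yields "JBoss Admins". If the console's web.xml names the nested group, only the recursive search authorizes the user, even though a Wireshark trace of either configuration shows successful binds and non-empty search results.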