<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<body link="#355491" alink="#4262a1" vlink="#355491" style="background: #e2e2e2; margin: 0; padding: 20px;">

<div>
        <table cellpadding="0" bgcolor="#FFFFFF" border="0" cellspacing="0" style="border: 1px solid #dadada; margin-bottom: 30px; width: 100%; -moz-border-radius: 6px; -webkit-border-radius: 6px;">
                <tbody>
                        <tr>

                                <td>

                                        <table border="0" cellpadding="0" cellspacing="0" bgcolor="#FFFFFF" style="border: solid 2px #ccc; background: #dadada; width: 100%; -moz-border-radius: 6px; -webkit-border-radius: 6px;">
                                                <tbody>
                                                        <tr>
                                                                <td bgcolor="#000000" valign="middle" height="58px" style="border-bottom: 1px solid #ccc; padding: 20px; -moz-border-radius-topleft: 3px; -moz-border-radius-topright: 3px; -webkit-border-top-right-radius: 5px; -webkit-border-top-left-radius: 5px;">
                                                                        <h1 style="color: #333333; font: bold 22px Arial, Helvetica, sans-serif; margin: 0; display: block !important;">
                                                                        <a href="https://community.jboss.org/index.jspa" style="text-decoration: none; color: #E1E1E1">JBoss Community</a></h1>
                                                                </td>

                                                        </tr>
                                                        <tr>
                                                                <td bgcolor="#FFFFFF" style="font: normal 12px Arial, Helvetica, sans-serif; color:#333333; padding: 20px;  -moz-border-radius-bottomleft: 4px; -moz-border-radius-bottomright: 4px; -webkit-border-bottom-right-radius: 5px; -webkit-border-bottom-left-radius: 5px;"><h3 style="margin: 10px 0 5px; font-size: 17px; font-weight: normal;">
    Re: Integrate JBoss 6 to AD - map groups to roles?
</h3>
<span style="margin-bottom: 10px;">
    created by <a href="https://community.jboss.org/people/earthwormgym">Jonathan Turner</a> in <i>Beginner's Corner</i> - <a href="https://community.jboss.org/message/720171#720171">View the full discussion</a>
</span>
<hr style="margin: 20px 0; border: none; background-color: #dadada; height: 1px;">

<div class="jive-rendered-content"><p>Hi,</p><p style="min-height: 8pt; height: 8pt; padding: 0px;">&#160;</p><p>I've been trying to get LDAP auth against Active Directory working for the admin-console. After reading many posts and trying many different configuration options I'm still not having any luck.</p><p style="min-height: 8pt; height: 8pt; padding: 0px;">&#160;</p><p>I have tried the following two options as ones I thought made sense in my login-config.xml.</p><p style="min-height: 8pt; height: 8pt; padding: 0px;">&#160;</p><p>Option 1:</p><p style="min-height: 8pt; height: 8pt; padding: 0px;">&#160;</p><pre class="jive-pre"><code class="jive-code jive-xml">
&#160; <span class="jive-xml-tag">&lt;application-policy name="jmx-console"&gt;</span>
&#160;&#160;&#160; <span class="jive-xml-tag">&lt;authentication&gt;</span>
&#160;&#160;&#160;&#160;&#160; <span class="jive-xml-tag">&lt;login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required"&gt;</span>
&#160;&#160;&#160;&#160;&#160;&#160;&#160; <span class="jive-xml-tag">&lt;module-option name="java.naming.provider.url"&gt;</span>ldap://adserver.domain.com:389/<span class="jive-xml-tag">&lt;/module-option&gt;</span>
&#160;&#160;&#160;&#160;&#160;&#160;&#160; <span class="jive-xml-tag">&lt;module-option name="java.naming.security.authentication"&gt;</span>simple<span class="jive-xml-tag">&lt;/module-option&gt;</span>
&#160;&#160;&#160;&#160;&#160;&#160;&#160; <span class="jive-xml-tag">&lt;module-option name="java.naming.factory.initial"&gt;</span>com.sun.jndi.ldap.LdapCtxFactory<span class="jive-xml-tag">&lt;/module-option&gt;</span> 
&#160;&#160;&#160;&#160;&#160;&#160;&#160; <span class="jive-xml-tag">&lt;module-option name="bindDN"&gt;</span>domain\searchuser<span class="jive-xml-tag">&lt;/module-option&gt;</span>
&#160;&#160;&#160;&#160;&#160;&#160;&#160; <span class="jive-xml-tag">&lt;module-option name="bindCredential"&gt;</span>search.user.passwd<span class="jive-xml-tag">&lt;/module-option&gt;</span>
&#160;&#160;&#160;&#160;&#160;&#160;&#160; <span class="jive-xml-tag">&lt;module-option name="baseCtxDN"&gt;</span>DC=DOMAIN,DC=com<span class="jive-xml-tag">&lt;/module-option&gt;</span>
&#160;&#160;&#160;&#160;&#160;&#160;&#160; <span class="jive-xml-tag">&lt;module-option name="baseFilter"&gt;</span>(sAMAccountName={0})<span class="jive-xml-tag">&lt;/module-option&gt;</span>
&#160;&#160;&#160;&#160;&#160;&#160;&#160; <span class="jive-xml-tag">&lt;module-option name="rolesCtxDN"&gt;</span>DC=DOMAIN,DC=com<span class="jive-xml-tag">&lt;/module-option&gt;</span>
&#160;&#160;&#160;&#160;&#160;&#160;&#160; <span class="jive-xml-tag">&lt;module-option name="roleFilter"&gt;</span>(sAMAccountName={0})<span class="jive-xml-tag">&lt;/module-option&gt;</span>
&#160;&#160;&#160;&#160;&#160;&#160;&#160; <span class="jive-xml-tag">&lt;module-option name="roleAttributeID"&gt;</span>memberOf<span class="jive-xml-tag">&lt;/module-option&gt;</span>
&#160;&#160;&#160;&#160;&#160;&#160;&#160; <span class="jive-xml-tag">&lt;module-option name="roleAttributeIsDN"&gt;</span>true<span class="jive-xml-tag">&lt;/module-option&gt;</span>
&#160;&#160;&#160;&#160;&#160;&#160;&#160; <span class="jive-xml-tag">&lt;module-option name="roleNameAttributeID"&gt;</span>cn<span class="jive-xml-tag">&lt;/module-option&gt;</span>
&#160;&#160;&#160;&#160;&#160;&#160;&#160; <span class="jive-xml-tag">&lt;module-option name="allowEmptyPasswords"&gt;</span>false<span class="jive-xml-tag">&lt;/module-option&gt;</span>
&#160;&#160;&#160;&#160;&#160;&#160;&#160; <span class="jive-xml-tag">&lt;module-option name="searchScope"&gt;</span>SUBTREE_SCOPE<span class="jive-xml-tag">&lt;/module-option&gt;</span>
&#160;&#160;&#160;&#160;&#160; <span class="jive-xml-tag">&lt;/login-module&gt;</span>
&#160;&#160;&#160; <span class="jive-xml-tag">&lt;/authentication&gt;</span>
&#160; <span class="jive-xml-tag">&lt;/application-policy&gt;</span>
</code></pre><p style="min-height: 8pt; height: 8pt; padding: 0px;">&#160;</p><p style="min-height: 8pt; height: 8pt; padding: 0px;">&#160;</p><p>The idea here is that it looks in the login user's entry for the memberOf attributes, which returns the groups, and then gets the cn for each of these groups to match against the role I configure in the admin-console's web.xml.</p><p>I see from a wireshark of the LDAP queries that it binds successfully and the queries return as they should, but I still get access denied.</p><p style="min-height: 8pt; height: 8pt; padding: 0px;">&#160;</p><p>Option 2:</p><p style="min-height: 8pt; height: 8pt; padding: 0px;">&#160;</p><pre class="jive-pre"><code class="jive-code jive-xml">
&#160; <span class="jive-xml-tag">&lt;application-policy name="jmx-console"&gt;</span>
&#160;&#160;&#160; <span class="jive-xml-tag">&lt;authentication&gt;</span>
&#160;&#160;&#160;&#160;&#160; <span class="jive-xml-tag">&lt;login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required"&gt;</span>
&#160;&#160;&#160;&#160;&#160;&#160;&#160; <span class="jive-xml-tag">&lt;module-option name="java.naming.provider.url"&gt;</span>ldap://adserver.domain.com:389/<span class="jive-xml-tag">&lt;/module-option&gt;</span>
&#160;&#160;&#160;&#160;&#160;&#160;&#160; <span class="jive-xml-tag">&lt;module-option name="java.naming.security.authentication"&gt;</span>simple<span class="jive-xml-tag">&lt;/module-option&gt;</span>
&#160;&#160;&#160;&#160;&#160;&#160;&#160; <span class="jive-xml-tag">&lt;module-option name="java.naming.factory.initial"&gt;</span>com.sun.jndi.ldap.LdapCtxFactory<span class="jive-xml-tag">&lt;/module-option&gt;</span> 
&#160;&#160;&#160;&#160;&#160;&#160;&#160; <span class="jive-xml-tag">&lt;module-option name="bindDN"&gt;</span>domain\searchuser<span class="jive-xml-tag">&lt;/module-option&gt;</span>
&#160;&#160;&#160;&#160;&#160;&#160;&#160; <span class="jive-xml-tag">&lt;module-option name="bindCredential"&gt;</span>search.user.passwd<span class="jive-xml-tag">&lt;/module-option&gt;</span>
&#160;&#160;&#160;&#160;&#160;&#160;&#160; <span class="jive-xml-tag">&lt;module-option name="baseCtxDN"&gt;</span>DC=DOMAIN,DC=com<span class="jive-xml-tag">&lt;/module-option&gt;</span>
&#160;&#160;&#160;&#160;&#160;&#160;&#160; <span class="jive-xml-tag">&lt;module-option name="baseFilter"&gt;</span>(sAMAccountName={0})<span class="jive-xml-tag">&lt;/module-option&gt;</span>
&#160;&#160;&#160;&#160;&#160;&#160;&#160; <span class="jive-xml-tag">&lt;module-option name="rolesCtxDN"&gt;</span>DC=DOMAIN,DC=com<span class="jive-xml-tag">&lt;/module-option&gt;</span>
&#160;&#160;&#160;&#160;&#160;&#160;&#160; <span class="jive-xml-tag">&lt;module-option name="roleFilter"&gt;</span>(member={1})<span class="jive-xml-tag">&lt;/module-option&gt;</span>
&#160;&#160;&#160;&#160;&#160;&#160;&#160; <span class="jive-xml-tag">&lt;module-option name="roleRecursion"&gt;</span>5<span class="jive-xml-tag">&lt;/module-option&gt;</span>
&#160;&#160;&#160;&#160;&#160;&#160;&#160; <span class="jive-xml-tag">&lt;module-option name="roleAttributeID"&gt;</span>cn<span class="jive-xml-tag">&lt;/module-option&gt;</span>
&#160;&#160;&#160;&#160;&#160;&#160;&#160; <span class="jive-xml-tag">&lt;module-option name="allowEmptyPasswords"&gt;</span>false<span class="jive-xml-tag">&lt;/module-option&gt;</span>
&#160;&#160;&#160;&#160;&#160;&#160;&#160; <span class="jive-xml-tag">&lt;module-option name="searchScope"&gt;</span>SUBTREE_SCOPE<span class="jive-xml-tag">&lt;/module-option&gt;</span>
&#160;&#160;&#160;&#160;&#160; <span class="jive-xml-tag">&lt;/login-module&gt;</span>
&#160;&#160;&#160; <span class="jive-xml-tag">&lt;/authentication&gt;</span>
&#160; <span class="jive-xml-tag">&lt;/application-policy&gt;</span>
</code></pre><p style="min-height: 8pt; height: 8pt; padding: 0px;">&#160;</p><p style="min-height: 8pt; height: 8pt; padding: 0px;">&#160;</p><p>The idea here is that it queries for all the groups that the login user is a member of and then uses the cn of the group as the role to match against the one configured in the web.xml.</p><p>Again I see the queries via wireshark and they seem to work.</p><p style="min-height: 8pt; height: 8pt; padding: 0px;">&#160;</p><p style="min-height: 8pt; height: 8pt; padding: 0px;">&#160;</p><p>The login user is definitely in the group that I'm using for the role.</p><p style="min-height: 8pt; height: 8pt; padding: 0px;">&#160;</p><p>Any ideas? My next step is going to be to download the source and remote debug the login module. Is there something obvious I'm getting wrong?</p><p style="min-height: 8pt; height: 8pt; padding: 0px;">&#160;</p><p>Thanks</p></div>
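<p>An added Python sketch (not from the post above and not JBoss code) that mimics how LdapExtLoginModule's <code>{0}</code>/<code>{1}</code> substitution, <code>roleAttributeIsDN</code> and <code>roleRecursion</code> turn the two configurations above into role names, run against a constructed in-memory directory; the user <code>jturner</code>, the groups and the module semantics are assumptions made for the example. Comparing the returned set with the role name in web.xml is a cheaper first check than remote-debugging the module.</p>

```python
import re
# Constructed in-memory directory standing in for AD: DN -> attribute values.
DIRECTORY = {
    "CN=jturner,OU=Users,DC=DOMAIN,DC=com": {
        "sAMAccountName": ["jturner"],
        "memberOf": ["CN=JBossAdmin,OU=Groups,DC=DOMAIN,DC=com"],
    },
    "CN=JBossAdmin,OU=Groups,DC=DOMAIN,DC=com": {
        "cn": ["JBossAdmin"],
        "member": ["CN=jturner,OU=Users,DC=DOMAIN,DC=com"],
        "memberOf": ["CN=AllAdmins,OU=Groups,DC=DOMAIN,DC=com"],
    },
    "CN=AllAdmins,OU=Groups,DC=DOMAIN,DC=com": {
        "cn": ["AllAdmins"],
        "member": ["CN=JBossAdmin,OU=Groups,DC=DOMAIN,DC=com"],
    },
}

def search(base_dn, ldap_filter):
    """Subtree search for one (attr=value) equality filter; returns matching DNs."""
    attr, value = re.fullmatch(r"\((\w+)=(.*)\)", ldap_filter).groups()
    return [dn for dn, attrs in DIRECTORY.items()
            if dn.endswith(base_dn) and value in attrs.get(attr, [])]

def resolve_roles(opts, username):
    """Mimic LdapExtLoginModule's role search (assumed semantics): {0} is the login
    name, {1} the current entry's DN; roleRecursion re-runs roleFilter per found entry."""
    users = search(opts["baseCtxDN"], opts["baseFilter"].replace("{0}", username))
    if len(users) != 1:  # the module expects exactly one user entry
        return set()
    roles, visited = set(), set()
    def walk(entry_dn, depth):
        filt = opts["roleFilter"].replace("{0}", username).replace("{1}", entry_dn)
        for dn in search(opts["rolesCtxDN"], filt):
            for value in DIRECTORY[dn].get(opts["roleAttributeID"], []):
                if opts.get("roleAttributeIsDN") == "true":  # value is a group DN
                    roles.update(DIRECTORY.get(value, {}).get(opts["roleNameAttributeID"], []))
                else:
                    roles.add(value)
            if depth < int(opts.get("roleRecursion", "0")) and dn not in visited:
                visited.add(dn)
                walk(dn, depth + 1)
    walk(users[0], 0)
    return roles

OPTION_1 = {"baseCtxDN": "DC=DOMAIN,DC=com", "baseFilter": "(sAMAccountName={0})",
            "rolesCtxDN": "DC=DOMAIN,DC=com", "roleFilter": "(sAMAccountName={0})",
            "roleAttributeID": "memberOf", "roleAttributeIsDN": "true", "roleNameAttributeID": "cn"}
OPTION_2 = {"baseCtxDN": "DC=DOMAIN,DC=com", "baseFilter": "(sAMAccountName={0})",
            "rolesCtxDN": "DC=DOMAIN,DC=com", "roleFilter": "(member={1})", "roleRecursion": "5", "roleAttributeID": "cn"}
```

<p>Option 1 yields only the directly held group name, while Option 2 also walks nested groups up to <code>roleRecursion</code> levels; either way, the names the module produces are the group <code>cn</code> values, which must match the <code>role-name</code> in web.xml exactly, including case.</p>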

</td>
                        </tr>
                    </tbody>
                </table>


                </td>
            </tr>
        </tbody>
    </table>

</div>

</body>
</html>