Scott M Stark updated JBAS-3301:
--------------------------------
Issue Type: Patch (was: Support Patch)
Workflow: jira (was: JEMS Support Case Workflow v6)
Support Case Reference: (was:
LDAP/AD authentication "follow the memberOf chain"
--------------------------------------------------
Key: JBAS-3301
URL: http://jira.jboss.com/jira/browse/JBAS-3301
Project: JBoss Application Server
Issue Type: Patch
Security Level: Public(Everyone can see)
Components: Security
Affects Versions: JBossAS-4.0.4.GA
Reporter: Rafael Van Durm
Assigned To: Scott M Stark
Attachments: ADLoginModule.java
For LDAP authentication, there are 2 possibilities for now:
- org.jboss.security.auth.spi.LdapLoginModule
- org.jboss.security.auth.spi.LdapExtLoginModule
Both do not support (as far as I understand) the "follow the memberOf chain"
style of finding role definitions ...
For example: authentication and authorisation for raf

CN=raf,OU=People,DC=uz,DC=kuleuven,DC=ac,DC=be
    memberOf: CN=inf_iedereen,OU=Informatiesystemen,OU=Groups,DC=uz,DC=kuleuven,DC=ac,DC=be
    ...
CN=inf_iedereen,OU=Informatiesystemen,OU=Groups,DC=uz,DC=kuleuven,DC=ac,DC=be
    member: CN=raf,OU=People,DC=uz,DC=kuleuven,DC=ac,DC=be
    memberOf: CN=web-gevonden,OU=WebRollen,OU=Groups,DC=uz,DC=kuleuven,DC=ac,DC=be
    ...
CN=web-gevonden,OU=WebRollen,OU=Groups,DC=uz,DC=kuleuven,DC=ac,DC=be
    member: CN=inf_iedereen,OU=Informatiesystemen,OU=Groups,DC=uz,DC=kuleuven,DC=ac,DC=be

would result in group membership (=roles)
    inf_iedereen
    web-gevonden
I implemented this authorisation scheme quickly and attached the code over here ...
Maybe also interesting for other people?
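The "follow the memberOf chain" resolution described in this issue, as an added example; it is not the attached ADLoginModule.java and not JBoss code. The in-memory DIRECTORY map stands in for LDAP lookups, and the MAX_GROUPS cap and the circular memberOf on web-gevonden are constructed assumptions that go beyond the issue text, added to show the guard that nested-group traversal needs so a looped or oversized group graph cannot stall a login.

```java
import java.util.*;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

public class MemberOfChain {
    // Constructed stand-in for the directory: entry DN -> its memberOf values.
    // A real login module would fetch these attributes with one LDAP read per DN.
    static final String BASE = "DC=uz,DC=kuleuven,DC=ac,DC=be";
    static final String RAF = "CN=raf,OU=People," + BASE;
    static final String INF = "CN=inf_iedereen,OU=Informatiesystemen,OU=Groups," + BASE;
    static final String WEB = "CN=web-gevonden,OU=WebRollen,OU=Groups," + BASE;
    static final Map<String, List<String>> DIRECTORY = Map.of(
        RAF, List.of(INF),
        INF, List.of(WEB),
        WEB, List.of(INF)); // constructed circular nesting, to exercise the guard

    static final int MAX_GROUPS = 256; // hypothetical cap on groups followed per login

    /** Returns the CN of every group reachable from userDn by following memberOf. */
    static Set<String> resolveRoles(String userDn) throws InvalidNameException {
        Set<LdapName> seen = new HashSet<>();   // LdapName equality ignores case
        Set<String> roles = new LinkedHashSet<>();
        Deque<String> queue = new ArrayDeque<>(List.of(userDn));
        while (!queue.isEmpty()) {
            String dn = queue.poll();
            for (String groupDn : DIRECTORY.getOrDefault(dn, List.of())) {
                LdapName name = new LdapName(groupDn);   // rejects malformed DNs
                if (!seen.add(name)) continue;           // already followed: breaks cycles
                if (seen.size() > MAX_GROUPS)
                    throw new IllegalStateException("memberOf chain too large for " + userDn);
                Rdn leaf = name.getRdn(name.size() - 1); // leftmost RDN, e.g. CN=inf_iedereen
                if (leaf.getType().equalsIgnoreCase("CN"))
                    roles.add(leaf.getValue().toString());
                queue.add(groupDn);                      // follow this group's own memberOf
            }
        }
        return roles;
    }

    public static void main(String[] args) throws InvalidNameException {
        System.out.println(resolveRoles(RAF));
    }
}
```

Parsing each DN with LdapName rather than splitting on commas keeps escaped commas inside a CN from producing a wrong role name.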