I have been on a big quest as well to get this working. The documentation leaves a lot to be
desired, but here is what I did to get it working.
First, a basic LDAP schema:
| # Base
| dn: dc=foo,dc=bar
| dc: foo
| objectClass: top
| objectClass: dcObject
| objectClass: organization
| o: Foo Bar
|
| # LDAP admin user (single colon = plain-text value; "::" would mean a base64 value)
| dn: cn=admin,dc=foo,dc=bar
| userPassword: secret
| description: LDAP administrator
| objectClass: simpleSecurityObject
| objectClass: organizationalRole
| cn: admin
|
| # People ou where we attach the users
| dn: ou=People,dc=foo,dc=bar
| ou: People
| objectClass: top
| objectClass: organizationalUnit
|
| # A basic inetOrgPerson
| dn: cn=Test User,ou=People,dc=foo,dc=bar
| sn: Test
| userPassword: secret
| mail: test@foo.bar
| displayName: Test User
| objectClass: top
| objectClass: person
| objectClass: organizationalPerson
| objectClass: inetOrgPerson
| uid: test
| cn: Test User
|
| # The ou where we attach roles/groups
| dn: ou=roles,dc=foo,dc=bar
| ou: roles
| objectClass: top
| objectClass: organizationalUnit
|
| # A test group member of roles ou
| dn: cn=TestGroup,ou=roles,dc=foo,dc=bar
| ou: TestGroup
| objectClass: top
| objectClass: groupOfUniqueNames
| # uniqueMember must be the member's full DN, not a DN relative to the base
| uniqueMember: cn=Test User,ou=People,dc=foo,dc=bar
| cn: TestGroup
|
Now the important part is of course the jboss-sso.sar/conf/sso.cfg.xml file. For the LDAP
schema above this would look like this:
| <?xml version='1.0' encoding='ISO-8859-1'?>
|
| <jboss-sso>
|   <identity-management>
|     <login>
|       <provider id="si:jboss-sso:ldap:login" class="org.jboss.security.idm.ldap.LDAPIdentityProvider">
|         <!-- the '&' separators in the URL must be written as '&amp;' inside XML -->
|         <property name="connectionURL">jdbc:ldap://ldap.domain.com:389/dc=foo,dc=bar?SEARCH_SCOPE:=subTreeScope&amp;secure:=false&amp;concat_atts:=true&amp;size_limit:=10000000</property>
|         <property name="username">cn=admin,dc=foo,dc=bar</property>
|         <property name="password">secret</property>
|         <!-- ou that contains all your inetOrgPersons -->
|         <property name="identityOu">People</property>
|         <!-- ou that contains your groups -->
|         <property name="roleOu">roles</property>
|       </provider>
|     </login>
|     <!--login>
|       <provider id="si:jboss-sso:demo:login" class="org.jboss.security.idm.demo.DemoLoginProvider"/>
|     </login-->
|   </identity-management>
|   <sso-processor>
|     <processor class="org.jboss.security.saml.JBossSingleSignOn">
|       <!-- Conf this to your sso jboss server -->
|       <property name="trustServer">http://sso-jboss.domain.com:8080/federate/trust</property>
|     </processor>
|   </sso-processor>
| </jboss-sso>
|
Really important here is to verify that you have set identityOu and roleOu to the right
values. If there is an error here you will get "No such object" JDBC errors,
which of course is an LDAP error telling you it can't find the ou. I use OpenLDAP and
set the loglevel property to 265, which makes debugging jboss-sso a whole lot easier.
If you tail the LDAP log and start the SSO service you should see jboss-sso connecting and
scanning in the roles. If so, and you can confirm the SSO startup in the JBoss server.log,
you are done.
Hope this helps
View the original post :
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4037902#...
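Added here as a worked example (not code from the original post or from jboss-sso): an offline pre-flight check that the identityOu and roleOu values from sso.cfg.xml really exist under the base DN in the LDIF about to be loaded, and that every uniqueMember is the full DN of an existing entry, so the "No such object" failure described above is caught before the SSO service ever binds. The LDIF is constructed to mirror the post's schema, and the function names are assumptions of this example.

```python
import re

# Constructed LDIF mirroring the post's schema (only the attributes the check needs).
LDIF = """\
dn: ou=People,dc=foo,dc=bar
objectClass: organizationalUnit

dn: cn=Test User,ou=People,dc=foo,dc=bar
objectClass: inetOrgPerson

dn: ou=roles,dc=foo,dc=bar
objectClass: organizationalUnit

dn: cn=TestGroup,ou=roles,dc=foo,dc=bar
objectClass: groupOfUniqueNames
uniqueMember: cn=Test User,ou=People
"""

def norm_dn(dn):
    """Normalise a DN for comparison: lower-case, no spaces around commas."""
    return ",".join(part.strip() for part in dn.split(",")).lower()

def parse_ldif(text):
    """Return {normalised dn: {attr: [values]}} for each entry in the LDIF."""
    entries = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            name, _, value = line.partition(":")
            attrs.setdefault(name.strip(), []).append(value.strip())
        entries[norm_dn(attrs["dn"][0])] = attrs
    return entries

def check_sso_config(ldif_text, base_dn, identity_ou, role_ou):
    """List what jboss-sso would trip over: a missing identity/role ou under the
    base DN ("No such object") or a group member that is not an existing full DN."""
    entries = parse_ldif(ldif_text)
    problems = []
    for ou in (identity_ou, role_ou):
        if norm_dn(f"ou={ou},{base_dn}") not in entries:
            problems.append(f"No such object: ou={ou},{base_dn}")
    for dn, attrs in entries.items():
        if "groupOfUniqueNames" in attrs.get("objectClass", []):
            for member in attrs.get("uniqueMember", []):
                if norm_dn(member) not in entries:
                    problems.append(f"{dn}: uniqueMember {member!r} is not the DN of an existing entry")
    return problems
```

Run with the LDIF as posted and it reports the relative uniqueMember; run with a mistyped ou name and it reports the same missing object the LDAP server would.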