I'm not a JBoss programmer, but I do need help trying to configure JBoss for a JBoss
application that authenticates to our Novell eDirectory LDAP tree. What I can't figure
out is how to authenticate a user quickly if they reside in one of many OUs. For example,
a user's DN might be cn=jdoe,ou=Staff,ou=CO,O=NISD. A user at another campus might be
cn=jsmith,ou=Staff,ou=NHS,O=NISD. We have figured out how to stack multiple login modules
using the "optional" flag so that it tries to authenticate the user against each
possible OU. Also, the useFirstPass option means that once the user authenticates in one
module, the rest of the optional modules are skipped. An example:
<login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="optional">
  <!-- reuse the username/password an earlier module placed in the shared state -->
  <module-option name="password-stacking">useFirstPass</module-option>
  <module-option name="java.naming.provider.url">ldap://[server]:389</module-option>
  <module-option name="java.naming.security.authentication">simple</module-option>
  <!-- bind DN is built as principalDNPrefix + username + principalDNSuffix -->
  <module-option name="principalDNPrefix">cn=</module-option>
  <module-option name="principalDNSuffix">,ou=staff,ou=CO,O=NISD</module-option>
  <!-- refuse empty passwords: an empty-password bind is treated as anonymous by many directories -->
  <module-option name="allowEmptyPasswords">false</module-option>
</login-module>

<login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="optional">
  <module-option name="password-stacking">useFirstPass</module-option>
  <module-option name="java.naming.provider.url">ldap://[server]:389</module-option>
  <module-option name="java.naming.security.authentication">simple</module-option>
  <module-option name="principalDNPrefix">cn=</module-option>
  <module-option name="principalDNSuffix">,ou=staff,ou=NHS,O=NISD</module-option>
  <module-option name="allowEmptyPasswords">false</module-option>
</login-module>

The tricky part is that we have users in 19 different OUs, and each authentication attempt
takes 3 seconds. So anyone in an OU at the bottom of the stacked list takes 57 seconds (19
* 3) to authenticate. Also, anyone entering a bad password has to wait 57 seconds to find
out, since the stacked list has to go to the bottom to make sure none of the modules
succeeded.
Is there a way to do this with one module that does a subtree search instead of one module
for each OU? The documented subtree options only seem to apply to role queries, not user
authentication. In this case, our role query is done against a database, and we only need
to check the user's name and password. I know LDAP URLs have syntax for subtree
searches, but trying to embed the syntax in the provider, principalDNPrefix, or
principalDNSuffix options hasn't worked.
View the original post:
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4205753#...
Reply to the post:
http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...
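The configuration below is an added example, not part of the original post or of a JBoss reply to it. It shows the usual way to replace a stack of per-OU LdapLoginModule entries with a single org.jboss.security.auth.spi.LdapExtLoginModule that binds once as a read-only service account, searches the whole O=NISD subtree for the user's entry, and then binds as the DN it found with the password the user supplied. One caveat worth knowing before tuning the stacked approach further: JAAS invokes every login module in the stack during the login phase regardless of its flag, so "optional" plus useFirstPass does not stop after the first successful bind, which is consistent with the 57-second timings described above. The application-policy name, the service-account DN and credential, the ou=Groups container, the datasource JNDI name and the rolesQuery are assumptions made up for this example; the roles are left to the existing database module, as the post describes.

```xml
<!-- Added example: one subtree-search module instead of nineteen per-OU modules.
     Policy name, bind account, group container, datasource and query are assumed. -->
<application-policy name="nisd-ldap">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
      <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
      <!-- ldaps rather than ldap://...:389 so the simple bind does not send the password in clear -->
      <module-option name="java.naming.provider.url">ldaps://[server]:636</module-option>
      <module-option name="java.naming.security.authentication">simple</module-option>
      <!-- read-only service account used only to locate the user's entry (assumed DN/credential) -->
      <module-option name="bindDN">cn=jboss-svc,ou=Services,O=NISD</module-option>
      <module-option name="bindCredential">changeme</module-option>
      <!-- search the entire organization; {0} is replaced by the login name -->
      <module-option name="baseCtxDN">O=NISD</module-option>
      <module-option name="baseFilter">(cn={0})</module-option>
      <module-option name="searchScope">SUBTREE_SCOPE</module-option>
      <!-- bound the search so a slow directory cannot hang the login (milliseconds) -->
      <module-option name="searchTimeLimit">5000</module-option>
      <!-- still refuse empty passwords: an empty-password bind is anonymous, not a failure -->
      <module-option name="allowEmptyPasswords">false</module-option>
      <!-- role search runs against an assumed group container; {1} is the user's DN -->
      <module-option name="rolesCtxDN">ou=Groups,O=NISD</module-option>
      <module-option name="roleFilter">(member={1})</module-option>
      <module-option name="roleAttributeID">cn</module-option>
      <!-- hand the verified username/password to the database module for its role lookup -->
      <module-option name="password-stacking">useFirstPass</module-option>
    </login-module>

    <!-- existing database role lookup; datasource name and query are assumed -->
    <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
      <module-option name="password-stacking">useFirstPass</module-option>
      <module-option name="dsJndiName">java:/NisdDS</module-option>
      <module-option name="rolesQuery">select Role, 'Roles' from UserRoles where PrincipalID=?</module-option>
    </login-module>
  </authentication>
</application-policy>
```

With this layout a login costs one service-account bind, one indexed subtree search and one user bind, whichever campus the user belongs to, and a wrong password fails after a single bind instead of after nineteen. Two things to check in eDirectory before deploying: the service account needs read rights over every ou=Staff container (and over the group container, if you keep the LDAP role search), and cn must be unique across all nineteen OUs, since two campuses each holding a jdoe would make the search ambiguous; if it is not unique, search on an attribute that is.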