I'm wondering if it is possible to authenticate users against one ldap server, but
then obtain roles for the same user from a different ldap server. The passwords in these
two ldap servers are different. The first ldap server has the correct password, but only
the second ldap server has the correct role information
I have tried to set this up using a login-config.xml file that has been excerpted below.
If I use only the first login-module, I get authenticated properly, but the application
does not get the necessary roles. When I include both login-modules I get what appears to
be a password failure no matter which password (ldap1 or ldap2) that I use.
Does anyone know if this is possible and how to do it?
Thanks, Doug
| <application-policy name="AppName">
| <authentication>
| <login-module code="org.jboss.security.auth.spi.LdapLoginModule"
flag="required">
| <module-option
name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
| <module-option
name="java.naming.provider.url">ldap://ldap1.domain.com:389/</module-option>
| <module-option
name="java.naming.security.authentication">simple</module-option>
| <module-option
name="principalDNPrefix">uid=</module-option>
| <module-option
name="principalDNSuffix">,cn=users,dc=domain,dc=com</module-option>
| <module-option
name="allowEmptyPasswords">false</module-option>
| </login-module>
| <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule"
flag="required" >
| <module-option
name="java.naming.provider.url">ldap://ldap2:389</module-option>
| <module-option
name="bindDN">uid=admin,ou=people,dc=domain,dc=com</module-option>
| <module-option
name="bindCredential">adminapassword</module-option>
| <module-option
name="baseCtxDN">ou=people,o=Organization,dc=domain,dc=com</module-option>
| <module-option
name="baseFilter">(uid={0})</module-option>
| <module-option
name="rolesCtxDN">ou=people,o=Organization,dc=domain,dc=com</module-option>
| <module-option
name="roleFilter">(uid={0})</module-option>
| <module-option
name="roleAttributeID">nsRoleDN</module-option>
| <module-option
name="roleAttributeIsDN">true</module-option>
| <module-option
name="roleNameAttributeID">cn</module-option>
| <module-option name="roleRecursion">-1</module-option>
| <module-option
name="searchScope">ONELEVEL_SCOPE</module-option>
| </login-module>
| </authentication>
| </application-policy>
|
View the original post :
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4036138#...
Reply to the post :
http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...