[jboss-user] [Security & JAAS/JBoss] - Stacking login modules or writing a custom login module?

zzzz8 do-not-reply at jboss.com
Fri Sep 22 03:28:19 EDT 2006


My company has two LDAP environments in use.  One LDAP environment is used to authenticate users.  The second LDAP environment is used to retrieve role information.  I have already configured my first login module to authenticate a user (I'm using LdapExtLoginModule).  However, I'm not sure how to configure the second login module to retrieve role information from the second LDAP environment.  I'm using form authentication.

Normally, I believe this would be fairly easy to use.  However, the second LDAP environment that I need to access the role information is a bit unusual (at least in my opinion - however, I'm a newbie, so I may be wrong in my assessment).  Normally, one would provide the username and then perform a role search based on that username.  However, the second LDAP environment actually stores role information based on another attribute - a user ID number.  This attribute is stored as an attribute on the first LDAP environment.  However, how can one retrieve this user ID number attribute from the first LDAP environment and pass it to the next stacked login module (the second LDAP environment) for use in the search for roles?

To make this a little more concrete, I have an example of what I want to happen:

The user would login with a username and password on a web page.  The LdapExtLoginModule would retrieve the username and password information, pass it to my first LDAP environment for binding, checking for the username/password combination.  After the user is authenticated (if the username/password combination checks out), I would like to retrieve an attribute (user ID number) for that user.  This user ID number would be passed to the second LDAP environment to be used in the search for user roles.

Thus the user ID number is passed to the second LDAP environment and somehow used in a search.  The second LDAP environment's schema is similar to the following (here's an example):

cn=role
userIDnum=1234,2345,3456

So in this case, a group "role" has member 1234, 2345, and 3456.  Thus, I have three users that have user ID numbers 1234, 2345, and 3456.  There could be another role:

cn=role2
userIDNum=1234

In this case, we have another role but only a user with a user ID number of 1234 is a member of this role.  Unfortunately, this schema in the second LDAP environment does not use usernames, but user ID numbers instead to identify the members of this role...

With this situation, is it possible to stack the JBoss login modules to authenticate the user and retrieve role information for a user?  Or do I have to write a custom login module to accomplish this?  If so, how should I write the login module - e.g. extending an existing login module, etc.?  I would really appreciate the help.  Thanks!


View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3973482#3973482
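One way to do what the post describes, as an added example that is not from the original thread or from JBoss itself: a roles-only login module stacked after LdapExtLoginModule (which must carry password-stacking=useFirstPass so the authenticated identity lands in the shared state), reading the username from the shared state, looking up the userIDnum attribute in the first directory with a read-only service account, and then searching the second directory for role entries whose userIDnum attribute contains that number. The class name, the uid naming attribute and the option names (users.url, users.bindDN, users.bindCredential, users.baseCtxDN and the roles.* equivalents) are assumptions; the sharedState, options and loginOk fields and the two abstract methods come from JBoss's AbstractServerLoginModule base class.

```java
import java.security.Principal;
import java.security.acl.Group;
import java.util.*;
import javax.naming.*;
import javax.naming.directory.*;
import javax.security.auth.login.LoginException;
import org.jboss.security.*;
import org.jboss.security.auth.spi.AbstractServerLoginModule;

public class UserIdNumRolesLoginModule extends AbstractServerLoginModule {   // assumed class name
    private String username;
    public boolean login() throws LoginException {
        // The first (authenticating) module shared the identity under the standard JAAS key.
        Object name = sharedState.get("javax.security.auth.login.name");
        if (name == null) throw new LoginException("no identity shared by the authenticating module");
        username = (name instanceof Principal) ? ((Principal) name).getName() : name.toString();
        loginOk = true;  // JBoss base class: tells commit() to populate the Subject
        return true;
    }
    protected Principal getIdentity() { return new SimplePrincipal(username); }
    protected Group[] getRoleSets() throws LoginException {
        SimpleGroup roles = new SimpleGroup("Roles");  // "Roles" is the group name JBoss authorizes on
        try {
            // Step 1: read the user's ID number from the authenticating directory (uid is assumed).
            NamingEnumeration<SearchResult> u = search("users.", "(uid={0})", username);
            if (!u.hasMore()) throw new LoginException("no userIDnum for " + username);
            String idNum = (String) u.next().getAttributes().get("userIDnum").get();
            // Step 2: every role entry whose multi-valued userIDnum attribute contains that number.
            NamingEnumeration<SearchResult> r = search("roles.", "(userIDnum={0})", idNum);
            while (r.hasMore())
                roles.addMember(new SimplePrincipal((String) r.next().getAttributes().get("cn").get()));
        } catch (NamingException e) {
            throw new LoginException("role lookup failed: " + e.getMessage());
        }
        return new Group[] { roles };
    }
    // Binds with a read-only service account (assumed option names) and runs a parameterised
    // search: {0} is escaped by JNDI, so the username cannot alter the filter.
    private NamingEnumeration<SearchResult> search(String p, String filter, String arg)
            throws NamingException {
        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, (String) options.get(p + "url"));
        env.put(Context.SECURITY_PRINCIPAL, (String) options.get(p + "bindDN"));
        env.put(Context.SECURITY_CREDENTIALS, (String) options.get(p + "bindCredential"));
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
        return new InitialDirContext(env).search((String) options.get(p + "baseCtxDN"), filter, new Object[] { arg }, sc);
    }
}
```

Declare it in login-config.xml as a second login-module with flag="required" directly after the LdapExtLoginModule entry, passing the users.* and roles.* options as module-option elements.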



