[jboss-user] [Security & JAAS/JBoss] - authentication and roles from 2 different ldap servers?

dbarker do-not-reply at jboss.com
Tue Apr 10 17:10:04 EDT 2007


I'm wondering if it is possible to authenticate users against one ldap server, but then obtain roles for the same user from a different ldap server. The passwords in these two ldap servers are different. The first ldap server has the correct password, but only the second ldap server has the correct role information.

I have tried to set this up using a login-config.xml file that has been excerpted below.
If I use only the first login-module, I get authenticated properly, but the application does not get the necessary roles. When I include both login-modules I get what appears to be a password failure no matter which password (ldap1 or ldap2) I use.

Does anyone know if this is possible and how to do it?

Thanks, Doug


  <application-policy name="AppName">
    <authentication>
      <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">
        <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
        <module-option name="java.naming.provider.url">ldap://ldap1.domain.com:389/</module-option>
        <module-option name="java.naming.security.authentication">simple</module-option>
        <module-option name="principalDNPrefix">uid=</module-option>
        <module-option name="principalDNSuffix">,cn=users,dc=domain,dc=com</module-option>
        <module-option name="allowEmptyPasswords">false</module-option>
      </login-module>
      <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
        <module-option name="java.naming.provider.url">ldap://ldap2:389</module-option>
        <module-option name="bindDN">uid=admin,ou=people,dc=domain,dc=com</module-option>
        <module-option name="bindCredential">adminapassword</module-option>
        <module-option name="baseCtxDN">ou=people,o=Organization,dc=domain,dc=com</module-option>
        <module-option name="baseFilter">(uid={0})</module-option>
        <module-option name="rolesCtxDN">ou=people,o=Organization,dc=domain,dc=com</module-option>
        <module-option name="roleFilter">(uid={0})</module-option>
        <module-option name="roleAttributeID">nsRoleDN</module-option>
        <module-option name="roleAttributeIsDN">true</module-option>
        <module-option name="roleNameAttributeID">cn</module-option>
        <module-option name="roleRecursion">-1</module-option>
        <module-option name="searchScope">ONELEVEL_SCOPE</module-option>
      </login-module>
    </authentication>
  </application-policy>


View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4036138#4036138

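Added example, not part of the original post and not code from the JBoss project. Both modules in the posted configuration are flag="required" and both try to bind to their own directory with the password the user typed, so the second bind fails against ldap2, whose password differs. One way to get the roles without ever binding as the user on ldap2 is a custom JAAS login module that only does a role lookup: the first (authenticating) module is given password-stacking=useFirstPass so that it leaves the authenticated user name in the shared state under the standard key javax.security.auth.login.name, and the second module reads that name, searches ldap2 with the service account from bindDN/bindCredential, and adds the roles to the Subject as the "Roles" group JBoss expects. The class name example.auth.LdapRolesOnlyLoginModule and the module-option names it reads (reused from the post's second login-module) are assumptions; the code targets the JBoss 4.x API (org.jboss.security.SimpleGroup/SimplePrincipal, java.security.acl.Group) that was current for this thread.

```java
// Added example (not from the post or from JBoss): a roles-only JAAS LoginModule.
// Assumed login-config.xml, option names reused from the post's second module:
//
//   <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">
//     ... options as in the post ...
//     <module-option name="password-stacking">useFirstPass</module-option>
//   </login-module>
//   <login-module code="example.auth.LdapRolesOnlyLoginModule" flag="required">
//     <module-option name="java.naming.provider.url">ldap://ldap2:389</module-option>
//     <module-option name="bindDN">uid=admin,ou=people,dc=domain,dc=com</module-option>
//     <module-option name="bindCredential">adminapassword</module-option>
//     <module-option name="baseCtxDN">ou=people,o=Organization,dc=domain,dc=com</module-option>
//     <module-option name="roleAttributeID">nsRoleDN</module-option>
//   </login-module>
package example.auth; // hypothetical package name

import java.security.Principal;
import java.security.acl.Group;
import java.util.Hashtable;
import java.util.Map;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
import org.jboss.security.SimpleGroup;
import org.jboss.security.SimplePrincipal;

public class LdapRolesOnlyLoginModule implements LoginModule {
    // Key under which JBoss's password-stacking leaves the authenticated user name.
    private static final String NAME_KEY = "javax.security.auth.login.name";

    private Subject subject;
    private Map sharedState;
    private Map options;
    private Group roles;      // the "Roles" group added to the Subject in commit()
    private boolean loginOk;

    public void initialize(Subject subject, CallbackHandler handler,
                           Map sharedState, Map options) {
        this.subject = subject;
        this.sharedState = sharedState;
        this.options = options;
    }

    public boolean login() throws LoginException {
        // Trust only a name that the preceding module has already authenticated;
        // this module never sees or checks the user's password.
        Object name = sharedState.get(NAME_KEY);
        if (name == null) {
            throw new LoginException("no authenticated user in shared state; "
                + "set password-stacking=useFirstPass on the authenticating module");
        }
        String uid = (name instanceof Principal) ? ((Principal) name).getName()
                                                 : name.toString();
        roles = lookupRoles(uid);
        loginOk = true;
        return true;
    }

    public boolean commit() {
        if (!loginOk) return false;
        subject.getPrincipals().add(roles);   // JBoss reads the group named "Roles"
        return true;
    }

    public boolean abort() { roles = null; loginOk = false; return true; }

    public boolean logout() {
        if (roles != null) subject.getPrincipals().remove(roles);
        return true;
    }

    // Search the second directory as the service account and collect role names.
    private Group lookupRoles(String uid) throws LoginException {
        Hashtable env = new Hashtable();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, option("java.naming.provider.url"));
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, option("bindDN"));          // service account,
        env.put(Context.SECURITY_CREDENTIALS, option("bindCredential")); // not the user
        String roleAttr = option("roleAttributeID");
        Group group = new SimpleGroup("Roles");
        DirContext ctx = null;
        try {
            ctx = new InitialDirContext(env);
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.ONELEVEL_SCOPE);
            sc.setReturningAttributes(new String[] { roleAttr });
            // uid is passed as a filter argument so JNDI escapes it (no filter injection).
            NamingEnumeration results =
                ctx.search(option("baseCtxDN"), "(uid={0})", new Object[] { uid }, sc);
            while (results.hasMore()) {
                Attribute attr = ((SearchResult) results.next()).getAttributes().get(roleAttr);
                if (attr == null) continue;
                for (NamingEnumeration vals = attr.getAll(); vals.hasMore();) {
                    // nsRoleDN values are DNs; the role name is the value of the last RDN (cn).
                    LdapName dn = new LdapName(vals.next().toString());
                    Rdn last = dn.getRdn(dn.size() - 1);
                    group.addMember(new SimplePrincipal(last.getValue().toString()));
                }
            }
        } catch (NamingException e) {
            throw new LoginException("role lookup on second directory failed: " + e.getMessage());
        } finally {
            if (ctx != null) try { ctx.close(); } catch (NamingException ignore) { }
        }
        return group;
    }

    private String option(String key) throws LoginException {
        Object v = options.get(key);
        if (v == null) throw new LoginException("missing module option: " + key);
        return v.toString();
    }
}
```

Because this module never binds with the user's credentials, the differing password on ldap2 no longer matters, and the bindCredential stays a read-only service account that only needs search rights on the role attribute. If the role lookup should not be fatal when ldap2 is down, make the second module flag="optional" instead of "required"; with "required" an unreachable ldap2 fails the whole login.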