[jboss-user] [Security & JAAS/JBoss] - Re: Single Sign On with LDAP Examples

thomascremers do-not-reply at jboss.com
Tue Apr 17 05:32:56 EDT 2007


I have been on a big quest as well to get this working. The documentation leaves a lot to be desired, but here is what I did to get it working.

First, a basic LDAP schema:

  | # Base
  | dn: dc=foo,dc=bar
  | dc: foo
  | objectClass: top
  | objectClass: dcObject
  | objectClass: organization
  | o: Foo Bar
  | 
  | # LDAP admin user (the bind account used in sso.cfg.xml)
  | dn: cn=admin, dc=foo,dc=bar
  | # single colon: the value is the literal password ('::' would mean base64)
  | userPassword: secret
  | description: LDAP administrator
  | objectClass: simpleSecurityObject
  | objectClass: organizationalRole
  | cn: admin
  | 
  | # People ou where we attach the users
  | dn: ou=People, dc=foo,dc=bar
  | ou: People
  | objectClass: top
  | objectClass: organizationalUnit
  | 
  | # A basic inetOrgPerson
  | dn: cn=Test User,ou=People, dc=foo,dc=bar
  | sn: Test
  | userPassword: secret
  | mail: test@foo.bar
  | displayName: Test User
  | objectClass: top
  | objectClass: person
  | objectClass: organizationalPerson
  | objectClass: inetOrgPerson
  | uid: test
  | cn: Test User
  | 
  | # The ou where we attach roles/groups
  | dn: ou=roles, dc=foo,dc=bar
  | ou: roles
  | objectClass: top
  | objectClass: organizationalUnit
  | 
  | # A test group member of roles ou
  | dn: cn=TestGroup,ou=roles, dc=foo,dc=bar
  | ou: TestGroup
  | objectClass: top
  | objectClass: groupOfUniqueNames
  | # members are referenced by their full DN
  | uniqueMember: cn=Test User,ou=People,dc=foo,dc=bar
  | cn: TestGroup

Now the important part is of course the jboss-sso.sar/conf/sso.cfg.xml file. For the LDAP schema above this would look like this:


  | <?xml version='1.0' encoding='ISO-8859-1'?>
  | 
  | <jboss-sso>
  |     <identity-management>
  |         <login>
  |             <provider id="si:jboss-sso:ldap:login" class="org.jboss.security.idm.ldap.LDAPIdentityProvider">
  |                 <!-- '&' inside XML text must be written as '&amp;' -->
  |                 <property name="connectionURL">jdbc:ldap://ldap.domain.com:389/dc=foo,dc=bar?SEARCH_SCOPE:=subTreeScope&amp;secure:=false&amp;concat_atts:=true&amp;size_limit:=10000000</property>
  |                 <property name="username">cn=admin,dc=foo,dc=bar</property>
  |                 <property name="password">secret</property>
  |                 <!-- ou that contains all your inetOrgPersons -->
  |                 <property name="identityOu">People</property>
  |                 <!-- ou that contains your groups -->
  |                 <property name="roleOu">roles</property>
  |             </provider>
  |         </login>
  |         <!--login>
  |             <provider id="si:jboss-sso:demo:login" class="org.jboss.security.idm.demo.DemoLoginProvider"/>
  |         </login-->
  |     </identity-management>
  |     <sso-processor>
  |         <processor class="org.jboss.security.saml.JBossSingleSignOn">
  |             <!-- Point this at your SSO JBoss server -->
  |             <property name="trustServer">http://sso-jboss.domain.com:8080/federate/trust</property>
  |         </processor>
  |     </sso-processor>
  | </jboss-sso>

Really important here is to verify that you have set identityOu and roleOu to the right values. If there is an error here you will get "No such object" jdbc errors, which of course is an LDAP error telling you it can't find the ou. I use openldap and set the loglevel property to 265, which makes debugging jboss-sso a whole lot easier.

If you tail the LDAP log and start the SSO service, you should see jboss-sso connecting and scanning in the roles. If so, and you can confirm the SSO startup in the JBoss server.log, you are done.

Hope this helps.



View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4037902#4037902
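As an added check (not part of the original post or of jboss-sso), the script below validates an LDIF export against sso.cfg.xml offline and reports the misconfigurations that otherwise only surface as "No such object" at startup: an identityOu or roleOu that does not exist under the base DN of connectionURL, a uniqueMember that is not the full DN of an existing entry, and a bare & in the URL (which must be &amp; in XML). It assumes the LDIF has no continuation lines and that the base DN is the path part of the jdbc:ldap URL; the sample data is constructed from the post.

```python
import base64, re, xml.etree.ElementTree as ET
# Constructed sample input: the schema and sso.cfg.xml from the post, trimmed to essentials.
LDIF = """\
dn: cn=admin, dc=foo,dc=bar
dn: ou=People, dc=foo,dc=bar
dn: cn=Test User,ou=People, dc=foo,dc=bar
dn: ou=roles, dc=foo,dc=bar
dn: cn=TestGroup,ou=roles, dc=foo,dc=bar
uniqueMember: cn=Test User,ou=People,dc=foo,dc=bar
"""
SSO_CFG = """\
<jboss-sso><identity-management><login><provider id="si:jboss-sso:ldap:login" class="x">
<property name="connectionURL">jdbc:ldap://ldap.domain.com:389/dc=foo,dc=bar?SEARCH_SCOPE:=subTreeScope&amp;secure:=false</property>
<property name="username">cn=admin,dc=foo,dc=bar</property><property name="password">secret</property>
<property name="identityOu">People</property><property name="roleOu">roles</property>
</provider></login></identity-management></jboss-sso>
"""

def norm(dn):  # trim spaces around RDNs and case-fold: 'cn=admin, dc=foo' == 'cn=admin,dc=foo'
    return ','.join(p.strip() for p in dn.split(',')).casefold()

def parse_ldif(text):  # minimal LDIF reader -> {dn: {attr: [values]}}
    entries, cur = {}, None
    for line in text.splitlines():
        m = re.match(r'([\w;-]+)(::?) ?(.*)', line)
        if not m: continue  # blank line or '#' comment
        attr, sep, val = m.groups()
        if sep == '::':  # '::' introduces base64, so 'userPassword:: secret' raises here
            val = base64.b64decode(val, validate=True).decode()
        if attr == 'dn':
            cur = entries.setdefault(norm(val), {})
        else:
            cur.setdefault(attr, []).append(val)
    return entries

def check_sso_config(ldif_text, cfg_text):
    # ET.ParseError here means a bare '&' in connectionURL: it must be written as '&amp;'
    props = {p.get('name'): p.text.strip() for p in ET.fromstring(cfg_text).iter('property')}
    base = norm(props['connectionURL'].split('/', 3)[3].split('?')[0])  # -> dc=foo,dc=bar
    entries, problems = parse_ldif(ldif_text), []
    for key in ('identityOu', 'roleOu'):  # both ous must exist directly under the base DN
        if norm(f"ou={props[key]},{base}") not in entries:
            problems.append(f"{key}: ou={props[key]},{base} does not exist")
    role_ou = norm(f"ou={props['roleOu']},{base}")
    for dn, attrs in entries.items():  # every group member must be the full DN of a real entry
        for member in (attrs.get('uniqueMember', []) if dn.endswith(',' + role_ou) else []):
            if norm(member) not in entries:
                problems.append(f"{dn}: uniqueMember {member} does not resolve")
    return problems
```

Run it against `ldapsearch -LLL -b dc=foo,dc=bar` output and the deployed sso.cfg.xml before starting the SSO service; an empty list means the ou and group references line up.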
