[jboss-user] [Security & JAAS/JBoss] - Authentication against Active Directory using LdapExtLoginMo

paoloyx do-not-reply at jboss.com
Mon Oct 20 06:02:45 EDT 2008


Hello to everybody,

it's my first post in this forum, hope that you can help me...by the way, guys, you are doing a great work, thank you. :)
Here's my problem: i'm trying to authenticate against an Active Directory using the LdapExtLoginModule.
For example suppose that i've the following situation:


  | cn=MyUser,cn=Users,dc=MyDomain,dc=it
  | memberOf: CN=FirstGroup,CN=Users,dc=MyDomain,dc=it
  | ...
  | CN=FirstGroup,CN=Users,dc=MyDomain,dc=it
  | member: cn=MyUser,cn=Users,dc=MyDomain,dc=it
  | memberOf: CN=SecondGroup,CN=Users,dc=MyDomain,dc=it
  | ...
  | CN=SecondGroup,CN=Users,dc=MyDomain,dc=it
  | member: CN=FirstGroup,CN=Users,dc=MyDomain,dc=it
  | 

Here's my jboss login-xml configuration (pasted with the appropriate modifications directly from the web page http://www.jboss.org/community/docs/DOC-11251)...


  |  <application-policy name="ActiveDirectory">
  |       <authentication>
  | 	<login-module code="org.jboss.security.auth.spi.LdapExtLoginModule"
  |                       flag="required">
  |           <module-option name="java.naming.provider.url">
  |             ldap://MyHost:389/
  |           </module-option>
  | 	  <module-option name="bindDN">cn=AnAuthUser,cn=Users,dc=MyDomain,dc=it</module-option>
  | 	  <module-option name="bindCredential">ThePassword</module-option>
  | 	  <module-option name="baseCtxDN">
  |             cn=MyDomain,dc=MyDomain,dc=it
  |           </module-option>
  | 	  <module-option name="baseFilter">(sAMAccountName={0})</module-option>
  |           <module-option name="rolesCtxDN">
  |             cn=MyDomain,dc=MyDomain,dc=it
  |           </module-option>
  | 	  <module-option name="roleFilter">(sAMAccountName={0})</module-option>
  | 	  <module-option name="roleAttributeID">memberOf</module-option>
  |             <module-option name="roleAttributeIsDN">true</module-option>
  |             <module-option name="roleNameAttributeID">cn</module-option>
  | 	    <module-option name="roleRecursion">1</module-option>
  |             <module-option name="searchScope">ONELEVEL_SCOPE</module-option>
  | 	</login-module>
  |       </authentication>
  |     </application-policy>
  | 

Here's the question...for example, i configured the jmx console to be accessed only by users belonging to the group "SecondGroup", as seen before.
The jboss-web.xml file in the jmx-console.war/WEB-INF directory is:

  | <jboss-web>
  |    <!-- Uncomment the security-domain to enable security. You will
  |       need to edit the htmladaptor login configuration to setup the
  |       login modules used to authentication users.
  |       <security-domain>java:/jaas/jmx-console</security-domain>
  |    -->
  | <security-domain>java:/jaas/ActiveDirectory</security-domain>
  | </jboss-web>
  | 
and here is the web.xml file, in the same directory

  | <?xml version="1.0"?>
  | <!DOCTYPE web-app PUBLIC
  |    "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
  |    "http://java.sun.com/dtd/web-app_2_3.dtd">
  | 
  | <web-app>
  |    ...
  |    <security-constraint>
  |      <web-resource-collection>
  |        <web-resource-name>HtmlAdaptor</web-resource-name>
  |      <description>An example security config that only allows users with the
  |        role JBossAdmin to access the HTML JMX console web application
  |      </description>
  |      <url-pattern>/*</url-pattern>
  |      <http-method>GET</http-method>
  |      <http-method>POST</http-method>
  |      </web-resource-collection>
  |      
  |    <auth-constraint>
  |      <role-name>SecondGroup</role-name>
  |    </auth-constraint>
  |    </security-constraint>
  | 
  |    <login-config>
  |      <auth-method>BASIC</auth-method>
  |      <realm-name>JBoss JMX Console</realm-name>
  |  </login-config>
  |    
  |    <security-role>
  |      <role-name>SecondGroup</role-name>
  |  </security-role>
  | </web-app>
  | 
  | 

The user "MyUser" belongs to the group "FirstGroup", that in its turn belongs to the group "SecondGroup"....so i expected that it was possible to authenticate using that user, following the "memberOf chain":

MyUser ---(memberOf)---> FirstGroup ---(memberOf)---> SecondGroup

I was not able, however, to write a configuration that could accomplish this task...my question is if it is possible to do this thing, i'd be very glad if you could help me.

Best Regards,

Paolo

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4183174#4183174

Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=4183174



More information about the jboss-user mailing list