[jboss-user] [Beginner's Corner] - Re: Integrate JBoss 6 to AD - map groups to roles?

Stian Lund do-not-reply at jboss.com
Thu Jul 14 05:26:47 EDT 2011


Stian Lund [http://community.jboss.org/people/pathduck] created the discussion

"Re: Integrate JBoss 6 to AD - map groups to roles?"

To view the discussion, visit: http://community.jboss.org/message/615127#615127

--------------------------------------------------------------

Hello Ashutosh and thanks for the replies.

After a lot of trial and error I have made it work with the following application policy.

<!-- Application policy for ActiveDirectory -->
<application-policy name="ActiveDirectory">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
      <module-option name="java.naming.provider.url">ldap://ldaphost:389/</module-option>
      <module-option name="bindDN">CN=xxx,OU=xxx,DC=xxx,DC=xxx</module-option>
      <module-option name="bindCredential">xxx</module-option>
      <module-option name="baseCtxDN">OU=Users,OU=xxx,OU=xxx,DC=xxx,DC=xxx</module-option>
      <module-option name="baseFilter">(sAMAccountName={0})</module-option>
      <module-option name="rolesCtxDN">OU=Groups,OU=xxx,OU=xxx,DC=xxx,DC=xxx</module-option>
      <module-option name="roleFilter">(member={1})</module-option>
      <module-option name="roleAttributeID">CN</module-option>
      <module-option name="allowEmptyPasswords">false</module-option>
    </login-module>
    <login-module code="org.jboss.security.auth.spi.RoleMappingLoginModule" flag="required">
      <module-option name="password-stacking">useFirstPass</module-option>
      <module-option name="rolesProperties">props/roles.properties</module-option>
    </login-module>
  </authentication>
</application-policy>

The file roles.properties contains the mapping of AD groups to roles. This way I can map the application policy to be used in jboss-web.xml for the different apps (and admin/jmx-console) without having to edit the names of the application roles.

I have not however managed to map single users to roles, only groups, so I might look into the other module you posted.
Thanks for your help.

BTW allowEmptyPasswords is NASTY!  :D
--------------------------------------------------------------
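The two-module chain in the policy above, as an added example that is not part of the original post or of JBoss itself: an in-memory model of the LdapExtLoginModule user search (baseFilter, {0} = login name), the group search (roleFilter, {1} = the user's DN, roleAttributeID = CN) and the RoleMappingLoginModule lookup in roles.properties. DIRECTORY, the DNs and ROLES_PROPERTIES are constructed sample data; bind() models the AD behaviour behind the allowEmptyPasswords remark, where an empty password is accepted as an anonymous bind.

```python
# Added example (not the post's or JBoss's code): an in-memory model of the
# LdapExt + RoleMapping chain above; DIRECTORY and ROLES_PROPERTIES are constructed.
USERS = "OU=Users,OU=xxx,OU=xxx,DC=xxx,DC=xxx"
GROUPS = "OU=Groups,OU=xxx,OU=xxx,DC=xxx,DC=xxx"
ALICE, BOB = f"CN=alice,{USERS}", f"CN=bob,{USERS}"
DIRECTORY = {  # DN -> attributes (every value stored as a list, as LDAP does)
    ALICE: {"sAMAccountName": ["alice"], "userPassword": ["s3cret"]},
    BOB: {"sAMAccountName": ["bob"], "userPassword": ["hunter2"]},
    f"CN=AppAdmins,{GROUPS}": {"CN": ["AppAdmins"], "member": [ALICE]},
    f"CN=AppUsers,{GROUPS}": {"CN": ["AppUsers"], "member": [ALICE, BOB]},
}
ROLES_PROPERTIES = """\
# AD group CN = application roles (shape of props/roles.properties)
AppAdmins=admin,JBossAdmin
AppUsers=user
"""

def search(base_dn, ldap_filter):
    """Tiny LDAP subset: a single (attr=value) equality filter, subtree scope."""
    attr, value = ldap_filter.strip("()").split("=", 1)
    return [(dn, a) for dn, a in DIRECTORY.items()
            if dn.endswith("," + base_dn) and value in a.get(attr, [])]

def bind(dn, password):
    """Simple bind. AD treats an empty password as an anonymous bind that succeeds."""
    return password == "" or password in DIRECTORY[dn]["userPassword"]

def load_role_mapping(text):
    mapping = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            group, roles = line.split("=", 1)
            mapping[group.strip()] = [r.strip() for r in roles.split(",")]
    return mapping

def login(username, password, allow_empty_passwords=False):
    """Return the application roles for a successful login, or None on failure."""
    # allowEmptyPasswords=false is what stops the anonymous-bind case in bind().
    if password == "" and not allow_empty_passwords:
        return None
    # baseFilter (sAMAccountName={0}): {0} is the login name; exactly one hit expected.
    hits = search(USERS, f"(sAMAccountName={username})")
    if len(hits) != 1 or not bind(hits[0][0], password):
        return None
    user_dn = hits[0][0]
    # roleFilter (member={1}): {1} is the DN just found; roleAttributeID=CN names the group.
    groups = {a["CN"][0] for _, a in search(GROUPS, f"(member={user_dn})")}
    # RoleMappingLoginModule (password-stacking=useFirstPass) rewrites the group names.
    mapping = load_role_mapping(ROLES_PROPERTIES)
    return {role for g in groups for role in mapping.get(g, [])}
```

Calling login("alice", "", allow_empty_passwords=True) returns the full role set, which is the behaviour the post calls nasty; with the default of False the same call returns None.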

