LdapLoginModule - almost working
a4rahman Oct 1, 2010 11:14 AM
Hello,
Sorry if this is in the wrong place - I'm new to the forum so please direct me to the right space if you think this thread shouldn't be here.
I have been playing around with the LdapLoginModule and trying to secure my web app by authenticating users against LDAP. I was able to do it against a local LDAP server that I had set up, with the following configuration in my login-config.xml file within my JBoss server:
<application-policy name="XXX">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">
      <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
      <module-option name="java.naming.provider.url">ldap://LetsSayMyLocalMachineName:389/</module-option>
      <module-option name="java.naming.security.authentication">simple</module-option>
      <module-option name="principalDNPrefix">uid=</module-option>
      <module-option name="principalDNSuffix">,ou=People,dc=example,dc=com</module-option>
      <module-option name="rolesCtxDN">ou=Roles,dc=example,dc=com</module-option>
      <module-option name="uidAttributeID">member</module-option>
      <module-option name="matchOnUserDN">true</module-option>
      <module-option name="roleAttributeID">cn</module-option>
      <module-option name="roleAttributeIsDN">false</module-option>
    </login-module>
  </authentication>
</application-policy>
However, the problem arises when I try to configure this against an external LDAP server with a slightly different directory structure. Here is my configuration for that:
<application-policy name="XXX">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">
      <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
      <module-option name="java.naming.provider.url">ldap://LetsSayTheRemoteServerName:389/</module-option>
      <module-option name="java.naming.security.authentication">simple</module-option>
      <module-option name="principalDNPrefix">sAMAccountName=</module-option>
      <module-option name="principalDNSuffix">,ou=Admin Users,ou=HQ,ou=Administration,dc=XXX,dc=XXX</module-option>
      <module-option name="rolesCtxDN">dc=XXX,dc=XXX</module-option>
      <module-option name="uidAttributeID">sAMAccountName</module-option>
      <module-option name="matchOnUserDN">true</module-option>
      <module-option name="roleAttributeID">cn</module-option>
      <module-option name="roleAttributeIsDN">false</module-option>
    </login-module>
  </authentication>
</application-policy>
There is no uid attribute for users in this server and I need to authenticate by sAMAccountName. I'm thinking I'm misreading the LdapLoginModule specs on the JBoss community and am very close to making this work; I'm just not sure exactly where my mistake is, probably because I've been looking at this for too long and need a second pair of eyes.
Here's what the user I'm trying to test with looks like in my LDAP directory:
distinguishedName: CN=Fname Sname,OU=Admin Users,OU=HQ,OU=Administration,DC=XXX,DC=XXX
sAMAccountName: the_user_id_i_need_to_authenticate_against
memberOf: CN=SomeName,OU=Groups,DC=XXX,DC=XXX
Please let me know if you need any more information. Any help would be greatly appreciated. Thanks!
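Added example (not part of the post above, and not a configuration taken from the JBoss documentation). LdapLoginModule builds the bind DN by string concatenation, principalDNPrefix + login name + principalDNSuffix, and then does a simple bind with it. That works for the local directory, where the user entry's RDN really is uid=..., but the Active Directory entry shown above has the RDN CN=Fname Sname, so sAMAccountName=the_user_id,OU=Admin Users,... is not a DN that exists and the bind fails regardless of the password. LdapExtLoginModule instead binds first with a service account, searches for the entry whose sAMAccountName matches the login name, and then binds with the DN it found. The configuration below does that and reads roles from the user's memberOf attribute, taking the cn of each group DN, so the memberOf value shown above yields the role SomeName. The service-account DN, its password placeholder, the ldaps hostname and the OU for service accounts are assumptions; the base OU and domain components are the ones from the post.

```xml
<application-policy name="XXX">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
      <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
      <!-- Simple bind sends the password in the clear; use LDAPS (or StartTLS)
           rather than ldap://host:389 so user and service-account passwords
           are not exposed on the wire. Hostname/port are assumptions. -->
      <module-option name="java.naming.provider.url">ldaps://LetsSayTheRemoteServerName:636/</module-option>
      <module-option name="java.naming.security.authentication">simple</module-option>

      <!-- Assumed service account with read-only rights, used only to locate
           the user's real DN. Do not use a domain admin here. -->
      <module-option name="bindDN">CN=jboss-ldap-svc,OU=Service Accounts,DC=XXX,DC=XXX</module-option>
      <module-option name="bindCredential">REPLACE_WITH_SERVICE_ACCOUNT_PASSWORD</module-option>

      <!-- Where users live and how to find the entry from the login name.
           {0} is replaced by the name the user typed. -->
      <module-option name="baseCtxDN">OU=Admin Users,OU=HQ,OU=Administration,DC=XXX,DC=XXX</module-option>
      <module-option name="baseFilter">(sAMAccountName={0})</module-option>

      <!-- Roles: re-find the user entry, read its memberOf values (group DNs)
           and use the cn of each group DN as the role name. -->
      <module-option name="rolesCtxDN">OU=Admin Users,OU=HQ,OU=Administration,DC=XXX,DC=XXX</module-option>
      <module-option name="roleFilter">(sAMAccountName={0})</module-option>
      <module-option name="roleAttributeID">memberOf</module-option>
      <module-option name="roleAttributeIsDN">true</module-option>
      <module-option name="roleNameAttributeID">cn</module-option>
      <module-option name="roleRecursion">0</module-option>

      <module-option name="searchScope">SUBTREE_SCOPE</module-option>
      <module-option name="searchTimeLimit">10000</module-option>
      <!-- AD treats a simple bind with an empty password as an anonymous
           bind that "succeeds"; make sure it is rejected here. -->
      <module-option name="allowEmptyPasswords">false</module-option>
    </login-module>
  </authentication>
</application-policy>
```

Two checks before deploying: confirm with a plain LDAP client (for example ldapsearch bound as the service account) that (sAMAccountName=the_user_id) under the baseCtxDN returns exactly one entry, since the module binds with whatever DN that search returns; and keep bindCredential out of cleartext in login-config.xml by using the module's jaasSecurityDomain option to decrypt it, or at least restrict file permissions on the server configuration.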