Integrate JBoss 6 to AD - map groups to roles?
pathduck Apr 27, 2011 5:47 AM
Hi, I'm new
I'm in the process of setting up a Test-env for JBoss where we want to connect to Active Directory for authentication of users to the jmx console and admin console. I've created a policy in login-config.xml:
<application-policy name="ActiveDirectory">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
      <module-option name="java.naming.provider.url">ldap://xxx:389/</module-option>
      <module-option name="bindDN">CN=xxx,OU=xxx,DC=xxx,DC=xxx</module-option>
      <module-option name="bindCredential">xxx</module-option>
      <module-option name="baseCtxDN">cn=Users,dc=xxx,dc=xxx</module-option>
      <module-option name="baseFilter">(sAMAccountName={0})</module-option>
      <module-option name="rolesCtxDN">cn=Users,dc=xxx,dc=xxx</module-option>
      <module-option name="roleFilter">(sAMAccountName={0})</module-option>
      <module-option name="roleAttributeID">memberOf</module-option>
      <module-option name="roleAttributeIsDN">true</module-option>
      <module-option name="roleNameAttributeID">cn</module-option>
      <module-option name="searchScope">ONELEVEL_SCOPE</module-option>
      <module-option name="allowEmptyPasswords">false</module-option>
    </login-module>
  </authentication>
</application-policy>
I've mapped this policy in jboss-web.xml for the WAR files:
<security-domain>java:/jaas/ActiveDirectory</security-domain>
But now I've hit the wall in regards to how I would map the AD group whose members are admins to the correct role, which I guess is "JBossAdmin".
For instance we have a group "ga-JBossAdm" in AD and want these members to have the role. I've tried searching for examples how to do this but come up short.
I'm coming from a WebSphere background where this integration is based on mapping AD groups/users to administrative roles in WAS, so maybe I am going at this the wrong way, but I can't really figure out where to go from here. Is <role-name> supposed to map to the same as the name of the AD group?
Hope some of you JBoss gurus can help me proceed here.
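One way to bridge an AD group name and a differently named application role, shown as an added example that is not part of the original post: stack JBoss's `RoleMappingLoginModule` after the LDAP module so that the group-derived role is translated by a properties file. Assumptions: the group's `cn` in AD is `ga-JBossAdm`, the target role is `JBossAdmin` as the post guesses, and `props/ad-role-mapping.properties` is a hypothetical file name.

```xml
<!-- Added example. The LDAP options repeat the post's values (xxx placeholders
     kept); the second login module is the addition. -->
<application-policy name="ActiveDirectory">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
      <module-option name="java.naming.provider.url">ldap://xxx:389/</module-option>
      <module-option name="bindDN">CN=xxx,OU=xxx,DC=xxx,DC=xxx</module-option>
      <module-option name="bindCredential">xxx</module-option>
      <module-option name="baseCtxDN">cn=Users,dc=xxx,dc=xxx</module-option>
      <module-option name="baseFilter">(sAMAccountName={0})</module-option>
      <module-option name="rolesCtxDN">cn=Users,dc=xxx,dc=xxx</module-option>
      <module-option name="roleFilter">(sAMAccountName={0})</module-option>
      <!-- Each memberOf value is a group DN; the group's cn becomes a role name,
           so a member of the assumed group ends up with the role "ga-JBossAdm". -->
      <module-option name="roleAttributeID">memberOf</module-option>
      <module-option name="roleAttributeIsDN">true</module-option>
      <module-option name="roleNameAttributeID">cn</module-option>
      <module-option name="searchScope">ONELEVEL_SCOPE</module-option>
      <module-option name="allowEmptyPasswords">false</module-option>
    </login-module>

    <!-- Runs after the LDAP module and translates the role names it produced.
         props/ad-role-mapping.properties (hypothetical name, placed on the
         server configuration's classpath) holds one line per mapping:
             ga-JBossAdm=JBossAdmin -->
    <login-module code="org.jboss.security.auth.spi.RoleMappingLoginModule" flag="optional">
      <module-option name="rolesProperties">props/ad-role-mapping.properties</module-option>
      <!-- false adds the mapped role next to the AD-derived ones;
           true replaces the AD-derived role with the mapped one. -->
      <module-option name="replaceRole">false</module-option>
    </login-module>
  </authentication>
</application-policy>
```

With a mapping like this, the `<role-name>` the application checks can stay as it is, and membership of the AD group decides who receives it.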