6 Replies Latest reply on Feb 28, 2012 6:42 AM by earthwormgym

    Integrate JBoss 6 to AD - map groups to roles?

    pathduck

      Hi, I'm new

       

      I'm in the process of setting up a Test-env for JBoss where we want to connect to Active Directory for authentication of users to the jmx console and admin console. I've created a policy in login-config.xml:

       

       

      <application-policy name="ActiveDirectory">
                      <authentication>
                  <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required" >
                      <module-option name="java.naming.provider.url">ldap://xxx:389/</module-option>
                      <module-option name="bindDN">CN=xxx,OU=xxx,DC=xxx,DC=xxx</module-option>
                      <module-option name="bindCredential">xxx</module-option>
                          <module-option name="baseCtxDN">cn=Users,dc=xxx,dc=xxx</module-option>
                                      <module-option name="baseFilter">(sAMAccountName={0})</module-option>
                                      <module-option name="rolesCtxDN">cn=Users,dc=xxx,dc=xxx</module-option>
                                      <module-option name="roleFilter">(sAMAccountName={0})</module-option>
                                      <module-option name="roleAttributeID">memberOf</module-option>
                                      <module-option name="roleAttributeIsDN">true</module-option>
                                      <module-option name="roleNameAttributeID">cn</module-option>
                                      <module-option name="searchScope">ONELEVEL_SCOPE</module-option>
                                      <module-option name="allowEmptyPasswords">false</module-option>
                  </login-module>
              </authentication>
          </application-policy>
      
      

       

      I've mapped this policy in jboss-web.xml for the WAR files:

         

      <security-domain>java:/jaas/ActiveDirectory</security-domain>
      

       

      But now I've hit the wall in regards to how I would map the AD group whose members are admins to the correct role, which I guess is "JBossAdmin".

      For instance we have a group "ga-JBossAdm" in AD and want these members to have the role. I've tried searching for examples how to do this but come up short.

       

      I'm coming from a Websphere background where this integration is based on mapping AD groups/users to administrative roles in WAS, so maybe I am going at this the wrong way, but I can't really figure out where to go from here. Is <role-name> supposed to map to the same as the name of the AD group?

       

      Hope some of you JBoss gurus can help me proceed here

        • 1. Re: Integrate JBoss 6 to AD - map groups to roles?
          peterj

          Try going into the config files and change the existing JBossAdmin role to be ga-JBossAdm. For example, in the jmx console web.xml:

           

             <security-constraint>
               <web-resource-collection>
                 <web-resource-name>HtmlAdaptor</web-resource-name>
                 <url-pattern>/*</url-pattern>
                 <http-method>GET</http-method>
                 <http-method>POST</http-method>
               </web-resource-collection>
               <auth-constraint>
                 <role-name>ga-JBossAdm</role-name>
               </auth-constraint>
             </security-constraint>
             <security-role>
                <role-name>ga-JBossAdm</role-name>
             </security-role>
          

           

          This should work as long as the code itself doesn't look for the role name.

          1 of 1 people found this helpful
          • 2. Re: Integrate JBoss 6 to AD - map groups to roles?
            pathduck

            Thanks for the reply Peter unfortunately it does not seem to work. Edit: It seems to actually contact AD since I get a 403 access denied when typing my user+password. If I type wrong password I get a 401. So authentication works, but not authorization, it seems?

             

            I got a tip to use DEBUG on org.jboss.security but I can't find any errors in the server.log either.

             

            Also, from what I understand, the "Roles" concept in the spec is meant as an abstraction, and the mapping of Roles to Users/Groups is up to the container, so that the Role is independent from whatever authentication method is used. So I need to a way to say that the Role "JBossAdmin" maps to a set of users/groups in the ldap?

             

            I also tried setting my security domain in jboss-web.xml for the admin-console, but it does not seem to affect anything, I can still login with admin/admin? But I am trying to focus on jmx-console since at least there admin/admin does not work now, so at least something's changed

             

            Stian

            • 3. Integrate JBoss 6 to AD - map groups to roles?
              a.newdelhi

              Hi Stain,

               

              I'm also working on migration,  weblogic to JBoss 5 and struggling with the same issue on how to migrate my user/group map to security role, which happens to be WEB-SECURITY-ROLE.

               

              I'm eagr to know if you have found a way.

               

              In weblogic internally it use ldap to map user/groups to Security Role.

               

              Looking forward for your response\.

               

              Ashutosh

              • 4. Re: Integrate JBoss 6 to AD - map groups to roles?
                a.newdelhi
                1 of 1 people found this helpful
                • 5. Re: Integrate JBoss 6 to AD - map groups to roles?
                  pathduck

                  Hello Ashutosh and thanks for the replies.

                   

                  After a lot of trial and error I have made it work with the following application policy.

                   

                  <!-- Application policy for ActiveDirectory -->
                  <application-policy name="ActiveDirectory">
                    <authentication>
                          <login-module 
                  code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required" >
                                  <module-option 
                  name="java.naming.provider.url">ldap://ldaphost:389/</module-option>
                                  <module-option 
                  name="bindDN">CN=xxx,OU=xxx,DC=xxx,DC=xxx</module-option>
                                  <module-option 
                  name="bindCredential">xxx</module-option>
                                  <module-option 
                  name="baseCtxDN">OU=Users,OU=xxx,OU=xxx,DC=xxx,DC=xxx</module-option>
                                  <module-option 
                  name="baseFilter">(sAMAccountName={0})</module-option>
                                  <module-option 
                  name="rolesCtxDN">OU=Groups,OU=xxx,OU=xxx,DC=xxx,DC=xxx</module-option>
                                  <module-option 
                  name="roleFilter">(member={1})</module-option>
                                  <module-option 
                  name="roleAttributeID">CN</module-option>
                                  <module-option 
                  name="allowEmptyPasswords">false</module-option>
                          </login-module>
                          <login-module 
                  code="org.jboss.security.auth.spi.RoleMappingLoginModule" flag="required" 
                  >
                                  <module-option 
                  name="password-stacking">useFirstPass</module-option>
                                  <module-option 
                  name="rolesProperties">props/roles.properties</module-option>
                          </login-module>
                     </authentication>
                  </application-policy>
                  
                  

                   

                  The file roles.properties contains the mapping of AD groups to roles. This way I can map the application policy to be used in jboss-web.xml for the different apps (and admin/jmx-console) without having to edit the names of the application roles.

                   

                  I have not however managed to map single AD users to roles, only AD groups, so any help in this would be much appreciated. I really need to map single users too as for instance I need to use a "service"-user for JMX access, and I don't want to use 'admin'.

                   

                  Thanks for your help.

                  BTW allowEmptyPasswords is NASTY!

                  • 6. Re: Integrate JBoss 6 to AD - map groups to roles?
                    earthwormgym

                    Hi,

                     

                    I've been trying to get LDAP auth against Active Directory working for the admin-console. After reading many posts and trying many different configuration options I'm still not having any luck.

                     

                    I have tried the following two options as ones I thought made sense in my login-config.xml

                     

                    Option 1:

                     

                    {code:xml}

                      <application-policy name="jmx-console">

                        <authentication>

                          <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">

                            <module-option name="java.naming.provider.url">ldap://adserver.domain.com:389/</module-option>

                            <module-option name="java.naming.security.authentication">simple</module-option>

                            <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>

                            <module-option name="bindDN">domain\searchuser</module-option>

                            <module-option name="bindCredential">search.user.passwd</module-option>

                            <module-option name="baseCtxDN">DC=DOMAIN,DC=com</module-option>

                            <module-option name="baseFilter">(sAMAccountName={0})</module-option>

                            <module-option name="rolesCtxDN">DC=DOMAIN,DC=com</module-option>

                            <module-option name="roleFilter">(sAMAccountName={0})</module-option>

                            <module-option name="roleAttributeID">memberOf</module-option>

                            <module-option name="roleAttributeIsDN">true</module-option>

                            <module-option name="roleNameAttributeID">cn</module-option>

                            <module-option name="allowEmptyPasswords">false</module-option>

                            <module-option name="searchScope">SUBTREE_SCOPE</module-option>

                          </login-module>

                        </authentication>

                      </application-policy>

                    {code}

                     

                    The idea here is that it looks in the login user's entry for the memberOf attributes, which returns the groups and then gets the cn for each of these groups to match against the role I configure in the admin-console's web.xml

                    I see from a wireshark of the LDAP queries that it bind successfully and the queries ruturn as they should but I still get access denied.

                     

                    Option 2:

                     

                    {code:xml}

                      <application-policy name="jmx-console">

                        <authentication>

                          <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">

                            <module-option name="java.naming.provider.url">ldap://adserver.domain.com:389/</module-option>

                            <module-option name="java.naming.security.authentication">simple</module-option>

                            <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>

                            <module-option name="bindDN">domain\searchuser</module-option>

                            <module-option name="bindCredential">search.user.passwd</module-option>

                            <module-option name="baseCtxDN">DC=DOMAIN,DC=com</module-option>

                            <module-option name="baseFilter">(sAMAccountName={0})</module-option>

                            <module-option name="rolesCtxDN">DC=DOMAIN,DC=com</module-option>

                            <module-option name="roleFilter">(member={1})</module-option>

                            <module-option name="roleRecursion">5</module-option>

                            <module-option name="roleAttributeID">cn</module-option>

                            <module-option name="allowEmptyPasswords">false</module-option>

                            <module-option name="searchScope">SUBTREE_SCOPE</module-option>

                          </login-module>

                        </authentication>

                      </application-policy>

                    {code}

                     

                    The idea here is that it queries for all the groups that the login user is a member of and then to the cn of the group for the role to match against that configured in the web.xml.

                    Again I see the queries via wireshark and they seem to work.

                     

                     

                    The login user is definitely in the group that I'm using for the role.

                     

                    Any ideas? My next step is going to be to download the source and remote debug the login module. Is there something obvious I'm getting wrong?

                     

                    Thanks