There are plenty articles available describing how to set up parts of LDAP authentication for EJB3, but I battled to find an article which pulls everthing together (If I have missed one, please provide a link).  I will break the process we went through into four easy steps.

Step 1 : Login and browse your LDAP server

This is an important step since you need to verify that your LDAP connection and logon details are correct. You also need to make sure that your Distinguished Name (DN) is correct. We used an excellent LDAP Eclipse plugin by Apache to do this. After logging on (remember that your username needs a @ domain attached to it) we could browse our LDAP server and confirm that all our LDAP configuration was correct.

Make sure that your LDAP group (example : YourGroupName) has been configured properly and that all the members have been set up. This group is the security role you will configure on your ejb.

Step 2 : Setup you JBoss Security Domain (login-config.xml)

Configuring a JBoss LDAP Security Domain is really simple. The is a LDAP module available :

org.jboss.security.auth.spi.LdapLoginModule

Please refer to this comprehensive article for all the ways to configure the module. Our configuration looks as follows:

     <application-policy name="your-configured-security-domain">

        <authentication>

            <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required" >

                <module-option name="java.naming.provider.url">ldap://ldap-server-name:1389/</module-option>

                <module-option name="rolesCtxDN">OU=Current,OU=User Accounts,OU=bar,DC=foo,DC=co,DC=za</module-option>

                <module-option name="matchOnUserDN">false</module-option>

                <module-option name="principalDNSuffix">@foo.co.za</module-option>

                <module-option name="uidAttributeID">sAMAccountName</module-option>

                <module-option name="roleAttributeID">memberOf</module-option>

                <module-option name="roleAttributeIsDN">true</module-option>

                <module-option name="roleNameAttributeID">name</module-option>

            </login-module>

        </authentication>

    </application-policy>

Step 3 : EJB3 setup

Now that we have our Security Domain configured, all we need to do now is to configure our EJB. Using the following standard Class Level annotation :

@SecurityDomain("your-configured-security-domain")

you tell your EJB which security domain to use. The next annotations tells your EJB which roles to allow (This is your LDAP group which your user should be a member of):

@RolesAllowed("YourGroupName")

This annotation can be put on a Class or method level depending on the granularity required. There are plenty of other annotations to configured the granularity (example : @PermitAll) but our requirement was to lock down all our EJB's remote interface calls with a single role.

Step 4 : EJB Client

When you get your initial context as a client, make sure that you use Login Initial Context Factory :

Properties prop = new Properties();

prop.put(Context.INITIAL_CONTEXT_FACTORY, "org.jnp.interfaces.NamingContextFactory");

prop.put(Context.URL_PKG_PREFIXES, "jboss.naming:org.jnp.interfaces");

prop.put(Context.PROVIDER_URL, "jnp://localhost:1099");

prop.put(Context.SECURITY_PRINCIPAL, "username");

prop.put(Context.SECURITY_CREDENTIALS, "password");

prop.setProperty(Context.INITIAL_CONTEXT_FACTORY, "org.jboss.security.jndi.JndiLoginInitialContextFactory");

And you are done.