5 Replies Latest reply: Nov 9, 2012 10:04 AM by Farid Adhami

Can LdapExtLoginModule be used just for authentication and not authorization?

Farid Adhami Newbie

Hi,

I am not sure this forum is the best place to ask JAAS related questions. I am trying to use LdapExtLoginModule for authentication and another login module for authorization. I was able to configure LdapExtLoginModule in JBoss, but it tries to use LDAP LM for authorization, too, and it fails because I don't have the requested roles in my LDAP account.

The following is my login module configuration:

    <security-domain name="domain-name">
        <authentication>
            <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="requisite">
                <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
                <module-option name="java.naming.provider.url" value="ldap://LDAP Server URL"/>
                <module-option name="bindDN" value="admin user dn"/>
                <module-option name="bindCredential" value="admin user password"/>
                <module-option name="baseCtxDN" value="..."/>
                <module-option name="baseFilter" value="(sAMAccountName={0})"/>
                <module-option name="rolesCtxDN" value="..."/>
                <module-option name="roleFilter" value="(sAMAccountName={0})"/>
                <module-option name="roleAttributeID" value="memberOf"/>
                <module-option name="roleAttributeIsDN" value="true"/>
                <module-option name="roleNameAttributeID" value="CN"/>
                <module-option name="searchScope" value="ONELEVEL_SCOPE"/>
                <module-option name="allowEmptyPasswords" value="false"/>
            </login-module>
            <login-module code="the authorization login module" flag="required">
                ...
            </login-module>
        </authentication>
    </security-domain>

So, is there a way to configure or customize LdapExtLoginModule to just do the authentication?

Thanks

Farid

  • 1. Re: Can LdapExtLoginModule be used just for authentication and not authorization?
    Travis De Silva Newbie

    Hi Farid,

    Were you able to solve this issue? I have the exact same requirement.

    I tried adding two login modules, the LdapLoginModule and the DatabaseServerLoginModule, which has a query on the rolesQuery module-option to get the roles assigned to the user.

    The LdapLoginModule works fine but the DatabaseServerLoginModule does not seem to be getting the roles. In fact, when I do the trace and look at the logs, I notice it is by default activating the principalsQuery as well, which I did not set. So maybe it is failing at this point.

    Any ideas how we can do this? Will I need to write my own custom login module?

    Cheers

    Travis

  • 2. Re: Can LdapExtLoginModule be used just for authentication and not authorization?
    Farid Adhami Newbie

    I had to add the password stacking option like below to make it work.

        <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="requisite">
            <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
            <module-option name="java.naming.provider.url" value="ldap://LDAP Server URL"/>
            <module-option name="bindDN" value="admin user dn"/>
            <module-option name="bindCredential" value="admin user password"/>
            <module-option name="baseCtxDN" value="..."/>
            <module-option name="baseFilter" value="(sAMAccountName={0})"/>
            <module-option name="rolesCtxDN" value="..."/>
            <module-option name="roleFilter" value="(sAMAccountName={0})"/>
            <module-option name="roleAttributeID" value="memberOf"/>
            <module-option name="roleAttributeIsDN" value="true"/>
            <module-option name="roleNameAttributeID" value="CN"/>
            <module-option name="searchScope" value="ONELEVEL_SCOPE"/>
            <module-option name="allowEmptyPasswords" value="false"/>
            <module-option name="roleRecursion" value="0"/>
            <module-option name="password-stacking" value="useFirstPass"/>
        </login-module>
        <login-module code="the authorization login module" flag="required">
            ...
            <module-option name="password-stacking" value="useFirstPass"/>
        </login-module>

    With that, LdapExtLoginModule will add the username and password to the shared state, which will be used by the other login module to extract the related roles.
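An added illustration of the password-stacking hand-off described above; this is not code from the thread or from JBoss. It is a roles-only JAAS login module that reads the identity the preceding (requisite) LdapExtLoginModule left under the standard shared-state keys and fails closed when no authenticated identity is present. The class name, the in-memory role table and the plain Principal roles are assumptions for this example; a real JBoss module would extend AbstractServerLoginModule and return roles from getRoleSets() inside a Group named "Roles".

```java
import java.security.Principal;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

// Roles-only module with no password check of its own: with
// password-stacking=useFirstPass it trusts the identity that the preceding
// (requisite) LdapExtLoginModule stored in the JAAS shared state.
public class SharedStateRolesLoginModule implements LoginModule {
    // Shared-state keys used by JAAS password stacking.
    static final String NAME_KEY = "javax.security.auth.login.name";
    static final String PASS_KEY = "javax.security.auth.login.password";
    // Constructed sample role data standing in for a DB or properties lookup.
    private static final Map<String, List<String>> ROLE_TABLE =
        Map.of("jdoe", List.of("app-user", "report-viewer"));

    private Subject subject;
    private Map<String, ?> sharedState;
    private boolean useFirstPass;
    private final List<Principal> roles = new ArrayList<>();

    @Override
    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.sharedState = sharedState;
        this.useFirstPass = "useFirstPass".equals(options.get("password-stacking"));
    }

    @Override
    public boolean login() throws LoginException {
        Object name = useFirstPass ? sharedState.get(NAME_KEY) : null;
        // Fail closed: with no upstream authenticated identity, grant nothing.
        if (name == null || sharedState.get(PASS_KEY) == null)
            throw new LoginException("no authenticated identity in shared state");
        // The first module may store the name as a Principal or as a String.
        String user = name instanceof Principal ? ((Principal) name).getName() : name.toString();
        for (String r : ROLE_TABLE.getOrDefault(user, List.of()))
            roles.add(() -> r);  // Principal has a single abstract method, getName()
        return true;
    }

    @Override public boolean commit() { subject.getPrincipals().addAll(roles); return true; }
    @Override public boolean abort()  { roles.clear(); return true; }
    @Override public boolean logout() { subject.getPrincipals().removeAll(roles); roles.clear(); return true; }
}
```

Because the module never reads a password itself, an LDAP bind failure in the requisite module stops the chain before any role is attached to the Subject.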

  • 5. Re: Can LdapExtLoginModule be used just for authentication and not authorization?
    Farid Adhami Newbie

    You should be able to do the authentication using LdapExtLoginModule. The issue I faced was I could not use the other login module to extract the roles provided by LdapExtLoginModule. Could you provide more detail on the issue you are facing?