Thanks for the response.
However, your suggestion doesn't address which login module (standard Ldap or Extended Ldap) is to be used.
More importantly, there's no definition of how to search for authorisation - roles.
My Ldap server requires the extended login module because roles (groups) are not in the same directory branch as inetOrgPerson.
Where did you obtain your information from so that I can look it over myself?
I doubt the ldap auth module is usable at this stage. I've just looked into the parser class that parses standalone.xml and checked what exactly it looks for in the xml; you can take a look at this (protected void parseLdapConnection method):
and go from there, until we get more documentation.
Seems I was wrong about the current state of AS7. Anyway, you can configure ldap authentication this way in standalone.xml:
<security-domain name="other" cache-type="default">
    <authentication>
        <login-module code="UsersRoles" flag="required"/>
        <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
        </login-module>
    </authentication>
</security-domain>
The self-closing <subsystem xmlns="urn:jboss:domain:ee:1.0"/> needs to be changed to
<subsystem xmlns="urn:jboss:domain:ee:1.0">
    <global-modules>
        <module name="com.sun.jndi.ldap" slot="main"/>
    </global-modules>
</subsystem>
else ModuleClassLoader won't load the com.sun.jndi.ldap.LdapCtxFactory which is needed in ldap auth modules, and obviously you'll need org.jboss.security.auth.spi.LdapExtLoginModule on the classpath.
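For reference, here are the two standalone.xml pieces this thread keeps circling (the security domain with LdapExtLoginModule and the ee subsystem with global-modules) written out in full. This is an added example, not configuration taken from the thread or from the JBoss project; the domain name ldap-domain, the host ldap.example.test, every DN, the bind credential and the role attribute are placeholders to be replaced with your own directory layout, and the security subsystem namespace is assumed to be the one shipped with 7.1.

```xml
<!-- standalone.xml, security subsystem (namespace assumed for AS 7.1).
     Domain name, host, DNs and credential are placeholders. -->
<subsystem xmlns="urn:jboss:domain:security:1.1">
    <security-domains>
        <security-domain name="ldap-domain" cache-type="default">
            <authentication>
                <!-- "LdapExtended" is the short alias for
                     org.jboss.security.auth.spi.LdapExtLoginModule -->
                <login-module code="LdapExtended" flag="required">
                    <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
                    <module-option name="java.naming.provider.url" value="ldap://ldap.example.test:389"/>
                    <module-option name="java.naming.security.authentication" value="simple"/>
                    <!-- service account used for the user and role searches; it only
                         needs read access to the people and groups branches -->
                    <module-option name="bindDN" value="cn=service,ou=system,dc=example,dc=test"/>
                    <module-option name="bindCredential" value="CHANGE-ME"/>
                    <!-- where users live and how the login name maps to an entry -->
                    <module-option name="baseCtxDN" value="ou=people,dc=example,dc=test"/>
                    <module-option name="baseFilter" value="(uid={0})"/>
                    <!-- roles live in a different branch than inetOrgPerson entries,
                         which is the reason for the extended module; {1} is the DN
                         of the user entry found above -->
                    <module-option name="rolesCtxDN" value="ou=groups,dc=example,dc=test"/>
                    <module-option name="roleFilter" value="(member={1})"/>
                    <module-option name="roleAttributeID" value="cn"/>
                    <module-option name="searchScope" value="ONELEVEL_SCOPE"/>
                    <!-- an empty password must never be passed to the directory: many
                         servers treat it as an anonymous bind and report success -->
                    <module-option name="allowEmptyPasswords" value="false"/>
                    <!-- surface the real validation failure instead of a generic one -->
                    <module-option name="throwValidateError" value="true"/>
                </login-module>
            </authentication>
        </security-domain>
    </security-domains>
</subsystem>

<!-- ee subsystem: the stock self-closing element becomes a container so that
     com.sun.jndi.ldap (and with it LdapCtxFactory) is visible to the module -->
<subsystem xmlns="urn:jboss:domain:ee:1.0">
    <global-modules>
        <module name="com.sun.jndi.ldap" slot="main"/>
    </global-modules>
</subsystem>
```

Two things worth checking before relying on this in front of a real directory: the role names the module returns are the values of roleAttributeID (here the group cn), so those strings must match the role names declared in web.xml; and bindCredential sits in cleartext in standalone.xml, so the file permissions on the configuration directory matter as much as the directory ACLs on the service account.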
Thanks for the additional note Dejan.
I followed your suggestions and I'm almost working correctly now.
It looks like the Xml Parser has changed - I was required to convert every module-option tag so that the lowest level data element for the module-option tag was replaced by the attribute value= and the tag was converted to a self-closing tag:
<module-option name="allowEmptyPasswords" value="false"/>
After doing that and also inserting the global-modules element jboss 7 now starts with no errors.
I replaced my eclipse webapp project reference for JBoss 6 runtime library to jboss 7 runtime library.
The web application deployed with no error or warning messages.
Now, when I attempt to access a protected html resource I am correctly challenged to enter a user name and password. After I submit those items the browser pauses a long time (15-20 sec) and eventually the server connection is reset.
I was unable to determine how I could ensure that org.jboss.security.auth.spi.LdapExtLoginModule is on my classpath. With JBoss 6 I was not required to take any action like this. I presumed that the JBoss Server runtime library included this module and any others that might be required.
Perhaps this assumption is incorrect for JBoss 7?
This web app also attempts to perform JNDI lookups. With JBoss AS 7 the jndi.properties file is now not being loaded correctly so perhaps some additional tags are needed in standalone.xml.
I very much appreciate the time you spent digging into this issue. However, I can wait for the next release and some official documentation rather than ask you to spend any more time debugging this.
I've followed the same steps but I get the error
Login failure: javax.security.auth.login.LoginException: classe LoginModule introuvable : org.jboss.security.auth.spi.LodapLoginModule
I think I need org.jboss.security.auth.spi.LdapExtLoginModule on the classpath of my application even if I've already added
<module name="sun.jdk" slot="main"/>
instead of:
<module name="com.sun.jndi.ldap" slot="main"/>
</subsystem>
because this configuration didn't work for me
Looking at the error message there appears to be an error in how the class name is specified for the LoginModule.
The message shows org.jboss.security.auth.spi.LodapLoginModule but it should be org.jboss.security.auth.spi.LdapLoginModule
You should however be able to specify LdapExtended instead of the fully qualified class name of the module.
You are correct - for JBoss 7.1.0.Final (standalone-full.xml) I was able to configure LdapExtLoginModule.
I also used the suggestion at https://community.jboss.org/thread/174590 to add another module-option <module-option name="throwValidateError" value="true"/> although it wasn't needed because my login worked first time. Not my normal experience but I'm sure not complaining.
I deliberately delayed working on this until the fully certified version of JBoss7 was available. That may have saved me some grief too.
I didn't define a global subsystem as badr described earlier. JBoss 7 found the module with no problems and my webapp worked unchanged from the JBoss6 version.
Updated Feb 25: It was too good to be true. It turns out that I tested with a username/password which I had previously defined in the ManagementRealm so my Ldap server never saw the request. When I tried it subsequently with a username/password unique to the Ldap server, it all fell apart.
For my testing I try to browse to a protected web page and the security framework intercepts and demands a username and password. After I enter them and submit the form, the browser remains at the page ending with j_security_check and never does forward to the protected page. A blank page with no HTML is what the browser sees. The server gives no warning or error messages in its console log.
I am giving up using Ldap with Jboss. I reported the Ldap problems in 2008 at https://issues.jboss.org/browse/SEAMSECURITY-6. I've been waiting for a resolution since then.
Well, I'm now retired so I do not need to authenticate against a corporate directory any longer.
As you can guess I'm pretty disillusioned. I guess there must not be too many people trying to use LdapExtLoginModule ......
One more update:
It looks like the userid and password were actually being accepted by the security system. If I open another tab and try to access the protected page, I immediately see the protected page. In my case that page is a jsp page that tests for the roles that the authenticated user is in - so I am able to also verify that the extended search capabilities of LdapExtLoginModule are working correctly.
There must be a minor bug somewhere within the JBoss security framework that is not forwarding the browser to a protected page after authentication succeeds using LdapExtLoginModule.
So close to a working framework ..... unfortunately I can't use this in production - users would laugh at the work around.
What were you guys putting in your web.xml file or jboss-web.xml to tell your web-app to use your custom ldap realm?
<login-config>
    <auth-method>FORM</auth-method>
    <!-- the servlet spec element here is realm-name, not auth-name -->
    <realm-name>myldapdomain</realm-name>
    <form-login-config>
        <form-login-page>/pages/login.jsf</form-login-page>
        <form-error-page>/pages/core/loginError.xhtml</form-error-page>
    </form-login-config>
</login-config>
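The question above is where the webapp is told which security domain to use. A web.xml login-config only declares how users are challenged; the binding to a security domain defined in standalone.xml lives in WEB-INF/jboss-web.xml. Below is an added example of both descriptors, not the poster's files or anything from the JBoss project; the domain name ldap-domain, the URL pattern /protected/*, the page paths and the role name app-user are assumptions.

```xml
<!-- WEB-INF/web.xml: challenge method plus the URLs and roles being protected.
     Paths, URL pattern and role name are assumed. -->
<login-config>
    <auth-method>FORM</auth-method>
    <!-- realm-name is only a label shown to the user; it does not select the domain -->
    <realm-name>ldap-domain</realm-name>
    <form-login-config>
        <form-login-page>/pages/login.jsf</form-login-page>
        <form-error-page>/pages/core/loginError.xhtml</form-error-page>
    </form-login-config>
</login-config>

<security-constraint>
    <web-resource-collection>
        <web-resource-name>protected pages</web-resource-name>
        <url-pattern>/protected/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <!-- must match a role name the login module returns, e.g. a group cn -->
        <role-name>app-user</role-name>
    </auth-constraint>
</security-constraint>

<security-role>
    <role-name>app-user</role-name>
</security-role>

<!-- WEB-INF/jboss-web.xml: the actual binding to the security domain declared in
     standalone.xml. Without it the container falls back to the default "other"
     domain, which is why a ManagementRealm user can appear to log in while the
     directory never sees the request. -->
<jboss-web>
    <security-domain>ldap-domain</security-domain>
</jboss-web>
```

When testing, use an account that exists only in the directory, not one also present in the local properties realms; otherwise a successful login proves nothing about the LDAP configuration, which is the trap described earlier in this thread.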